Troubleshooting Tip: Possible reason for an interface being administratively 'down' when using SD-WAN
Description: This article describes why an interface that is administratively 'up' in the configuration can be shown as administratively 'down' when SD-WAN fail detection is used.

Scope: FortiGate

Solution:

In this example, port1 is used to show the issue. The status of an interface can be checked with the following command (part of the output is omitted for readability):

```
FortiGate # get hardware nic port1
Name:             port1
Driver:           virtio_net
Version:          1.0.0
Bus:              0000:00:06.0
HWaddr:           00:65:72:62:56:01
Permanent Hwaddr: 00:65:72:62:56:01
State:            down
Link:             down
Mtu:              1500
[...]
```

However, the interface is enabled, which can be checked either in the GUI under 'Network -> Interfaces' or in the CLI with the following command:

```
FortiGate # show full system interface port1 | grep status
    set status up
```

So port1 is configured as administratively up, yet the hardware state reports it as administratively down. The following command shows where port1 is referenced in the configuration (part of the output is omitted):

```
FortiGate # show | grep port1 -f
config system interface
    edit "port1"                          <-----
        set vdom "root"
        set ip 10.116.18.46 255.255.192.0
        set allowaccess ping https ssh http telnet fgfm
        set type physical
        set snmp-index 1
    next
end
[...]
config system sdwan
    set status enable
    set fail-detect enable
    set fail-alert-interfaces "port1"     <-----
    config zone
        edit "virtual-wan-link"
        next
    end
end
[...]
```

In the output above, note once more that the interface is administratively up: there is no 'set status down' in the interface configuration, so the default 'up' applies. Furthermore, port1 is configured as a fail-alert interface in SD-WAN, and fail-detect is enabled. With this configuration (fail-detect plus fail-alert-interfaces on port1), when the Performance SLA health check reports every SD-WAN member as dead, port1 is administratively shut down. This is the purpose of fail detection: taking the alert interface down makes the WAN failure visible to devices behind it, so they can react (for example by failing over to another path). Note that port1 is not an SD-WAN member itself; it is only an internal interface.

Check the SD-WAN members with the following commands:

```
FortiGate # config system sdwan
FortiGate (sdwan) # show members
    config members
        edit 1
            set interface "port9"
            set gateway 10.5.147.165
        next
        edit 2
            set interface "port8"
            set gateway 10.5.211.165
        next
    end
```

The SD-WAN Performance SLA can be checked in the GUI under 'Network -> SD-WAN -> Performance SLAs' or in the CLI with the following command:

```
FortiGate # diagnose sys sdwan health-check
Health Check(PING_8.8.8.8):
Seq(2 port8): state(dead), packet-loss(100.000%) sla_map=0x0
Seq(1 port9): state(dead), packet-loss(100.000%) sla_map=0x0
```

Both members show 100% packet loss and are considered dead, so the Performance SLA is failing on every member. This is the reason port1 was shut down. If no configuration change preceded the event, the root cause most likely lies with the ISP or the upstream network rather than with port1 itself. Once the issue is resolved and at least one SD-WAN member recovers, port1 is automatically brought back up, as shown below (part of the output is omitted):

```
FortiGate # diagnose sys sdwan health-check
Health Check(PING_8.8.8.8):
Seq(2 port8): state(alive), packet-loss(0.000%) latency(3.296), jitter(0.192), mos(4.403), bandwidth-up(9999978), bandwidth-dw(9999832), bandwidth-bi(19999810) sla_map=0x0
Seq(1 port9): state(dead), packet-loss(100.000%) sla_map=0x0

FortiGate # get hardware nic port1
Name:             port1
Driver:           virtio_net
Version:          1.0.0
Bus:              0000:00:06.0
HWaddr:           00:65:72:62:56:01
Permanent Hwaddr: 00:65:72:62:56:01
State:            up
Link:             up
Mtu:              1500
[...]
```
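The two checks above (is the interface a fail-alert interface with fail-detect enabled, and are all SD-WAN members dead?) can be automated when working from saved CLI output, for example from a support bundle. The following Python script is an added example and is not part of the Fortinet article or of FortiOS; the function names `parse_fail_alert`, `parse_health_check` and `explain_admin_down` are the author's own, and the sample config and health-check text are constructed here from the output quoted above. It assumes a single health check, as on this page, and treats every member reported `dead` as the trigger condition.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the 'config system sdwan' block from the 'show | grep port1 -f' output above.
SDWAN_CONFIG = """
config system sdwan
    set status enable
    set fail-detect enable
    set fail-alert-interfaces "port1"
    config zone
        edit "virtual-wan-link"
        next
    end
end
"""

# Constructed sample: 'diagnose sys sdwan health-check' while both members are dead.
HEALTH_CHECK_ALL_DEAD = """
Health Check(PING_8.8.8.8):
Seq(2 port8): state(dead), packet-loss(100.000%) sla_map=0x0
Seq(1 port9): state(dead), packet-loss(100.000%) sla_map=0x0
"""

# Constructed sample: the same health check after port8 recovered.
HEALTH_CHECK_ONE_ALIVE = """
Health Check(PING_8.8.8.8):
Seq(2 port8): state(alive), packet-loss(0.000%) latency(3.296), jitter(0.192), mos(4.403), bandwidth-up(9999978), bandwidth-dw(9999832), bandwidth-bi(19999810) sla_map=0x0
Seq(1 port9): state(dead), packet-loss(100.000%) sla_map=0x0
"""


def parse_fail_alert(config: str) -> Tuple[bool, List[str]]:
    """Return (fail-detect enabled?, fail-alert interfaces) from 'config system sdwan' text."""
    enabled = re.search(r"^\s*set fail-detect enable\s*$", config, re.M) is not None
    match = re.search(r"^\s*set fail-alert-interfaces\s+(.+?)\s*$", config, re.M)
    # Interface names are quoted; several may be listed on one line.
    interfaces = re.findall(r'"([^"]+)"', match.group(1)) if match else []
    return enabled, interfaces


def parse_health_check(diag: str) -> Dict[str, str]:
    """Map each SD-WAN member to its state ('alive'/'dead') from health-check output."""
    return {
        member: state
        for member, state in re.findall(r"Seq\(\d+ (\S+)\): state\((\w+)\)", diag)
    }


def explain_admin_down(iface: str, config: str, diag: str) -> Tuple[bool, str]:
    """Decide whether SD-WAN fail detection explains why `iface` is administratively down.

    Returns (True, reason) when fail-detect is on, `iface` is a fail-alert interface and
    every member in the health check is dead; otherwise (False, hint) pointing elsewhere.
    """
    enabled, alert_ifaces = parse_fail_alert(config)
    if not enabled or iface not in alert_ifaces:
        return False, f"{iface} is not a fail-alert interface with fail-detect enabled; look elsewhere"
    states = parse_health_check(diag)
    if not states:
        return False, "no SD-WAN members found in health-check output"
    dead = sorted(m for m, s in states.items() if s == "dead")
    if len(dead) == len(states):
        return True, f"all SD-WAN members dead ({', '.join(dead)}); fail-detect shut {iface} down"
    alive = sorted(m for m, s in states.items() if s != "dead")
    return False, f"member(s) {', '.join(alive)} alive; fail-detect should have re-enabled {iface}"


if __name__ == "__main__":
    for label, diag in (("outage", HEALTH_CHECK_ALL_DEAD), ("recovered", HEALTH_CHECK_ONE_ALIVE)):
        explained, reason = explain_admin_down("port1", SDWAN_CONFIG, diag)
        print(f"{label}: explained={explained}: {reason}")
```

Run it against the two captures and it attributes the outage-time state of port1 to fail detection, while for the recovered capture it reports that port8 is alive again, which is exactly the moment the article shows port1 returning to 'up'. If the script says the interface is not a fail-alert interface, the cause is elsewhere and the SD-WAN configuration can be ruled out.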
