Active-passive tunnels, however no one tunnel preferred more
Hello. I have a bit of an issue with a setup, and I'm not even sure it's possible on a FortiGate firewall.
We have a setup between a cloud provider and a FortiGate cluster on our side. The setup consists of 2 tunnels:
IPsec VPN 1 with a static route with a metric of 10
IPsec VPN 2 with a static route with a metric of 20
We recently found out the cloud provider has a different way of setup: they use a random tunnel (e.g. VPN 1).
If VPN 1 fails they use VPN 2, but they will not start using VPN 1 again when it comes back up.
They will keep using VPN 2 until that tunnel goes down, then they use VPN 1 again. Of course this is an issue:
if VPN 1 goes down we start using VPN 2, but when it comes back we start using VPN 1 again due to the better metric.
The other side starts using VPN 2 as soon as VPN 1 goes down, but keeps using VPN 2, so when VPN 1 comes back up we are using different tunnels.
The cloud provider engineer has stated they cannot change the config on their side to prefer the VPN 1 tunnel more.
So I was wondering, can a FortiGate be configured to mimic the cloud provider setup?
E.g.:
use VPN 1 at first, if it goes down start using VPN 2, and keep using VPN 2 until that tunnel would go down due to an issue?
I believe setting the routes for both tunnels to the same metric would just enable load balancing, which is also not what we want.

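To make the mismatch in the post concrete, here is a small added simulation (not from the original post and not FortiGate code) of the two tunnel-selection policies it describes: a preemptive side that always moves back to the lowest-metric route once it is up, and a non-preemptive (sticky) side that stays on whatever tunnel it is currently using until that tunnel fails. The tunnel names, the metrics 10 and 20, and the event sequence are taken from the post; the `Peer` class and `simulate` function are constructed for illustration. Running it with one preemptive and one sticky peer reproduces the asymmetric state after VPN 1 recovers; running it with both peers sticky shows the two sides staying aligned.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Tunnel names and static-route metrics as given in the post (lower metric wins).
METRICS = {"VPN1": 10, "VPN2": 20}


@dataclass
class Peer:
    """One end of the VPN pair and the policy it uses to pick an outgoing tunnel."""
    name: str
    sticky: bool                    # True: non-preemptive (cloud side); False: best metric (FortiGate static routes)
    active: Optional[str] = None    # tunnel currently carrying this peer's traffic

    def select(self, up: Set[str]) -> Optional[str]:
        """Choose the tunnel to send into, given the set of tunnels that are currently up."""
        if self.sticky and self.active in up:
            # Non-preemptive: the current tunnel still works, so do not move.
            return self.active
        # Preemptive (or current tunnel is down): take the best-metric tunnel that is up.
        usable = sorted(up, key=METRICS.__getitem__)
        self.active = usable[0] if usable else None
        return self.active


def simulate(events: List[Tuple[str, str, bool]],
             a_sticky: bool, b_sticky: bool) -> List[Tuple[str, Optional[str], Optional[str], bool]]:
    """Replay tunnel up/down events and record which tunnel each side uses after each event.

    Each log entry is (event label, side A tunnel, side B tunnel, both sides agree?).
    """
    side_a = Peer("fortigate", sticky=a_sticky)
    side_b = Peer("cloud", sticky=b_sticky)
    up = {"VPN1", "VPN2"}          # both tunnels start up
    log = []
    for label, tunnel, is_up in events:
        if is_up:
            up.add(tunnel)
        else:
            up.discard(tunnel)
        chosen_a = side_a.select(up)
        chosen_b = side_b.select(up)
        log.append((label, chosen_a, chosen_b, chosen_a == chosen_b))
    return log


# Constructed event sequence matching the scenario in the post: VPN 1 fails, then recovers.
EVENTS = [
    ("start", "VPN1", True),
    ("vpn1 down", "VPN1", False),
    ("vpn1 back", "VPN1", True),
]


if __name__ == "__main__":
    print("FortiGate preemptive, cloud sticky:")
    for label, ta, tb, agree in simulate(EVENTS, a_sticky=False, b_sticky=True):
        print(f"  {label:10} fortigate={ta} cloud={tb} {'ok' if agree else 'MISMATCH'}")
    print("Both sides sticky:")
    for label, ta, tb, agree in simulate(EVENTS, a_sticky=True, b_sticky=True):
        print(f"  {label:10} fortigate={ta} cloud={tb} {'ok' if agree else 'MISMATCH'}")
```

The first run ends with the FortiGate side back on VPN1 while the cloud side is still on VPN2, which is exactly the split the post describes; the second run shows that once both ends apply the same non-preemptive rule they fail over together and stay together, so the asymmetry is a policy mismatch rather than a fault in either tunnel.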