Failover with link-monitor (LAN and IPsec VPN)

Question

Hi all,

We need dual access to a subnet: LAN (MPLS) and IPSEC VPN (Fortigate v6.0.7)

If LAN (MPLS) fail, IPSEC VPN get UP as fail-over.

Example in route:

S 192.168.1.0/24 [10/0] via 10.10.10.5, LAN (MPLS)
[10/0] is directly connected, VPNtunnel (IpsecVPN), [50/0]

Exmple Link_monitor:

config system link-monitor
edit "Monitor_subnet_1"
    set srcintf "LAN"
    set server "192.168.1.x"
    set gateway-ip 10.10.10.5
    set source-ip 10.x.x.x
    set update-cascade-interface disable
next

That work fine, but when we add another subnet:

S 192.168.44.0/24 [10/0] via 10.10.10.5, LAN (MPLS)
[10/0] is directly connected, VPNtunnel (IpsecVPN), [50/0]

edit "Monitor_subnet_44"
    set srcintf "LAN" *****
    set server "192.168.44.x"
    set gateway-ip 10.10.10.5
    set source-ip 10.x.x.x
    set update-cascade-interface disable
next

Get this error:
"Gateway is not unique for the same interface.
object set operator error, -7 discard the setting
Command fail. Return code -7"

That's a limitation, which are link-monitor alternatives? Or how we can fix this?

Any help will be apreciated

Thanks!

Toshi_Esumi · Accepted Answer

You didn't provide enough info to get those those destinations after leaving LAN interface. Of course SD-WAN would work but a lot more would be involved, including removing all configuration, which is referring "LAN" and "VPNtunnel" and re-configuring them from scratch with like "SD-WAN", then set up proper rules. To me routing protocol like BGP is easier.

Toshi_Esumi · Answer

One link monitor to one outgoing interface takes all static routes down toward the interface when it lost reachability. You don't need the second one.
If you want to fail over per a destination prefix, you need to use one of routing protocols.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded