VDOM001
Visitor III
April 26, 2025
Question

Frequent HA switching after setting link-monitor

We have been using link-monitor to monitor ping to GW, but after setting up link-monitor, HA switchover due to link monitor failure occurred frequently during periods of high traffic spikes.
When we checked the ping statistics of link-monitor, we found a temporary maximum latency of 475 ms, which is a very bad value. No switching occurred at that time.
The reason for the frequent occurrences is that the line became unstable due to user traffic.
Is it safe to assume that the ICMP packets in the link monitor are likely to have been affected by the unstable state of the line due to user traffic?
If so, can this be resolved by changing the timer value of the link monitor?
The current settings are interval 5000, failtime 3, and other default values.

1 reply

Toshi_Esumi
SuperUser
April 26, 2025

What's the ping destination? If it's not immediately connected, like pinging 8.8.8.8 or 1.1.1.1 on the internet, there are many hops in between and ICMP packets are often the least prioritized traffic on those routers.
Try using a different protocol. I see other options below. The destination needs to respond though.

FortiGate-60F (testmon) # set protocol ?
ping PING link monitor.
tcp-echo TCP echo link monitor.
udp-echo UDP echo link monitor.
http HTTP-GET link monitor.
https HTTPS-GET link monitor.
twamp TWAMP link monitor.

Toshi

VDOM001
Author
Visitor III
April 27, 2025

@Toshi_Esumi 

Thank you for contacting us.
The destination for ping monitoring is the VIP of HSRP on the upper L3SW.
Forti----->L2SW----->L3SW

I don't think ICMP packets will be lost if the line is not tight, but speed/duplex from forti to L3SW is fixed 10/full.

Toshi_Esumi
SuperUser
April 27, 2025

Did you mean 10Mbps or 10Gbps?
If 10Gig, and if the 10Gig is nearly maxed out during the peaks, you probably have a capacity/topology design issue in your switching network, which has nothing to do with FGT HA. The failover wouldn't solve the traffic issue and the new HA primary would experience the same problem as long as the peak traffic continues.

You should address the root problem instead of tweaking the parameters of link-monitor.

Toshi