Interdependence b/w Link Monitor and interface's "fail-detect"

Question

Hi!consider: config system link-monitoredit monitor_idsrcintf ifnameserver monitored_server:update-cascade-interface disableupdate-policy-route disableupdate-static-route disableend as I understand, this will cause interface ifname to be marked as failed if monitoring of monitored_server fails. This means all configured dependencies, including all static and dynamic routes, would become unavailable. Please correct me if wrong. I do not understand if the following is necessary and what effect/value it adds to above: config system interfaceedit ifname:fail-detect enablefail-detect-option link-down detectserverend Any one can answer?Thanks!

Toshi_Esumi · Answer

You meant like this, right?FortiGate-60F (vogus_server_monitor) # showconfig system link-monitor  edit "vogus_server_monitor"    set srcintf "wan1"    set server "100.64.0.1"    set update-cascade-interface disable    set update-static-route disable    set update-policy-route disable  nextendThe destination doesn't exist in my network and not pingable.FortiGate-60F # exe ping 100.64.0.1PING 100.64.0.1 (100.64.0.1): 56 data bytes--- 100.64.0.1 ping statistics ---5 packets transmitted, 0 packets received, 100% packet lossAs the result, the link-monitor status is "dead".FortiGate-60F # diag sys link-monitor statusLink Monitor: vogus_server_monitor, Status: dead, Server num(1), cfg_version=0 HA state: local(dead), shared(dead)Flags=0x1 init, Create time: Wed May 7 16:20:09 2025Source interface: wan1 (5)VRF: 0Interval: 500 msService-detect: disableDiffservcode: 000000Class-ID: 0Transport-Group: 0Class-ID: 0  Peer: 100.64.0.1(100.64.0.1)    Source IP(75.145.19.83)    Route: 75.145.19.83->100.64.0.1/32, gwy(75.145.19.86)    protocol: ping, state: dead        Packet lost: 100.000%        MOS: 4.350        Number of out-of-sequence packets: 0        Recovery times(0/5) Fail Times(2/5)        Packet sent: 103, received: 0, Sequence(sent/rcvd/exp): 104/0/0However, all routes are still there and I didn't lose anything including IPsec vpn over wan1("la-tos1" below).FortiGate-60F # get router info routing-t all---[snip]---Routing table for VRF=0S* 0.0.0.0/0 [10/0] via x.x.x.x, wan1, [1/0]                   [10/0] via x.x.x.x, wan2, [10/0]B 1.2.1.2/32 [20/0] via 10.242.0.1 (recursive via la-tos1 tunnel x.x.x.x), 08:49:47, [ 1/0]B 10.10.110.1/32 [20/0] via 10.242.0.1 (recursive via la-tos1 tunnel x.x.x.x), 08:49:4 7, [1/0]B 10.100.100.1/32 [20/0] via 10.242.0.1 (recursive via la-tos1 tunnel x.x.x.x), 08:49: 47, [1/0].......The bottom line is the link-monitor doesn't disable interfaces.And, the "fail-detection" on an interface is, I believe, only for aggregate interface or redundant interface. Nothing to do with link-monitor.https://docs.fortinet.com/document/fortigate/7.4.7/administration-guide/321562/failure-detection-for-aggregate-and-redundant-interfaceshttps://docs.fortinet.com/document/fortigate/7.4.7/administration-guide/567758/aggregation-and-redundancyToshi

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded