Skip to main content
jokes54321
jokes54321
New Member
April 5, 2021
Question

Object Tracking

  • April 5, 2021
  • 2 replies
  • 4411 views

I need to implement a backup route between our Datacenter 1500d and a branch 60e. The primary connection is MPLS and the backup link is VPN. The firewalls are running 6.0.12.  I've seen this asked a few times and the answer seemed to be using a Link Monitor to remove routes out a specific interface. It seems this would work if the issue was with the local link, but if the outage is somewhere in the middle of the MPLS network, this would not be a good solution.

 

In Ciscoland, I'd setup an IP SLA and Tracking to ping the remote side and reference that tracker in the ip route. If the remote side failed to respond to pings, the route would drop out of the routing table and the backup route would float in, effectively routing traffic over the IPSec tunnel.

 

It appears SDWan brings these capabilities, but SDWan in 6.0.12 isn't the greatest. Until a few known issues are ironed out of 6.2.x or 6.4.x, we're not in a position to upgrade.

 

I suppose another option is to start converting our branch office configurations to use BGP in MPLS, so the routing protocols can influence the routing, but we're looking to phase MPLS out over the next year or two and would hate to spin up a project and dedicate resources to something that is going away.

 

Any suggestions?

    2 replies

    Toshi_Esumi
    SuperUser
    Toshi_Esumi
    SuperUser
    April 5, 2021

    Link Monitor can ping the other end like IP SLA. User "set server x.x.x.x".

    lobstercreed
    lobstercreed
    New Member
    April 5, 2021

    I'm confused by the last statement of your first paragraph.  Isn't the whole purpose of the link monitor to detect downstream failure?  Local failure would happen automatically as routes are removed from the table if the destination interface is down.

     

    I've not used it personally (and am on 6.4 now), but it seems the ability to monitor a remote host via ping/etc is what is being described here:

    https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/978142/system-link-monitor 

    jokes54321
    jokes54321Author
    New Member
    April 5, 2021

    Hello,

     

    Thank you for forwarding this link. I reviewed the document you referenced, and if I interpreted it correctly, it almost seems to work backwards from what I need. It seems you add a Link Monitor exemption to the routes you don't want the Link Monitor to influence.

     

    I have roughly 50 remote sites on MPLS and need failover between MPLS and IPSec on at least 10 of them. This would be 10 link monitors. Do you know if multiple link monitor exemptions could be added to each static route?

     

    The more I talk through this configuration the more I feel it might be less work to convert the sites to BGP.  :)

     

    Denny

    Terms & ConditionsAccessibility statement