New Member

Solved

ping check wan failover

Forum|Forum|8 years ago
March 19, 2018
4 replies
22864 views

Hi

i have wan1 as my primary interface. I want to add a check that will set the interface down if theres any problem with it reaching internet. In that case i want wan2 to be the primary one.

How do i configure a check that will set wan1 in admin down?

thanks

Best answer by brycemd

It's CLI only beyond 5.2

config system link-monitor

edit 1

set srcintf wan1

set server 8.8.8.8 - or whatever you want to constantly ping

If it fails it removes the route so your wan2 route will become the default. There are other values to define if you want, but i believe the above is the minimum to get it working.

http://help.fortinet.com/cli/fos50hlp/54/Content/FortiOS/fortiOS-cli-ref-54/config/system/link-monitor.htm

brycemdAnswer

New Member

It's CLI only beyond 5.2

config system link-monitor

edit 1

set srcintf wan1

set server 8.8.8.8 - or whatever you want to constantly ping

If it fails it removes the route so your wan2 route will become the default. There are other values to define if you want, but i believe the above is the minimum to get it working.

http://help.fortinet.com/cli/fos50hlp/54/Content/FortiOS/fortiOS-cli-ref-54/config/system/link-monitor.htm

luckysantiago

New Member

gateway-ip is the gateway of the ISP right? is it required for link-monitor or it can stay on 0.0.0.0 since i already have gateway defined on static route.

ericli_FTNT

Staff

nordik24 wrote:
Hi

i have wan1 as my primary interface. I want to add a check that will set the interface down if theres any problem with it reaching internet. In that case i want wan2 to be the primary one.
How do i configure a check that will set wan1 in admin down?

thanks

You can take a look at the feature of SD-Wan which offer health-check and load-balance between your two Wan links.

nordik24Author

New Member

thanks for the clarification

sw2090

SuperUser

Probably the easiest way is to use the built in Loadbalancer (wan-link-load-blanace WLLB).

Set some ping check for availability (in 5.4 or greater this can all be done in webinterface, not sure about older versions though).

You could set WLLB to do volume based balancing with 100% of traffic on wan1 and none on wan2. This will then route all traffic to the internet via wan1 except if the ping check reports wan1 down. In this very case WLLB will automatically use wan2 instead.

This works fine here on over 16 FortiGates.

It however will not affect VPN Tunnels. If you want VPN Fallback you will have to have redundant tunnels on each wans and at least priority based routing. This is how I do this here with our ipsec Tunnels. There es one for every lan from every FGT to our FGT and priority based routing for the subnets going over those.

If then one wan on one side is down that tunnel will drop and it will switch to the second route over the second tunnel within a second.

luckysantiago

New Member

gateway-ip is the gateway of the ISP right? is it required for this link-monitor or it can stay on 0.0.0.0 since i already have gateway defined on static route. thanks!

luckysantiago

New Member

Just to clarify, IP Address of the wan interface or the gateway of the wan isp?

luckysantiago

New Member

I did this and failover works but, when the primary wan goes up it doesn't automatically revert back to primary and stays on backup link/wan.

But is can see on the routing monitor that primary goes back to route as well on the "get router info routing-table all" wan1 is set as default candidate

luckysantiago

New Member

This is working fine now, can i add third ISP?

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded