Problem with failover from WAN1 to WAN2

GeeWHIZ, have a look at this article: http://kc.forticare.com/default.asp?id=376&Lang=1 I am no expert by any means, but I was eventually able to get my FortiGate 60 work correctly in failover mode (actually failover & load sharing mode). I believe the trick you are looking for is that you need to have two static routes defined (one for WAN1, another for WAN2) and two firewall policies (allow everything from internal to WAN1 and everything from internal to WAN2). My two static routes are defined as: 0.0.0.0/0.0.0.0 10.231.135.73 wan2 10 and 0.0.0.0/0.0.0.0 172.16.2.85 wan1 10 where the IPs are naturally IPs assigned to me by my two internet providers. It may not be the best setup (as I said, I am no expert), but it does work for me. If you want failover only and no load sharing, then change one of the distances (tens in the example above) to something lower - the route with the lower distance will then be considered the primary one (the other taking over only if the primary one goes down). Oh... One More Thingâ„¢: to detect if a line is available or not, you have to set up Ping Servers, too. Go to System > Network > Interface and for both WAN1 and WAN2, enter (and enable) a correct Ping Server (use IP addresses of " gateways" your internet providers gave you). I am using 2.80, so things may be slightly different under 3.00, but three things should still be needed: two static routes, two basic firewall policies, and Ping Server entries.

Vondrack: Thanks for the reply. I have read this article several times in the last few days and still seem to be missing a key piece of information. I can now get two connections established, but can' t get the failover working. I have confirmed the 0.0.0.0/0.0.0.0 gateway-id routes for both WAN 1 (distance =10) and WAN 2 (distance=20). If I pull the plug on the WAN 1 connection and ping an external site, I get " Destination new unreachable" followed by " no reply" . I have confirmed via the Monitor that the static route for WAN 2 is being loaded when WAN 1 dies and the WAN 1 route is being reloaded when the connection is reestablished. However, the failover never happens. The docs mention a firewall policy to permit the routing of the traffic, but I can' t seem to get this working. Can someone provide me information on creating a firewall policy with WAN 1 as the source and WAN 2 as the destination? Thanks.

You need to have the distance on both routes identical. Once they are the same metric, then you need to go into the CLI and set a priority on them. To do this, follow these steps:

sh router static (to get the route #s) conf router static edit X (WAN1 default route #) set priority 1 next edit Y (WAN2 default route #) set priority 2 next end

Once you have the routes correct, then you just need to have your policies to allow traffic both directions and make sure you have the ping server set up as mentioned above.

GeeWHIZ... First... don' t rely on the doc in the Knowledge Center... it' s misleading and not entirely accurate... I' ve spoken with my SE and he' s looking at it. vondrack' s set up is the same as mine, except, i only use this for failover so my static routes look like this: Primary Internet connection: 0.0.0.0/0.0.0.0 216.141.111.1 WAN1 10 Failorver Internet connection: 0.0.0.0/0.0.0.0 67.37.15.73 WAN2 11 Make sure you set up Ping Servers for each interface. I don' t recommend the gateway addresses though. I would use an address on that is farther down the Infromation Superhighway like a DNS server or something that you know is always going to be up. And make sure that both interfaces are set to " Up" . I couldn' t get failover to work until I brought WAN2 " Up" ! Configure your policies. If want all traffic to go out over the failover connection, duplicate your Internal-to-WAN1 policies for Internal-to-WAN2. If not, you can specify traffic. For example... I use my failover for credit card processing... so if WAN1 goes down, I only allow the traffic over the failover for credit card transactions. When the primary connection comes backup, the traffic returns to normal based on my policies. Those are the three most important pieces... Ping servers, Routes, Policies. For troubleshooting, I used traceroute and checkip.dyndns.org to verify that the failover was working. You can change your Ping Server options too. In 3.0 build 319, it' s on the Options tab in the Network section. Change the Dead Gateway Detection values. I have the Detection Interval set to 4 seconds and the Fail-over Dectection set to 4 lost conscutive pings. I hope that helps.

Brad is the best.