Skip to main content
Eric_Brown
Eric_Brown
New Member
August 12, 2016
Solved

WAN1 doesn't seem to be failing over as part of WAN LLB

  • August 12, 2016
  • 1 reply
  • 6465 views

FG-100D is configured with two WANs combined via WLLB. ISP for WAN1 has been flaky lately, dropping out for 30 seconds or so occasionally. I expected traffic to be immediately routed to WAN2, but in reality I have to manually disable WAN1 in the GUI in order for this to happen. The relevant parts of the config is below. I'm trying to determine whether I have something configured incorrectly in the Fortigate, or if the misconfiguration is occurring between my ears. Thanks in advance. Eric

 

5.04-FW-build1064

config system interface
    edit "wan1"
        set vdom "root"
        set ip 74.143.138.236 255.255.255.248
        set allowaccess ping fgfm
        set type physical
        set alias "isp1"
        set estimated-upstream-bandwidth 5000
        set estimated-downstream-bandwidth 50000
        set role wan
        set snmp-index 1
    next
    edit "wan2"
        set vdom "root"
        set mode dhcp
        set distance 20
        set allowaccess ping fgfm
        set type physical
        set alias "isp2"
        set estimated-upstream-bandwidth 1800
        set estimated-downstream-bandwidth 18000
        set role wan
        set snmp-index 7
    next
 end

config system virtual-wan-link
    set status enable
    set load-balance-mode measured-volume-based
    config members
        edit 1
            set interface "wan1"
            set gateway xxx.xxx.xxx.xxx
            set volume-ratio 7
        next
        edit 2
            set interface "wan2"
            set gateway yyy.yyy.yyy.yyy
            set volume-ratio 1
        next
    end

    Best answer by ede_pfau

    For remote failure detection you need to set up a pingserver target or link monitor (which is ambiguous - a link failure is always detected, loss of network connectivity not). I understood that creating a WAN LLB will set up a link monitor as well but maybe you skipped that step.

    Then, the default settings require to miss 5 pings each 3 seconds apart. You can alter these values to get a more responsive behavior, risking "link flapping". Depends on what you're willing to tolerate.

    1 reply

    gsarica
    gsarica
    New Member
    August 12, 2016

    We had this issue as well, I believe you might need to configure the WAN Status Check so that it knows to update the default WAN load balance static route when packet loss is detected.

     

    Also as a side note, we had the same issue with WAN1 dropping out for 30 seconds or so when we put in a Fortigate 100D along with our particular ISP. Their router had issues accepting Fortigate updates via port 53. Not sure if this is the same issue you're having or who your ISP is but going into System -> FortiGuard and changing the FortiGuard Filtering Port from 53 to 8888 cleared that right up.

     

    Edit: Just realized you're running a different firmware, we're on 5.4.1. Though I'm sure some of the options I mentioned are there, just in different places.

    ede_pfau
    SuperUser
    ede_pfauAnswer
    SuperUser
    August 13, 2016

    For remote failure detection you need to set up a pingserver target or link monitor (which is ambiguous - a link failure is always detected, loss of network connectivity not). I understood that creating a WAN LLB will set up a link monitor as well but maybe you skipped that step.

    Then, the default settings require to miss 5 pings each 3 seconds apart. You can alter these values to get a more responsive behavior, risking "link flapping". Depends on what you're willing to tolerate.

    Eric_Brown
    Eric_BrownAuthor
    New Member
    August 13, 2016

    Thank you!. I see now what I missed.  WAN Link Health is an option in the GUI as of 5.4.1, so I set it there. 

    Terms & ConditionsAccessibility statement