Zone - Link monitor ?

Question

Hello,

I have 2 differents sites, I must join site B from site A and site A from site B. I have 1 MPLS connection between these two sites (site to site) with one network equipement on each side. I have 1 VPN IPSEC connection between these two sites. MPLS and IPSEC interfaces are members of a Zone.

Administrative distance for both is setup to 10. Priority for IPSEC is 10 and 5 for MPLS.

I am located to the site A which is managed by my Fortigate 200E. The site B is managed by a Cisco ASA.

What I want it's to use MPLS first and if it's down for any reason use the IPSEC.

My problem is : If I simulate a failure by deactivating MPLS from site A, it's ok my Forti switchs to IPSEC but If i simulate a failure to the site B, my Forti continues to use MPLS beacause ( I think) the one on site A is still reachable.

How could I tell to Forti that if MPLS equipement on site B it's not reachable use the IP SEC ?

Regards,

Toshi_Esumi · Answer

When you take MPLS down on Site B side, the interface on the 200E is still up and routing won't change on the FGT.

As you already hinted yourself, you should use link-monitor over MPLS pinging the other end. It take those static routes out when it detects circuit down.

https://kb.fortinet.com/kb/documentLink.do?externalID=FD44679

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded