Description
This article describes the commands used to check the link and link-monitor process status.
Solution
Use the command below to display the complete link-monitor configuration on the FortiGate:
# show full-configuration system link-monitor
aegon-kvm20 # show full-configuration system link-monitor
# config system link-monitor
edit "wan1"
set addr-mode ipv4
set srcintf "port3"
set server "8.8.8.8"
set protocol ping
set gateway-ip 0.0.0.0
set source-ip 0.0.0.0
set interval 500
set failtime 5 <----- Number of retry attempts before the server is considered down.
set recoverytime 5 <----- Number of successful responses received before server is considered recovered.
set ha-priority 1
set update-cascade-interface enable
set update-static-route enable
set status enable
next
edit "wan2"
set addr-mode ipv4
set srcintf "port4"
set server "8.8.8.8"
set protocol ping
set gateway-ip 0.0.0.0
set source-ip 0.0.0.0
set interval 500
set failtime 5
set recoverytime 5
set ha-priority 1
set update-cascade-interface enable
set update-static-route enable
set status enable
next
end
Use the command below to display the link-monitor status on the FortiGate:
aegon-kvm20 # diagnose sys link-monitor status
Link Monitor: wan1, Status: die, Server num(1), Flags=0x9 init, Create time: Sun Apr 11 12:24:09 2021
Source interface: port3 (5)
Interval: 500 ms
Peer: 8.8.8.8(8.8.8.8)
Source IP(172.31.128.20) <----- Source IP used for link-monitor.
Route: 172.31.128.20->8.8.8.8/32, gwy(172.31.128.20) <----- Route and gateway information.
protocol: ping, state: die <----- FortiGate has failed to get 5 consecutive ping responses from 8.8.8.8 and the link-monitor daemon has brought down the port3 route.
Packet lost: 100.000%
Number of out-of-sequence packets: 0
Recovery times(0/5) Fail Times(5/5) <-----
Packet sent: 766, received: 0, Sequence(sent/rcvd/exp): 767/0/0
Link Monitor: wan2, Status: alive, Server num(1), Flags=0x1 init, Create time: Sun Apr 11 12:30:26 2021
Source interface: port4 (6)
Interval: 500 ms
Peer: 8.8.8.8(8.8.8.8)
Source IP(172.31.192.20)
Route: 172.31.192.20->8.8.8.8/32, gwy(172.31.192.20)
protocol: ping, state: alive <----- Link status of the source interface.
Latency(Min/Max/Avg): 0.778/1.398/0.914 ms
Jitter(Min/Max/Avg): 0.000/0.605/0.091
Packet lost: 0.000%
Number of out-of-sequence packets: 0
Fail Times(0/5)
Packet sent: 13, received: 13, Sequence(sent/rcvd/exp): 14/14/15
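One way to turn the status output above into a health check, as an added example that is not Fortinet's code: it parses each Link Monitor block and reports monitors whose status is not alive or that show packet loss or failed probes. The sample text is trimmed from the output on this page; the function names and the 10% loss threshold are assumptions.

```python
import re

# Sample trimmed from the status output shown on this page.
SAMPLE = """\
Link Monitor: wan1, Status: die, Server num(1), Flags=0x9 init, Create time: Sun Apr 11 12:24:09 2021
Source interface: port3 (5)
protocol: ping, state: die
Packet lost: 100.000%
Recovery times(0/5) Fail Times(5/5) <-----
Link Monitor: wan2, Status: alive, Server num(1), Flags=0x1 init, Create time: Sun Apr 11 12:30:26 2021
Source interface: port4 (6)
protocol: ping, state: alive
Packet lost: 0.000%
Fail Times(0/5)
"""

HEADER = re.compile(r"^Link Monitor: (?P<name>[^,]+), Status: (?P<status>\w+)")
FIELDS = {
    "interface": (re.compile(r"^Source interface: (\S+)"), str),
    "loss_pct": (re.compile(r"^Packet lost: ([\d.]+)%"), float),
    "fails": (re.compile(r"Fail Times\((\d+)/\d+\)"), int),
}

def parse_status(text):
    """Return one dict per 'Link Monitor:' block in the command output."""
    monitors = []
    for raw in text.splitlines():
        # Drop KB-style annotations before matching.
        line = raw.split("<-----")[0].split("<<<")[0].strip()
        m = HEADER.match(line)
        if m:
            monitors.append(m.groupdict())
            continue
        for key, (rx, cast) in FIELDS.items():
            hit = rx.search(line)
            if hit and monitors:  # ignore lines before the first block
                monitors[-1][key] = cast(hit.group(1))
    return monitors

def alerts(monitors, loss_threshold=10.0):
    """Return (name, reason) for monitors that are down or degrading."""
    out = []
    for mon in monitors:
        if mon["status"] != "alive":
            out.append((mon["name"], f"status={mon['status']} on {mon.get('interface')}"))
        elif mon.get("loss_pct", 0.0) >= loss_threshold or mon.get("fails", 0) > 0:
            out.append((mon["name"], f"degraded: loss={mon.get('loss_pct')}% fails={mon.get('fails')}"))
    return out
```

Calling alerts(parse_status(SAMPLE)) reports only wan1; a monitor that is still alive but already missing probes is reported as degraded before failtime is reached.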
Keep in mind that after failing back from wan2 to wan1 (when wan1 is restored), all sessions with SNAT enabled continue to use wan2 until they expire if snat-route-change is set to "disable".
In sessions where SNAT is applied, the action depends on the following setting (which is disabled by default):
config system global
set snat-route-change [disable|enable]
end
When this setting is disabled (the default), after a routing change, established sessions with SNAT keep using the same outbound interface as long as the old route is still active, or until they expire (even though the route is no longer the best).
When this setting is enabled, the routing information is flushed from the session table, just like it is when SNAT is not applied to a session.