Created on 04-11-2021 11:07 PM
Edited on 07-07-2025 06:17 AM
By Jean-Philippe_P
Description
This article describes the command to find the link and link-monitor process status.
Scope
FortiGate.
Solution
Use the following command to display the complete link-monitor configuration on the FortiGate:
show full-configuration system link-monitor
aegon-kvm20 # show full-configuration system link-monitor
config system link-monitor
    edit "wan1"
        set addr-mode ipv4
        set srcintf "port3"
        set server "8.8.8.8"
        set protocol ping
        set gateway-ip 0.0.0.0
        set source-ip 0.0.0.0
        set interval 500
        set failtime 5 <----- Number of retry attempts before the server is considered down.
        set recoverytime 5 <----- Number of successful responses received before the server is considered recovered.
        set ha-priority 1
        set update-cascade-interface enable
        set update-static-route enable
        set status enable
    next
    edit "wan2"
        set addr-mode ipv4
        set srcintf "port4"
        set server "8.8.8.8"
        set protocol ping
        set gateway-ip 0.0.0.0
        set source-ip 0.0.0.0
        set interval 500
        set failtime 5
        set recoverytime 5
        set ha-priority 1
        set update-cascade-interface enable
        set update-static-route enable
        set status enable
    next
end
Use the following command to display the link-monitor status on the FortiGate:
aegon-kvm20 # diagnose sys link-monitor status
Link Monitor: wan1, Status: die, Server num(1), Flags=0x9 init, Create time: Sun Apr 11 12:24:09 2021
Source interface: port3 (5)
Interval: 500 ms
Peer: 8.8.8.8(8.8.8.8)
Source IP(172.31.128.20) <----- Source IP used for link-monitor.
Route: 172.31.128.20->8.8.8.8/32, gwy(172.31.128.20) <----- Route and gateway information.
protocol: ping, state: die <----- FortiGate has failed to get 5 consecutive ping responses from 8.8.8.8 and the link-monitor daemon has brought down the port3 route.
Packet lost: 100.000%
Number of out-of-sequence packets: 0
Recovery times(0/5) Fail Times(5/5) <-----
Packet sent: 766, received: 0, Sequence(sent/rcvd/exp): 767/0/0
Link Monitor: wan2, Status: alive, Server num(1), Flags=0x1 init, Create time: Sun Apr 11 12:30:26 2021
Source interface: port4 (6)
Interval: 500 ms
Peer: 8.8.8.8(8.8.8.8)
Source IP(172.31.192.20)
Route: 172.31.192.20->8.8.8.8/32, gwy(172.31.192.20)
protocol: ping, state: alive <----- Link status of the source interface.
Latency(Min/Max/Avg): 0.778/1.398/0.914 ms
Jitter(Min/Max/Avg): 0.000/0.605/0.091
Packet lost: 0.000%
Number of out-of-sequence packets: 0
Fail Times(0/5)
Packet sent: 13, received: 13, Sequence(sent/rcvd/exp): 14/14/15
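The status output above can be checked automatically once it has been saved as text. The following Python sketch is an added example, not Fortinet code: it parses each 'Link Monitor:' block and lists the monitors that are not alive. The dictionary keys and function names are chosen here, and treating interval x failtime as the time needed to declare a link down is an assumption based on the setting descriptions in this article.

```python
import re

# Constructed sample: trimmed copy of the status output shown in this article.
SAMPLE = """\
Link Monitor: wan1, Status: die, Server num(1), Flags=0x9 init, Create time: Sun Apr 11 12:24:09 2021
Source interface: port3 (5)
Interval: 500 ms
protocol: ping, state: die <----- annotation pasted along with the output
Packet lost: 100.000%
Recovery times(0/5) Fail Times(5/5)
Link Monitor: wan2, Status: alive, Server num(1), Flags=0x1 init, Create time: Sun Apr 11 12:30:26 2021
Source interface: port4 (6)
Interval: 500 ms
Packet lost: 0.000%
Fail Times(0/5)
"""

HEADER = re.compile(r"Link Monitor:\s*([^,]+),\s*Status:\s*(\w+)")
FIELDS = {  # key -> (pattern, type); patterns follow the line layout shown above
    "srcintf": (re.compile(r"Source interface:\s*(\S+)"), str),
    "interval_ms": (re.compile(r"Interval:\s*(\d+)\s*ms"), int),
    "loss_pct": (re.compile(r"Packet lost:\s*([\d.]+)%"), float),
    "fail_count": (re.compile(r"Fail Times\((\d+)/\d+\)"), int),
    "failtime": (re.compile(r"Fail Times\(\d+/(\d+)\)"), int),
}

def parse_status(text):
    """Return one dict per 'Link Monitor:' block of the status output."""
    monitors = []
    for raw in text.splitlines():
        line = raw.split("<", 1)[0]  # drop "<-----" / "<<<" notes copied from an article
        head = HEADER.match(line.strip())
        if head:
            monitors.append({"name": head.group(1).strip(), "status": head.group(2)})
        elif monitors:
            for key, (rx, cast) in FIELDS.items():
                hit = rx.search(line)
                if hit:
                    monitors[-1][key] = cast(hit.group(1))
    return monitors

def down_monitors(text):
    """(name, interface, ms of consecutive failures needed to mark it down) for dead links."""
    return [(m["name"], m.get("srcintf"), m.get("interval_ms", 0) * m.get("failtime", 0))
            for m in parse_status(text) if m["status"] != "alive"]

if __name__ == "__main__":
    for name, intf, ms in down_monitors(SAMPLE):
        print(f"{name} ({intf}) is down after {ms} ms of failed probes")
```
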
Keep in mind that after failing back from wan2 to wan1 (when wan1 is restored), all sessions with SNAT enabled continue to use wan2 until they expire if snat-route-change is set to 'disable'.
In sessions where SNAT is applied, the action depends on the following setting (which is disabled by default):
config system global
    set snat-route-change [disable|enable]
end
When this setting is disabled (the default), established sessions with SNAT keep using the same outbound interface after a routing change, as long as the old route is still active or until they expire (even though that route is no longer the best).
When this setting is enabled, the routing information is flushed from the session table, just like it is when SNAT is not applied to a session.
Related article:
Technical Tip: Link-Monitor Explained