adimailig
Staff
Article Id 287345
Description This article describes a deployment with multiple gateways on the same subnet, and the behavior of link-monitor when it monitors the layer 3 (IP) connection through a specified gateway.
Scope FortiGate.
Solution Network Deployment and Connection:

[Capture1.PNG: network deployment diagram]


Here the FortiGate (192.168.200.2) has two gateways on different devices but within the same subnet: GW_1 (192.168.200.1) and GW_2 (192.168.200.254). Both gateways are reachable from the same outgoing interface (port1).


config router static
    edit 1
        set gateway 192.168.200.1
        set device "port1"
    next
    edit 2
        set gateway 192.168.200.254
        set distance 100
        set device "port1"
    next
end


Link-monitor is configured to probe the IP connection that passes through GW_1. The gateway-ip must be set explicitly so that the monitor tests the path via GW_1 (192.168.200.1) rather than whichever gateway the routing table currently prefers.



config system link-monitor
    edit "GW_1"
        set addr-mode ipv4
        set srcintf "port1"
        set server-config default
        set server "8.8.8.8"
        set protocol ping
        set gateway-ip 192.168.200.1
        set source-ip 0.0.0.0
        set interval 500
        set probe-timeout 500
        set failtime 5
        set recoverytime 5
        set probe-count 30
        set ha-priority 1
        set update-cascade-interface enable
        set update-static-route enable
        set update-policy-route enable
        set status enable
        set diffservcode 000000
        unset class-id
        set service-detection disable
    next
end


When Link-Monitor is up/alive, the routing table shows that the default route is going to 192.168.200.1.


diag sys link-monitor status

Link Monitor: GW_1, Status: alive, Server num(1), HA state: local(alive), shared(alive)
Flags=0x1 init, Create time: Sun Dec 3 03:47:13 2023
Source interface: port1 (3)
Gateway: 192.168.200.1
Interval: 500 ms
Service-detect: disable
Diffservcode: 000000
Class-ID: 0
Peer: 8.8.8.8(8.8.8.8)
Source IP(192.168.200.2)
Route: 192.168.200.2->8.8.8.8/32, gwy(192.168.200.1)
protocol: ping, state: alive
Latency(Min/Max/Avg): 6.145/10.428/7.010 ms
Jitter(Min/Max/Avg): 0.023/3.889/0.601
Packet lost: 0.000%
Number of out-of-sequence packets: 0
Fail Times(0/5)
Packet sent: 1008, received: 1008, Sequence(sent/rcvd/exp): 1009/1009/1010


get router info routing-table database
<>

S 0.0.0.0/0 [100/0] via 192.168.200.254, port1
S *> 0.0.0.0/0 [10/0] via 192.168.200.1, port1
C *> 192.168.200.0/24 is directly connected, port1


When Link-Monitor goes down/dead, only the static route whose gateway matches the monitored gateway-ip is affected and removed from the routing table.
The route via 192.168.200.1 is tagged as inactive, while the static route via 192.168.200.254 remains active.
The default route therefore fails over to 192.168.200.254.

diag sys link-monitor status

Link Monitor: GW_1, Status: dead, Server num(1), HA state: local(dead), shared(dead)
Flags=0x9 init log_downgateway, Create time: Sun Dec 3 03:47:13 2023
Source interface: port1 (3)
Gateway: 192.168.200.1
Interval: 500 ms
Service-detect: disable
Diffservcode: 000000
Class-ID: 0
Peer: 8.8.8.8(8.8.8.8)
Source IP(192.168.200.2)
Route: 192.168.200.2->8.8.8.8/32, gwy(192.168.200.1)
protocol: ping, state: dead
Packet lost: 11.000%
Number of out-of-sequence packets: 0
Recovery times(0/5) Fail Times(2/5)
Packet sent: 1246, received: 1232, Sequence(sent/rcvd/exp): 1247/1234/1235


get router info routing-table database
<>

Routing table for VRF=0
S *> 0.0.0.0/0 [100/0] via 192.168.200.254, port1
S 0.0.0.0/0 [10/0] via 192.168.200.1, port1 inactive
C *> 192.168.200.0/24 is directly connected, port1


When the IP connection (link-monitor) recovers, the static route is automatically reinstated in the routing table.
Because it has the lower distance (10 versus 100), the active default gateway fails back to GW_1 (192.168.200.1).
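The failover and fail-back behavior described above, modelled as an added example (not code from the article or from Fortinet): a simplified link-monitor state machine with the article's failtime/recoverytime of 5, applied to the two static routes so that only the route whose gateway matches gateway-ip is flipped, and the routing-table selection picks the lowest-distance active route. Counter semantics are an assumption based on the Fail Times/Recovery times counters shown in the status output.

```python
"""Simplified model of FortiGate link-monitor driving static-route failover (added example)."""
from dataclasses import dataclass


@dataclass
class StaticRoute:
    gateway: str
    distance: int
    active: bool = True  # cleared/restored by link-monitor when update-static-route is enabled


@dataclass
class LinkMonitor:
    """Tracks probe results for one gateway-ip; thresholds follow the article's config."""
    gateway_ip: str
    failtime: int = 5        # consecutive failed probes before the monitor is marked dead
    recoverytime: int = 5    # consecutive successful probes before it is marked alive again
    alive: bool = True
    consecutive_fail: int = 0
    consecutive_ok: int = 0

    def probe(self, replied: bool) -> bool:
        """Feed one probe result (True = reply received) and return the new alive state."""
        if replied:
            self.consecutive_ok += 1
            self.consecutive_fail = 0
            if not self.alive and self.consecutive_ok >= self.recoverytime:
                self.alive = True
        else:
            self.consecutive_fail += 1
            self.consecutive_ok = 0
            if self.alive and self.consecutive_fail >= self.failtime:
                self.alive = False
        return self.alive


def apply_monitor(routes, monitor):
    """update-static-route: only routes whose gateway equals the monitored gateway-ip change state."""
    for route in routes:
        if route.gateway == monitor.gateway_ip:
            route.active = monitor.alive


def best_default_gateway(routes):
    """Routing-table selection: the '*>' entry is the lowest-distance route that is still active."""
    candidates = [r for r in routes if r.active]
    return min(candidates, key=lambda r: r.distance).gateway if candidates else None


def simulate(replies, routes=None, monitor=None):
    """Run a sequence of probe results; return the selected default gateway after each probe."""
    routes = routes or [StaticRoute("192.168.200.1", 10), StaticRoute("192.168.200.254", 100)]
    monitor = monitor or LinkMonitor("192.168.200.1")
    history = []
    for replied in replies:
        monitor.probe(replied)
        apply_monitor(routes, monitor)
        history.append(best_default_gateway(routes))
    return history
```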

diag sys link-monitor status

Link Monitor: GW_1, Status: alive, Server num(1), HA state: local(alive), shared(alive)
Flags=0x1 init, Create time: Sun Dec 3 03:47:13 2023
Source interface: port1 (3)
Gateway: 192.168.200.1
Interval: 500 ms
Service-detect: disable
Diffservcode: 000000
Class-ID: 0
Peer: 8.8.8.8(8.8.8.8)
Source IP(192.168.200.2)
Route: 192.168.200.2->8.8.8.8/32, gwy(192.168.200.1)
protocol: ping, state: alive
Latency(Min/Max/Avg): 6.831/10.159/8.740 ms
Jitter(Min/Max/Avg): 0.000/3.154/1.197
Packet lost: 85.000%
Number of out-of-sequence packets: 0
Fail Times(0/5)
Packet sent: 1555, received: 1247, Sequence(sent/rcvd/exp): 1556/1556/1557

get router info routing-table database
<>

Routing table for VRF=0
S 0.0.0.0/0 [100/0] via 192.168.200.254, port1
S *> 0.0.0.0/0 [10/0] via 192.168.200.1, port1
C *> 192.168.200.0/24 is directly connected, port1


Related article:

Technical Tip: Link monitor.