Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
sharmaj
Staff
Staff

Created on ‎04-06-2022 11:21 PM Edited on ‎10-16-2024 08:11 AM By Moderator

Article Id 208593

Technical Tip: MPLS and IPSEC tunnel redundancy with link monitoring and performance SLA

Description This article describes how to create redundancy with IPsec and MPLS links.
Scope All FortiGate versions.
Solution

This is regarding the scenario where the users are looking to create remote connectivity primarily with the MPLS link and secondarily as a redundant path to the IPsec tunnel.

 

Since the routes provided to both will be on the basis of the AD value/priority or the SD-WAN rules.

 

Along with the routing, the best recommendation will also be to create a link monitor.

 

To make efficient redundancy, a link monitor will be configured to keep the health of the interface in check. 

 

sharmaj_0-1649270836723.png

 

  • Performance SLA link health monitoring measures the health of links that are connected to SD-WAN member interfaces by either sending probing signals through each link to a server, or using session information that is captured on firewall policies and measuring the link quality based on latency, jitter, and packet loss.

  • Here, the server will be set as the remote gateway of the other peer's wan interface IP and when the probe packets are lost, the traffic will be automatically routed towards the IPsec tunnel considering the primary MPLS link is down.

  • SLA targets will make sure that if those targets are not matched, the routes on that link are removed from the SD-WAN link load balancing group, and traffic is routed through other links.

  • When the link is working again the routes are reestablished. This prevents traffic from being sent to a broken link and lost.

 

It is also possible to configure link monitoring if static routes are used for both the links from CLI, there is no option for GUI for the same:

 

When using link-monitor Primary and secondary should have the same Ad value and priority should differ to reestablish the active routes once the link status is UP.

 

For example Primary link AD value is 2 and priority is 1.

The secondary link AD value is 2 and the priority is 2.

 

If the Primary link goes down traffic will be shifted to the secondary and when the Primary link status is up routes are restored via the Primary link under active routes.


config system link-monito
    edit "1"
        set addr-mode ipv4
        set srcintf ''
        set protocol ping
        set gateway-ip 0.0.0.0
        set source-ip 0.0.0.0
        set interval 500
        set probe-timeout 500
        set failtime 5
        set recoverytime 5
        set probe-count 30
        set ha-priority 1
        set update-cascade-interface enable
        set update-static-route enable
        set status enable
    next
end

 

Related documents:

Technical Tip: Link monitor

Link health monitor
Labels:
3120
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.