FortiGate
epinheiro
Staff
Article Id 352606
Description This article describes how to monitor a GRE tunnel using keepalive.
Scope FortiGate, GRE Tunnel, GRE over IPsec.
Solution

The GRE tunnel interface will always be 'up'. This means that the same route will still be used even when the remote GRE tunnel is down.

To work around this, configuring keepalive or a link monitor is recommended.

 

For link monitor configuration:

Technical Tip: GRE Tunnel monitoring 

 

By default, GRE keepalive is set to '0' on FortiGate, which means that keepalive is disabled.

 

After the desired 'keepalive-interval' is set, keepalive runs and starts monitoring the tunnel. If no value is set for 'keepalive-failtimes', FortiGate uses '10', which is the default value.

 

With the keepalive properly configured and matching on the local and remote ends, run 'diagnose sys gre keepalive' to monitor it.

 

 When the keepalive fails according to the 'interval' and 'fail' timers, the routes via the GRE tunnel will be removed from the routing table.

  • Keepalive OK: [screenshot]

 

  • Keepalive not OK: [screenshot]
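The defaults and the requirement that both ends match can be checked offline against configuration backups. The Python script below is an added example, not Fortinet code: it parses 'config system gre-tunnel' blocks, fills in the defaults stated in this article for options that are not present, and flags a disabled keepalive or a mismatch between the two ends. It assumes that options left at their default are absent from the configuration text; the tunnel names and addresses are constructed sample values.

```python
# Added example. Defaults per the article: interval 0 (disabled), failtimes 10.
DEFAULTS = {"keepalive-interval": 0, "keepalive-failtimes": 10}

def parse_gre_tunnels(config_text):
    """Parse 'config system gre-tunnel' blocks; unset options take DEFAULTS."""
    tunnels, in_block, current = {}, False, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system gre-tunnel":
            in_block = True
        elif not in_block:
            continue
        elif line == "end":
            in_block, current = False, None
        elif line.startswith("edit "):
            current = line[5:].strip().strip('"')
            tunnels[current] = dict(DEFAULTS)
        elif line.startswith("set ") and current:
            parts = line.split()
            # Only the two keepalive options are tracked; other settings are skipped.
            if len(parts) == 3 and parts[1] in DEFAULTS:
                tunnels[current][parts[1]] = int(parts[2])
    return tunnels

def audit_pair(local, remote):
    """Flag a disabled keepalive on either end and any mismatch between ends."""
    findings = []
    for side, cfg in (("local", local), ("remote", remote)):
        if cfg["keepalive-interval"] == 0:
            findings.append(f"{side}: keepalive disabled (keepalive-interval 0)")
    if local != remote:
        findings.append("keepalive settings differ between local and remote")
    return findings

# Constructed sample configs; tunnel names and addresses are hypothetical.
SITE_A = """config system gre-tunnel
    edit "gre-to-b"
        set remote-gw 198.51.100.2
        set keepalive-interval 5
        set keepalive-failtimes 3
    next
end"""
SITE_B = """config system gre-tunnel
    edit "gre-to-a"
        set remote-gw 203.0.113.1
    next
end"""

if __name__ == "__main__":
    print(audit_pair(parse_gre_tunnels(SITE_A)["gre-to-b"], parse_gre_tunnels(SITE_B)["gre-to-a"]))
```

With the sample input, site B is reported as having keepalive disabled because it never sets 'keepalive-interval', which is the case where the route would stay in place while the remote end is down.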

 
