Fortinet Community

mchu_FTNT · ‎09-27-2019

Description
This article describes how to keep one or more static route in the routing-table when link-monitor is failing.

Solution
Multiple static routes can be configured on the FortiGate, but as long as the interface is physically up and the next-hop is reachable, the route will not be removed from the routing-table.

Link-monitor is a feature that allows the FortiGate to probe a server with different protocols ( ping, tcp-echo, udp-echo, http or twamp).
The advantage of this feature is to bring down some routes when the SLAs are not met.
One drawback is that when the link-monitor is failing, it will remove all static routes using this interface.

Here is a config example:

#config router static
    edit 1
        set gateway 192.168.0.1
        set device "port1"
    next
    edit 2
        set dst 192.168.2.2 255.255.255.255
        set gateway 192.168.0.1
        set device "port1"
    next
    edit 3
        set dst 192.168.3.3 255.255.255.255
        set gateway 192.168.0.2
        set device "port1"
    next
end

There are 2 static routes to different subnets and 1 default route. All of the routes are using port1.
A link monitor is also configured to monitor a server (8.8.8.8) with regular pings and gateway-ip as 192.168.0.1.

#config system link-monitor
    edit "test"
        set srcintf "port1"
        set server "8.8.8.8"
        set gateway-ip 192.168.0.1
    next
end

The routing table will be as follow:

# get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 192.168.0.1, port1
C       192.168.0.0/24 is directly connected, port1
S       192.168.2.2/32 [10/0] via 192.168.0.2, port1
S       192.168.3.3/32 [10/0] via 192.168.0.3, port1
C       192.168.21.0/24 is directly connected, port2

Whenever the link-monitor is failing, all static routes will be removed.

# diagnose sys link-monitor status
Link Monitor: test, Status: die, Server num(1), Flags=0x9 init, Create time: Wed Mar 10 01:32:41 2021
Source interface: port1 (3)
Gateway: 192.168.0.1
Interval: 500 ms
Peer: 8.8.8.1(8.8.8.1)
        Source IP(192.168.0.20)
        Route: 192.168.0.20->8.8.8.8/32, gwy(192.168.0.1)
        protocol: ping, state: die
        Packet lost: 100.000%
        Number of out-of-sequence packets: 0
                  Recovery times(0/5) Fail Times(2/5)
                  Packet sent: 1208, received: 0, Sequence(sent/rcvd/exp): 1209/0/0

The solution is to use a special option on the static route. This option is called “link-monitor-exempt”.
For example if it's required to keep default route, set it to “enable” for routes #1,

#config router static
    edit 1
        set link-monitor-exempt enable
    next
end

# get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 192.168.0.1, port1
C       192.168.0.0/24 is directly connected, port1
S       192.168.3.3/32 [10/0] via 192.168.0.2, port1
C       192.168.21.0/24 is directly connected, port2

Notice static route #2 is removed by the link-monitor but route #3 is still up, this is because route #3’s gateway IP is different with link-monitor gateway-ip, therefore link-monitor does NOT bring down static route #3.

Fortinet Community

Technical Tip: Prevent removal of all static routes when link-monitor is failing