Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ighita
Staff
Staff

Created on ‎05-20-2020 12:37 AM Edited on ‎11-23-2025 11:35 PM By Community Manager

Article Id 194904

Technical Tip: Probe-timeout option for virtual-wan-link health-check and system link-monitor

Description

 

This article describes how to configure the following option:
The probe timeout option allows the user to set a timeout for probe packets for the virtual-wan-link health-check and system link.
The probe packets are considered to be lost if the RTT of the probe packet is more than the configured value.

Solution


From CLI.

FortiOS v6.2.

 

config system virtual-wan-link
    config health-check
        edit <name>
            set probe-timeout

 

FortiOS v6.4, v7.0, v7.2, v7.4, and v7.6.

 

config system sdwan
    config health-check
        edit <name>
            set probe-timeout <-- Time to wait before a probe packet is considered lost (500 - 3600000 msec, default = 500).

 

If the latency to the health-check server is more than 500ms, then the health-check shows the dead status. Mostly, this can be seen in Satellite (VSAT) links. For example, the normal latency for a health-check server over the VSAT link is 550ms, so set probe-timeout to more than 550ms to keep the health-check alive.


There are five built-in Performance SLA's that are configured by default, namely: 'Default_DNS', 'Default_FortiGuard', 'Default_Gmail', 'Default_Google Search', and 'Default_Office_365'. Each may show a different probe-timeout, which is not equivalent to the default setting. However, creating a new Performance SLA will automatically assign the default value, which is 500ms.

Example:

There are 2 members in the SD-WAN setup, and one of the interfaces never comes up. Link2 always shows 100% packet loss and is perceived as dead.

 

diagnose sys sdwan health-check
Health Check(google_DNS):
Seq(1 Link1): state(alive), packet-loss(0.000%) latency(95.469), jitter(4.942) sla_map=0x0
Health Check(Test):
Seq(1 Link1): state(alive), packet-loss(1.000%) latency(105.085), jitter(6.899) sla_map=0x0
Seq(2 Link2): state(dead), packet-loss(100.000%) sla_map=0x0

 

However, the Ping Server is pingable, and sniffer shows replies as follows:


diagnose sniffer packet Link2 " host 9.9.9.9 and icmp" 4 0 l
interfaces=[Link2]
filters=[ host 9.9.9.9 and icmp]
2021-02-04 19:08:08.761765 Link2 -- 193.186.197.31 -> 9.9.9.9: icmp: echo request
2021-02-04 19:08:09.368816 Link2 -- 9.9.9.9 -> 193.186.197.31: icmp: echo reply
2021-02-04 19:08:10.764591 Link2 -- 193.186.197.31 -> 9.9.9.9: icmp: echo request
2021-02-04 19:08:11.373735 Link2 -- 9.9.9.9 -> 193.186.197.31: icmp: echo reply

 

The issue is happening because of the link latency period. 

 

Increase the probe-timeout from the default value of 500 to 1000. Increase the probe-timeout by using these commands:

 

config system sdwan

    config health-check

        edit "health_check_name"

            set probe-timeout 1000

        next

    end

 

Output:

 

diagnose sys sdwan health-check

Health Check(google2):

Seq(1 Link1): state(alive), packet-loss(0.000%) latency(91.629), jitter(4.065) sla_map=0x0

Seq(2 Link2): state(alive), packet-loss(1.000%) latency(609.786), jitter(2.783) sla_map=0x0

 

Both health check members show that it is healthy now.

 

Related article:

Troubleshooting Tip: SD-WAN performance SLA down 

Labels:
8331
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.