ighita
Staff
Article Id 194904

Description


The probe-timeout option sets a timeout for the probe packets used by virtual-wan-link health-check and system link.
A probe packet is considered lost if its RTT is more than the configured value.

This article describes how to configure this option.


Solution


From CLI.

FortiOS 6.2.

 

config system virtual-wan-link
    config health-check
        edit <name>
            set probe-timeout <timeout>
        next
    end
end

 

FortiOS 6.4, 7.0 and 7.2.

 

config system sdwan
    config health-check
        edit <name>
            set probe-timeout <timeout>    <-- Time to wait before a probe packet is considered lost (500 - 3600000 msec, default = 500).
        next
    end
end

 

If the latency to the health-check server is more than 500 ms, the health check shows the dead status. This is mostly seen on satellite (VSAT) links. For example, if the normal latency to a health-check server over the VSAT link is 550 ms, set probe-timeout to more than 550 ms to keep the health check alive.

 

Example:

There are 2 members in the SD-WAN setup and one of the interfaces never comes up. Link2 always shows 100% packet loss and is perceived as dead.

 

diag sys sdwan health-check
Health Check(google_DNS):
Seq(1 Link1): state(alive), packet-loss(0.000%) latency(95.469), jitter(4.942) sla_map=0x0
Health Check(Test):
Seq(1 Link1): state(alive), packet-loss(1.000%) latency(105.085), jitter(6.899) sla_map=0x0
Seq(2 Link2): state(dead), packet-loss(100.000%) sla_map=0x0

 

However, the ping server is reachable, and the sniffer shows the replies arriving:


diag sniffer packet Link2 " host 9.9.9.9 and icmp" 4 0 l
interfaces=[Link2]
filters=[ host 9.9.9.9 and icmp]
2021-02-04 19:08:08.761765 Link2 -- 193.186.197.31 -> 9.9.9.9: icmp: echo request
2021-02-04 19:08:09.368816 Link2 -- 9.9.9.9 -> 193.186.197.31: icmp: echo reply
2021-02-04 19:08:10.764591 Link2 -- 193.186.197.31 -> 9.9.9.9: icmp: echo request
2021-02-04 19:08:11.373735 Link2 -- 9.9.9.9 -> 193.186.197.31: icmp: echo reply

 

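The issue is caused by the link latency. In the capture above, each echo reply arrives about 607 to 609 ms after its request, which is more than the default probe-timeout of 500 ms, so every probe is counted as lost.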
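The same check can be scripted against saved sniffer output. The following is an added example, not part of the original article: it pairs each echo request with its reply and counts the probes that would be treated as lost for a given probe-timeout. The function names and the last request line in the sample (a probe with no reply) are constructed for illustration, and it assumes sniffer timestamps approximate the RTT the health check measures.

```python
import re
from datetime import datetime

# Matches sniffer lines such as:
# 2021-02-04 19:08:08.761765 Link2 -- 193.186.197.31 -> 9.9.9.9: icmp: echo request
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6}) (\S+) -- "
    r"(\S+) -> (\S+): icmp: echo (request|reply)$"
)

def probe_rtts(sniffer_text, server):
    """Return one RTT in ms per echo request sent to `server` (None if unanswered)."""
    rtts = []
    pending = None  # timestamp of the request still waiting for its reply
    for line in sniffer_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header lines such as interfaces=[...] and filters=[...]
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        src, dst, kind = m.group(3), m.group(4), m.group(5)
        # These lines carry no ICMP sequence number, so pairing is
        # sequential: a reply answers the most recent unanswered request.
        if kind == "request" and dst == server:
            if pending is not None:
                rtts.append(None)  # previous request never got a reply
            pending = ts
        elif kind == "reply" and src == server and pending is not None:
            rtts.append((ts - pending).total_seconds() * 1000.0)
            pending = None
    if pending is not None:
        rtts.append(None)
    return rtts

def lost_probes(rtts, probe_timeout_ms):
    """Count probes treated as lost: no reply, or RTT above probe-timeout."""
    return sum(1 for r in rtts if r is None or r > probe_timeout_ms)

# Capture lines from the article, plus one constructed request with no reply.
SAMPLE = """\
interfaces=[Link2]
filters=[ host 9.9.9.9 and icmp]
2021-02-04 19:08:08.761765 Link2 -- 193.186.197.31 -> 9.9.9.9: icmp: echo request
2021-02-04 19:08:09.368816 Link2 -- 9.9.9.9 -> 193.186.197.31: icmp: echo reply
2021-02-04 19:08:10.764591 Link2 -- 193.186.197.31 -> 9.9.9.9: icmp: echo request
2021-02-04 19:08:11.373735 Link2 -- 9.9.9.9 -> 193.186.197.31: icmp: echo reply
2021-02-04 19:08:12.767002 Link2 -- 193.186.197.31 -> 9.9.9.9: icmp: echo request
"""

if __name__ == "__main__":
    rtts = probe_rtts(SAMPLE, "9.9.9.9")
    for timeout in (500, 1000):
        print(f"probe-timeout {timeout} ms: {lost_probes(rtts, timeout)}/{len(rtts)} lost")
```

A probe that is still lost at the higher timeout, like the unanswered request here, points to real packet loss rather than latency.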

 

Increase the probe-timeout from the default value of 500 to 1000 by using these commands:

 

config system sdwan
    config health-check
        edit "health_check_name"
            set probe-timeout 1000
        next
    end
end

 

Output:

diagnose sys sdwan health-check
Health Check(google2):
Seq(1 Link1): state(alive), packet-loss(0.000%) latency(91.629), jitter(4.065) sla_map=0x0
Seq(2 Link2): state(alive), packet-loss(1.000%) latency(609.786), jitter(2.783) sla_map=0x0

 

Both health-check members now show as healthy.