msalman1
Staff
Description
This document shows how to prevent a static route from being removed from the routing table when the link monitor detects a failure and triggers a failover.
Consider the below topology:


With the basic link monitor configuration, when the connection between ROUTER1 and INTERNET goes down, failover happens and the traffic for 10.147.0.0/22 fails over as well.

Notice that the link between HQ_FW and ROUTER1 is fine, and the link between ROUTER1 and BR_FW is also fine. There was therefore no need for the traffic to 10.147.0.0/22 to fail over.

Below is the configuration on HQ_FW without the exemption:
#config router static
    edit 1
        set gateway 10.129.2.67
        set device "port3"
    next
    edit 2
        set gateway 10.169.2.67
        set distance 101                            <----- notice the distance is higher to make this the secondary route.
        set device "port4"
    next
    edit 3
        set dst 10.147.0.0 255.255.252.0            <----- static route to the branch network.
        set gateway 10.129.2.67
        set device "port3"
    next
end


#config system link-monitor
    edit "WAN1_Failover"
        set srcintf "port3"
        set server "8.8.8.8"
        set gateway-ip 10.129.2.67
    next
    edit "WAN2_Failover"
        set srcintf "port4"
        set server "8.8.8.8"
        set gateway-ip 10.169.2.67
    next
end
Route before failure:

S*      0.0.0.0/0 [10/0] via 10.129.2.67, port3                              <----- internet.
S       10.147.0.0/22 [10/0] via 10.129.2.67, port3                        <----- static route.

Below snip is continuous ping during a failover:


Route after failure:

S*      0.0.0.0/0 [101/0] via 10.169.2.67, port4                             <----- internet and branch traffic both now use this.

Notice that the more specific route for the 10.147.0.0/22 network is gone, and there were a few drops.

Solution
To keep the branch traffic from failing over, use the “link-monitor-exempt” setting on the static route:
#config router static
    edit 3
        set dst 10.147.0.0 255.255.252.0
        set gateway 10.129.2.67
        set device "port3"
        set link-monitor-exempt enable               <---- extra line added.
    next
end
Now compare the new pings and the route after a failover: the ping to the internet dropped, but the ping to the branch did not.


S*      0.0.0.0/0 [101/0] via 10.169.2.67, port4
S       10.147.0.0/22 [10/0] via 10.129.2.67, port3

Both routes are present: branch traffic goes through port3 and internet traffic goes through port4.
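The following is an added example, not part of the original article or Fortinet's own code. It models the behaviour described in both halves of this article: a parser for the static-route lines of the `get router info routing-table all` output shown above, a longest-prefix lookup to see which path a destination takes, and a small model of the link monitor withdrawing routes that use the failed gateway unless the route is marked link-monitor-exempt. The sample routing tables are the ones quoted in the article; the function names, the host 10.147.1.10 and the simplified withdrawal rule are assumptions made for the example.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, NamedTuple, Optional, Set

# Matches the static-route lines FortiOS prints, e.g.
#   S*      0.0.0.0/0 [10/0] via 10.129.2.67, port3
# Trailing annotations such as "<----- internet." are ignored.
ROUTE_LINE = re.compile(
    r"^(?P<proto>[A-Z])\*?\s+"
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"\[(?P<distance>\d+)/(?P<metric>\d+)\]\s+"
    r"via\s+(?P<gateway>\d+\.\d+\.\d+\.\d+),\s+(?P<device>\S+)"
)


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    distance: int
    gateway: str
    device: str


def parse_routing_table(text: str) -> List[Route]:
    """Parse the static-route lines of a FortiOS routing-table dump."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line.strip())
        if not m:
            continue  # headers, blank lines and non-route text are skipped
        routes.append(Route(
            prefix=ipaddress.ip_network(m["prefix"]),
            distance=int(m["distance"]),
            gateway=m["gateway"],
            device=m["device"],
        ))
    return routes


def lookup(routes: Iterable[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; ties go to the lower administrative distance."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.distance))


def active_routes(configured: Iterable[Route], down_gateways: Set[str],
                  exempt: Set[ipaddress.IPv4Network]) -> List[Route]:
    """Simplified model (assumption): when the link monitor declares a
    gateway dead, every route via that gateway is withdrawn unless its
    prefix is link-monitor-exempt; of the surviving routes to the same
    prefix, only the one with the lowest distance is installed."""
    best: Dict[ipaddress.IPv4Network, Route] = {}
    for r in configured:
        if r.gateway in down_gateways and r.prefix not in exempt:
            continue
        cur = best.get(r.prefix)
        if cur is None or r.distance < cur.distance:
            best[r.prefix] = r
    return list(best.values())


# Routing-table output quoted in the article (constructed sample input).
BEFORE = """
S*      0.0.0.0/0 [10/0] via 10.129.2.67, port3        <----- internet.
S       10.147.0.0/22 [10/0] via 10.129.2.67, port3    <----- static route.
"""
AFTER_NO_EXEMPT = """
S*      0.0.0.0/0 [101/0] via 10.169.2.67, port4       <----- internet and branch traffic both now use this.
"""
AFTER_EXEMPT = """
S*      0.0.0.0/0 [101/0] via 10.169.2.67, port4
S       10.147.0.0/22 [10/0] via 10.129.2.67, port3
"""

# The three static routes from the HQ_FW configuration above.
CONFIGURED = [
    Route(ipaddress.ip_network("0.0.0.0/0"), 10, "10.129.2.67", "port3"),
    Route(ipaddress.ip_network("0.0.0.0/0"), 101, "10.169.2.67", "port4"),
    Route(ipaddress.ip_network("10.147.0.0/22"), 10, "10.129.2.67", "port3"),
]
BRANCH = ipaddress.ip_network("10.147.0.0/22")


def branch_device(text: str, host: str = "10.147.1.10") -> Optional[str]:
    """Which egress interface a branch host would use, per the dump."""
    r = lookup(parse_routing_table(text), host)
    return r.device if r else None


if __name__ == "__main__":
    for name, table in [("before", BEFORE), ("after, no exempt", AFTER_NO_EXEMPT),
                        ("after, exempt", AFTER_EXEMPT)]:
        print(f"{name:18} branch via {branch_device(table)}")
    for exempt in (set(), {BRANCH}):
        live = active_routes(CONFIGURED, {"10.129.2.67"}, exempt)
        print(f"simulated port3 gateway down, exempt={bool(exempt)}: "
              f"branch via {lookup(live, '10.147.1.10').device}, "
              f"internet via {lookup(live, '8.8.8.8').device}")
```

Run against a fresh `get router info routing-table all` capture after a failover drill, `branch_device()` gives a quick check that the exempt route survived; the simulation shows why, without the exemption, the /22 disappears together with the default route that shares its gateway.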
