Scenario:
- IPsec interface for internet access is used.
- These IPsec interfaces are members of the SD-WAN link.
- The goal is to monitor the health-check of these 2 IPsec interfaces for the SD-WAN performance SLA.
Simple diagram:
Users are behind subnet 192.168.100.0/24 with gateway 192.168.100.1 (FortiGate LAN interface).
Both IPsec interfaces are up.
The SD-WAN health-check (called: ipsec_check):
SpokeB (sdwan) # show health-check ipsec_check
config health-check
    edit "ipsec_check"
        set server "1.1.1.1"     -> ping probe to server 1.1.1.1
        set members 0            -> all members ipsec_1 & ipsec_2
    next
end
Note: 'set members 0' indicates that the health-check (ipsec_check) applies to all VWL (virtual WAN link) members. For customer-configured health-check profiles, if no members are explicitly configured, the system automatically appends 'set members 0' to the profile.
Although both interfaces are up, the health-check reports them as dead:
SpokeB (root) # diagnose sys sdwan health-check
Health Check(ipsec_check):
Seq(1 ipsec_1): state(dead), packet-loss(100.000%) sla_map=0x0
Seq(2 ipsec_2): state(dead), packet-loss(100.000%) sla_map=0x0
By default, the IPsec site-to-site interface has no IP address:
- The overlays have no IP address assigned to them, so FortiGate uses the address of the interface with the lowest index number as the source address of the probe.
SpokeB (root) # show system interface ipsec_1
config system interface
    edit "ipsec_1"
        set vdom "root"
        set allowaccess ping https ssh snmp http fgfm
        set type tunnel
        set snmp-index 22
        set interface "port7"
    next
end
SpokeB (root) # show system interface ipsec_2
config system interface
    edit "ipsec_2"
        set vdom "root"
        set allowaccess ping https ssh snmp http fgfm
        set type tunnel
        set snmp-index 23
        set interface "port9"
    next
end
There are 2 workarounds available to solve this problem; either one can be chosen.
Alternative 1:
- Define an IP address on each IPsec interface. By default, an IPsec site-to-site interface has no IP address; however, the ping mechanism needs a source IP address to work properly, so one must be assigned for reachability to be acknowledged.
This IP should be reachable from the partner IPsec node. In this case, use '10.100.10.1' for ipsec_1 and '10.100.20.1' for ipsec_2. 'Remote IP' is a dummy IP - it is not necessary to assign it to any interface.
SpokeB (root) # show system interface ipsec_1
config system interface
    edit "ipsec_1"
        set vdom "root"
        set ip 10.100.10.1 255.255.255.255
        set allowaccess ping https ssh snmp http fgfm
        set type tunnel
        set remote-ip 10.100.10.2 255.255.255.252
        set snmp-index 22
        set interface "port7"
    next
end
SpokeB (root) # show system interface ipsec_2
config system interface
    edit "ipsec_2"
        set vdom "root"
        set ip 10.100.20.1 255.255.255.255
        set allowaccess ping https ssh snmp http fgfm
        set type tunnel
        set remote-ip 10.100.20.2 255.255.255.252
        set snmp-index 23
        set interface "port9"
    next
end
To check the IP address used for performance SLA:
SpokeB (root) # get router info kernel 17
tab=254 vf=0 scope=0 type=1 proto=17 prio=0 10.100.20.1/255.255.255.255/0->1.1.1.1/32 pref=0.0.0.0 gwy=10.100.20.2 dev=23(ipsec_2)
tab=254 vf=0 scope=0 type=1 proto=17 prio=0 10.100.10.1/255.255.255.255/0->1.1.1.1/32 pref=0.0.0.0 gwy=10.100.10.2 dev=22(ipsec_1)
Alternative 2:
- Set the source IP address used by the health-check. In this case, use 192.168.100.1, the IP address of the FortiGate LAN interface. This IP should be reachable from the partner IPsec node.
SpokeB (members) # show
config members
    edit 1
        set interface "ipsec_1"
        set source 192.168.100.1
    next
    edit 2
        set interface "ipsec_2"
        set source 192.168.100.1
    next
end
The source IP can also be set on the health-check directly (starting with v7.2.0):
config system sdwan
    config health-check
        edit <name>
            set source 192.168.100.1
        next
    end
end
To check the IP address used for performance SLA:
SpokeB (root) # get router info kernel 17
tab=254 vf=0 scope=0 type=1 proto=17 prio=0 192.168.100.1/255.255.255.255/0->1.1.1.1/32 pref=0.0.0.0 gwy=0.0.0.0 dev=22(ipsec_1)
tab=254 vf=0 scope=0 type=1 proto=17 prio=0 192.168.100.1/255.255.255.255/0->1.1.1.1/32 pref=0.0.0.0 gwy=0.0.0.0 dev=23(ipsec_2)
Now, health-check detects the status of the interfaces correctly:
SpokeB (root) # diagnose sys sdwan health-check
Health Check(ipsec_check):
Seq(1 ipsec_1): state(alive), packet-loss(0.000%) latency(2.696), jitter(0.116) sla_map=0x0
Seq(2 ipsec_2): state(alive), packet-loss(0.000%) latency(2.793), jitter(0.393) sla_map=0x0
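The two listings above ('diagnose sys sdwan health-check' and 'get router info kernel 17') together tell whether each member has a usable probe source. The following script is an added example, not part of the article or of FortiOS: it parses both outputs and flags members that are dead or have no route toward the probe server. The sample listings it embeds are constructed in the article's format, with ipsec_2 deliberately left without a probe route.

```python
import re
from typing import Dict, List, Optional

# Constructed sample listings modelled on the article's CLI output; not captured from a real device.
SAMPLE_HEALTH_CHECK = """Health Check(ipsec_check):
Seq(1 ipsec_1): state(alive), packet-loss(0.000%) latency(2.696), jitter(0.116) sla_map=0x0
Seq(2 ipsec_2): state(dead), packet-loss(100.000%) sla_map=0x0
"""
# Only ipsec_1 has a probe route here: ipsec_2 has neither a tunnel IP nor a health-check source.
SAMPLE_KERNEL_ROUTES = """tab=254 vf=0 scope=0 type=1 proto=17 prio=0 192.168.100.1/255.255.255.255/0->1.1.1.1/32 pref=0.0.0.0 gwy=0.0.0.0 dev=22(ipsec_1)
"""

MEMBER_RE = re.compile(
    r"Seq\(\d+ (?P<iface>[^)]+)\): state\((?P<state>\w+)\), packet-loss\((?P<loss>[\d.]+)%\)")
ROUTE_RE = re.compile(
    r"proto=17 prio=\d+ (?P<src>[\d.]+)/[\d.]+/\d+->(?P<dst>[\d.]+)/\d+ .*dev=\d+\((?P<iface>[^)]+)\)")


def parse_health_check(text: str) -> Dict[str, dict]:
    """Map each SD-WAN member to its probe state and packet loss."""
    members = {}
    for m in MEMBER_RE.finditer(text):
        members[m["iface"]] = {"state": m["state"], "loss": float(m["loss"])}
    return members


def parse_probe_routes(text: str, server: str) -> Dict[str, str]:
    """Map each member to the source IP the kernel uses for probes to `server`."""
    return {m["iface"]: m["src"] for m in ROUTE_RE.finditer(text) if m["dst"] == server}


def audit_members(hc_text: str, route_text: str, server: str) -> List[dict]:
    """Combine both listings and flag members whose probe cannot work."""
    routes = parse_probe_routes(route_text, server)
    findings = []
    for iface, info in parse_health_check(hc_text).items():
        src: Optional[str] = routes.get(iface)
        problems = []
        if src is None:
            problems.append("no probe route: set an interface IP or a health-check source")
        if info["state"] != "alive":
            problems.append(f"probe {info['state']} ({info['loss']:.1f}% loss)")
        findings.append({"member": iface, "source": src, "state": info["state"], "problems": problems})
    return findings


if __name__ == "__main__":
    for finding in audit_members(SAMPLE_HEALTH_CHECK, SAMPLE_KERNEL_ROUTES, "1.1.1.1"):
        print(finding)
```

Paste real output from the two commands into the two sample strings to run it against a live device; the probe server argument must match the 'set server' value of the health-check.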
Related articles:
Technical Tip: Configure IPsec VPN with SD-WAN
Technical Tip: Use of 'link-monitor' to detect IPsec ESP (IPsec payload) being blocked
Technical Tip: SD-WAN enhanced health check options