Description
This article describes a scenario where a Spoke has primary and backup IPsec tunnels to the Hub. Normally IPsec DPD detects loss of path connectivity and triggers failover to the backup IPsec tunnel.
However, DPD uses ISAKMP packets, which travel on UDP port 500.
If only ESP (IP protocol 50) is blocked somewhere along the path, DPD still succeeds and the failure is not detected.
In such a case, 'link-monitor' can be configured to regularly ping a client IP behind the remote tunnel and so detect a data-path (ESP, IP protocol 50) connectivity issue.
Solution
Spoke FGT B.
Configure a loopback interface to be used as the source IP for the ping in 'link-monitor'. The source IP can be any IP on the FortiGate; the loopback below is just an example.
A loopback IP has the benefit that it will not go down like a physical port.
config system interface
edit "Test_Loopback1"
set vdom "root"
set ip 9.9.9.1 255.255.255.255
set allowaccess ping
set type loopback
next
end
Configure IPsec Phase 2 of the primary tunnel to advertise the source IP 9.9.9.1 to the Hub in its Phase 2 SA, so that the ping sourced from 9.9.9.1 is carried inside the tunnel.
config vpn ipsec phase2-interface
edit "To_hub_Loopback"
set phase1name "To_hub1"
set proposal des-sha1
set auto-negotiate enable
set src-subnet 9.9.9.1 255.255.255.255 <----- Loopback IP used as the ping source.
next
end
Configure 'link-monitor' to ping a remote client-side IP behind the IPsec tunnel, using the loopback IP above as the source.
config system link-monitor
edit "test-IPsec-path"
set srcintf "To_hub1" <----- Phase1 name of the tunnel to be monitored.
set server "20.20.20.102" <----- Some-ip-on-the-other-side-of-the-tunnel.
set source-ip 9.9.9.1 <----- Some-local-ip-as source.
next
end
On the backup tunnel ('To_hub2' in the example below), 'monitor' names the primary tunnel it backs up, and 'monitor-hold-down-type' should be set to 'delay' so that the FortiGate does not switch back to the primary immediately when it comes up. 'monitor-hold-down-delay' (20 seconds in the example below) makes it wait until 'link-monitor' has verified the path is good before switching back to the primary.
config vpn ipsec phase1-interface
edit "To_hub1"
set interface "wan1"
set mode aggressive
set peertype any
set net-device enable
set proposal des-sha1
set localid "spoketest1"
set dpd on-idle
set dhgrp 2
set remote-gw 10.21.21.21
set psksecret ENC xxxxx
next
edit "To_hub2"
set interface "wan2"
set mode aggressive
set peertype any
set monitor-hold-down-type delay <----- Do not fail back immediately.
set monitor-hold-down-delay 20 <----- Seconds to wait before failing back to the primary.
set net-device enable
set proposal des-sha1
set localid "spoketest1"
set dpd on-idle
set dhgrp 2
set remote-gw 10.21.21.21
set monitor "To_hub1" <----- Primary tunnel that this backup tunnel monitors.
set psksecret ENC xxxx
next
end
When 'link-monitor' detects that the path is down, the event is recorded in the log.
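As an added example (not from this article or from FortiOS itself), a small Python checker that parses CLI output of the shape shown above and verifies the wiring the procedure depends on: the link-monitor's source-ip falls inside a phase2 src-subnet of the tunnel it monitors, the backup tunnel's 'monitor' names another existing phase1, and a positive hold-down delay is configured. The sample configuration is constructed from the article's values, and the FortiOS default hold-down type is assumed to be 'immediate'.

```python
import ipaddress
import shlex

# Constructed sample mirroring the article's CLI: phase2 selector, link-monitor and the phase1 pair.
SAMPLE_CONFIG = "\n".join([
    "config vpn ipsec phase2-interface", 'edit "To_hub_Loopback"', 'set phase1name "To_hub1"',
    "set src-subnet 9.9.9.1 255.255.255.255", "next", "end",
    "config system link-monitor", 'edit "test-IPsec-path"', 'set srcintf "To_hub1"',
    'set server "20.20.20.102"', "set source-ip 9.9.9.1", "next", "end",
    "config vpn ipsec phase1-interface", 'edit "To_hub1"', "next",
    'edit "To_hub2"', "set monitor-hold-down-type delay", "set monitor-hold-down-delay 20",
    'set monitor "To_hub1"', "next", "end",
])

def parse_fortios(text):
    """Parse config/edit/set blocks into {table: {entry: {key: [values]}}} (next/end carry no state)."""
    tables, table, entry = {}, None, None
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            table = tables.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit":
            entry = table.setdefault(tok[1], {})
        elif tok[0] == "set":
            entry[tok[1]] = tok[2:]
    return tables

def check_failover_config(text):
    """Return the list of wiring problems; an empty list means link-monitor and failover are consistent."""
    cfg = parse_fortios(text)
    p1, p2 = cfg.get("vpn ipsec phase1-interface", {}), cfg.get("vpn ipsec phase2-interface", {})
    problems = []
    for name, lm in cfg.get("system link-monitor", {}).items():
        tun, src = lm.get("srcintf", [""])[0], ipaddress.ip_address(lm.get("source-ip", ["0.0.0.0"])[0])
        # The probe source must sit inside a phase2 selector of the monitored tunnel,
        # otherwise the ping never enters the ESP path being tested.
        if not any(sel.get("phase1name", [""])[0] == tun and "src-subnet" in sel and
                   src in ipaddress.ip_network("/".join(sel["src-subnet"]), strict=False)
                   for sel in p2.values()):
            problems.append(f"{name}: source-ip {src} is outside every phase2 src-subnet of {tun!r}")
    for name, ph in p1.items():
        if "monitor" in ph:  # only backup tunnels carry 'monitor'
            target = ph["monitor"][0]
            if target == name or target not in p1:
                problems.append(f"{name}: 'monitor' must name another existing phase1, got {target!r}")
            # Assumes the FortiOS default hold-down type is 'immediate'; the article wants a delay.
            if (ph.get("monitor-hold-down-type", ["immediate"])[0] != "delay"
                    or int(ph.get("monitor-hold-down-delay", ["0"])[0]) <= 0):
                problems.append(f"{name}: backup needs monitor-hold-down-type delay and a positive delay")
    return problems
```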
Related documents:
Technical Tip: Link monitor
FortiGate IPsec Phase-1 Interface Configuration via CLI
FortiGate System Link Monitor Configuration via CLI
Copyright 2025 Fortinet, Inc. All Rights Reserved.