Description | This article describes how to use link-monitor debugging to troubleshoot HTTP-based link-monitor issues. |
Scope | FortiOS, FortiGate. |
Solution |
The following link-monitor configuration will be used for this article:
config health-check
    edit "HTTP_Server1"
        set server "192.168.100.101"
    next
end
The FortiGate will attempt to reach the configured server through HTTP instead of using the standard ICMP echo requests.
When looking at the health check's status, the following is displayed:
Fortigate # diagnose sys sdwan health-check status HTTP_Server1
FortiGate reports a 100% packet loss for the configured members, meaning those links cannot be used to forward traffic from SD-WAN's perspective.
When attempting to ping 192.168.100.101, the ping fails:
Fortigate # execute ping 192.168.100.101
However, this does not necessarily mean the circuit is down, as ICMP may be filtered by the receiving server. Running a sniffer for HTTP traffic shows that the server is actually replying to the HTTP requests:
Fortigate # diagnose sniffer packet any 'host 192.168.100.101 and port 80' 4 0 a
To troubleshoot this further, debugging the link-monitor daemon (lnkmtd) can provide more detail. The following commands can be used for that:
diagnose debug application link-monitor -1
To stop the debug, use the commands below:
diagnose debug disable
diagnose debug reset
The debug shows the following:
Fortigate # lnkmtd::http_send_request(551): ---> HTTP monitor HTTP_Server1-3-VIRTUAL_WAN_LINK-3 checking 192.168.100.101:80 ...
The server's response fails to satisfy the configured parameters. Since the HTTP-Match method is being used in this scenario, this could mean that the expected string 'fortinet' is not included in the server's response.
To verify this, the server's response should be checked. There are several ways to do this, including packet captures or running curl to the server from a host. The following is an example pertinent to this scenario:
root@server:~# curl 192.168.100.101
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Apache2 Debian Default Page: It works</title>
</head>
<body>
<div class="main_page">
<div class="page_header floating_element">
<img src="/icons/openlogo-75.png" alt="Debian Logo" class="floating_element"/>
<span class="floating_element">
Welcome to the SD-WAN World!
</span>
</div>
</div>
</body>
</html>
The 'fortinet' string is nowhere to be found. To fix this from the FortiGate, adjust the configuration so that the FortiGate expects a string that is included in the server response:
Fortigate # config system sdwan
Fortigate (sdwan) # config health-check
Fortigate (health-check) # edit HTTP_Server1
Fortigate (HTTP_Server1) # set http-match 'SD-WAN'
Fortigate (HTTP_Server1) # end
Fortigate (sdwan) # end
After this change, SD-WAN members are up, and traffic is being forwarded to them normally:
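The curl verification step above can be scripted from a host so that "no HTTP reply" is reported separately from "reply without the expected string". This is an added example, not Fortinet code: the function names and result labels are hypothetical, the sample body is constructed from the curl output in this article, and the case-sensitive substring match on the body is an assumption about how the string is compared.

```python
import urllib.error
import urllib.request

# Constructed sample: abbreviated from the curl output shown in this article.
SAMPLE_BODY = """<html><head>
<title>Apache2 Debian Default Page: It works</title>
</head><body>
<span class="floating_element">Welcome to the SD-WAN World!</span>
</body></html>"""


def fetch(url, timeout=3.0):
    """Return (status, body); raise OSError if no HTTP reply arrives at all."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # A 4xx/5xx is still a reply from the server, so keep its body.
        return err.code, err.read().decode("utf-8", "replace")


def classify(url, expected, fetcher=fetch):
    """Tell a dead path apart from a live server that lacks the match string."""
    try:
        status, body = fetcher(url)
    except OSError as err:  # URLError, timeouts and refused connections
        return "NO_HTTP_REPLY", str(err)
    # Assumption: the match is a case-sensitive substring test on the body.
    if expected in body:
        return "MATCH", f"HTTP {status}: '{expected}' found"
    if expected.lower() in body.lower():
        return "CASE_MISMATCH", f"HTTP {status}: '{expected}' only in another case"
    return "NO_MATCH", f"HTTP {status}: '{expected}' absent ({len(body)} characters)"


if __name__ == "__main__":
    # Offline run against the constructed sample; drop the fetcher argument
    # to probe a live server such as http://192.168.100.101/ instead.
    for needle in ("fortinet", "SD-WAN"):
        print(needle, classify("http://192.168.100.101/", needle,
                               lambda url: (200, SAMPLE_BODY)))
```

A NO_MATCH result with an HTTP status means the path and server are working and only the expected string needs to be corrected, which is the situation described in this article.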