Description | This article describes why an interface that is administratively 'up' in the configuration could be shown as administratively 'down' if SD-WAN is used. |
Scope | FortiGate |
Solution |
In this example, port1 will be used to show the issue.
The status of an interface can be checked with the following command (part of the output is omitted for better readability):
FortiGate # get hardware nic port1
Name: port1
Driver: virtio_net
Version: 1.0.0
Bus: 0000:00:06.0
HWaddr: 00:65:72:62:56:01
Permanent Hwaddr:00:65:72:62:56:01
State: down
Link: down
Mtu: 1500
[...]
However, the interface is enabled, which can be checked either in the GUI under 'Network -> Interfaces' or in the CLI with the following command:
FortiGate # show full system interface port1 | grep status
set status up
As shown in the previous output, port1 is configured as administratively up, but it is shown as administratively down.
The following command can be used to check in which part of the configuration port1 is used (part of the output is omitted):
FortiGate # show | grep port1 -f
config system interface
edit "port1" <-----
set vdom "root"
set ip 10.116.18.46 255.255.192.0
set allowaccess ping https ssh http telnet fgfm
set type physical
set snmp-index 1
next
end
[...]
config system sdwan
set status enable
set fail-detect enable
set fail-alert-interfaces "port1" <-----
config zone
edit "virtual-wan-link"
next
end
end
[...]
In the output above, note once more that the interface is configured as administratively up (there is no 'set status disable' in the interface configuration, so the default option 'enable' is used).
Furthermore, it can be noticed that port1 is configured as a fail alert interface in SD-WAN, and that fail-detect is enabled.
With this configuration (fail-detect/fail-alert-interface on port1), if all SD-WAN members fail to meet the SLA, port1 will be administratively shut down.
Note: port1 is not an SD-WAN interface - it is only an internal interface. Check SD-WAN members with the following command:
FortiGate # config system sdwan
FortiGate (sdwan) # show members
config members
edit 1
set interface "port9"
set gateway 10.5.147.165
next
edit 2
set interface "port8"
set gateway 10.5.211.165
next
end
The SD-WAN SLA can be checked in the GUI under 'Network -> SD-WAN -> Performance SLAs' or on the CLI with the following command:
FortiGate # diagnose sys sdwan health-check
Health Check(PING_8.8.8.8):
Seq(2 port8): state(dead), packet-loss(100.000%) sla_map=0x0
Seq(1 port9): state(dead), packet-loss(100.000%) sla_map=0x0
As shown in the output, the Performance SLA is failing and all members are considered dead because of the 100% packet loss.
This is the reason port1 was shut down.
In this case, if no configuration change occurred, the issue most likely lies with the ISP or the upstream network.
Once the issue is resolved and at least one of the SD-WAN members has recovered, port1 is automatically enabled again, as shown below (part of the output omitted):
FortiGate # diagnose sys sdwan health-check
Health Check(PING_8.8.8.8):
Seq(2 port8): state(alive), packet-loss(0.000%) latency(3.296), jitter(0.192), mos(4.403), bandwidth-up(9999978), bandwidth-dw(9999832), bandwidth-bi(19999810) sla_map=0x0
Seq(1 port9): state(dead), packet-loss(100.000%) sla_map=0x0
FortiGate # get hardware nic port1
Name: port1
Driver: virtio_net
Version: 1.0.0
Bus: 0000:00:06.0
HWaddr: 00:65:72:62:56:01
Permanent Hwaddr:00:65:72:62:56:01
State: up
Link: up
Mtu: 1500
[...]
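The triage logic described above, as an added example that is not part of this article or of FortiOS: it parses the 'config system sdwan' and 'diagnose sys sdwan health-check' output formats shown above (the samples embedded here are constructed, not captured from a device) and reports whether an administratively down interface is explained by the fail-detect/fail-alert behaviour.

```python
import re

# Constructed samples modelled on the article's output (not captured from a real FortiGate).
SDWAN_CONFIG = """config system sdwan
    set status enable
    set fail-detect enable
    set fail-alert-interfaces "port1"
end
"""

HEALTH_CHECK_ALL_DEAD = """Health Check(PING_8.8.8.8):
Seq(2 port8): state(dead), packet-loss(100.000%) sla_map=0x0
Seq(1 port9): state(dead), packet-loss(100.000%) sla_map=0x0
"""

HEALTH_CHECK_RECOVERED = """Health Check(PING_8.8.8.8):
Seq(2 port8): state(alive), packet-loss(0.000%) latency(3.296) sla_map=0x0
Seq(1 port9): state(dead), packet-loss(100.000%) sla_map=0x0
"""

# One line per SD-WAN member: Seq(<seq> <interface>): state(<alive|dead>), ...
MEMBER_RE = re.compile(r"Seq\((\d+) (\S+)\): state\((\w+)\)")


def parse_fail_alert(config):
    """Return (fail_detect_enabled, [fail-alert interfaces]) from 'config system sdwan' output."""
    fail_detect = re.search(r"set fail-detect enable", config) is not None
    m = re.search(r'set fail-alert-interfaces ((?:"[^"]+"\s*)+)', config)
    ifaces = re.findall(r'"([^"]+)"', m.group(1)) if m else []
    return fail_detect, ifaces


def parse_member_states(health):
    """Map each SD-WAN member interface to its health-check state ('alive' or 'dead')."""
    return {iface: state for _seq, iface, state in MEMBER_RE.findall(health)}


def explain_admin_down(iface, config, health):
    """Say whether an admin-down interface is the expected result of SD-WAN fail-alert."""
    fail_detect, alert_ifaces = parse_fail_alert(config)
    states = parse_member_states(health)
    if not states:
        return "no health-check data"
    if not (fail_detect and iface in alert_ifaces):
        return f"{iface} not a fail-alert interface; look elsewhere"
    if all(s == "dead" for s in states.values()):
        return f"{iface} shut down by SD-WAN fail-alert: all members dead ({', '.join(sorted(states))})"
    alive = sorted(i for i, s in states.items() if s == "alive")
    return f"{iface} should be up: alive members {', '.join(alive)}"
```

Feed it the real output of 'show | grep port1 -f' and 'diagnose sys sdwan health-check' from the device being investigated; the all-dead result is the case this article describes.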
Copyright 2025 Fortinet, Inc. All Rights Reserved.