Support Forum
mda
New Contributor

Fortigate Redundant IPSEC Slow Failover Time

Hello All,

I am currently trying to configure redundant IPSEC tunnels between 2 Fortigate units (a 60E and a 50E), with each site having 2 ISPs.

While I have successfully configured the redundant tunnels, the times between failovers are very long.

If I'm running a ping from one end to the other and I disable the primary interface on one Fortigate unit, it will take about 90 seconds (15-16 timed-out requests) before the Fortigates decide to use the secondary/tertiary routes. Reverting to the primary tunnel when the primary interfaces are up, however, is very fast -- only about 5 seconds or 1 timed-out request.

Is there anything I can configure via the command line or something to speed up the failover process?

I have followed the following guides without success:

http://docs.fortinet.com/uploaded/files/1693/using-redundant-OSPF-routing-over-IPsec-VPN.pdf

http://kb.fortinet.com/kb...f&documentID=10684

Thank you very much!

Edit: I have tried this with 5.4.3 and 5.4.4 with similar results.

Fortigate 60E (5.4.4)
Fortigate 50E (5.4.4)
neonbit
Valued Contributor

Hi mda, I've seen this happen due to the default DPD timers in 5.4 being so high. The default timers when you create an interface-based VPN are as follows:

dpd-retrycount : 3
dpd-retryinterval : 20

So the FGT will send a DPD packet every 20 seconds, and if three fail it will failover (so 60 seconds in total).

I'd recommend changing these timers to something more suitable for your environment. The CLI commands below will cause it to fail over after 9 seconds:

config vpn ipsec phase1-interface
    edit <vpn name>
        # 3 retries x 3-second interval = 9 seconds worst-case detection
        set dpd-retrycount 3
        set dpd-retryinterval 3
    next
end

mda
New Contributor

Hi neonbit,

Thanks for this info. Will try tomorrow.

In my limited experience & understanding, this seems to be the answer I am looking for.

Will update this thread again. Many thanks for your help! :)

Fortigate 60E (5.4.4)
Fortigate 50E (5.4.4)
MikePruett
Valued Contributor

Be careful not to set it TOO short though.

Mike Pruett Fortinet GURU | Fortinet Training Videos
mda
New Contributor

Thanks. Would you have any recommended values for these two variables?

If it would help in your recommendation, the internet can be a little spotty in my country, which is why I am doing this to begin with.

Fortigate 60E (5.4.4)
Fortigate 50E (5.4.4)
mda
New Contributor

Thank you, Mike and neonbit.

This indeed has changed the failover time.

Will experiment to see which variables will suit us the most.

Thanks again!

Fortigate 60E (5.4.4)
Fortigate 50E (5.4.4)
MikePruett
Valued Contributor

Good deal MDA. Yeah, too short and you end up having interfaces flap at the first sign of brief intermittent connectivity.

Mike Pruett Fortinet GURU | Fortinet Training Videos
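The two points made in this thread (neonbit's: worst-case detection time is dpd-retrycount multiplied by dpd-retryinterval, 60 s at the 5.4 defaults; Mike's: an interval that is too short makes tunnels flap on brief blips) can be turned into a small audit of the FortiGate's own configuration. The script below is an added example, not code from the thread or from Fortinet. It parses the text of `show vpn ipsec phase1-interface` output, fills in the thread's stated defaults (3 retries, 20 s) for tunnels that do not override them, and flags tunnels whose worst-case detection exceeds a target or whose probe interval is below a floor. The sample output, the `dpd on-demand` default mode, and the thresholds (15 s maximum, 3 s minimum interval) are assumptions chosen for illustration; pick thresholds that match your own links.

```python
"""Audit DPD timers from FortiOS 'show vpn ipsec phase1-interface' output.

Added example; the sample config below is constructed, not captured from the
units in the thread.
"""
import re
from dataclasses import dataclass

# Constructed sample of FortiOS CLI output (three tunnels, three different DPD setups).
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "to-siteB-primary"
        set interface "wan1"
        set dpd on-demand
        set dpd-retrycount 3
        set dpd-retryinterval 20
    next
    edit "to-siteB-secondary"
        set interface "wan2"
        set dpd on-idle
        set dpd-retrycount 3
        set dpd-retryinterval 3
    next
    edit "to-siteB-tertiary"
        set interface "wan2"
        set dpd disable
    next
end
"""

# Defaults when a phase1-interface is created, as stated in the thread for 5.4.
DEFAULT_RETRYCOUNT = 3
DEFAULT_RETRYINTERVAL = 20
# Assumed default DPD mode for an unconfigured tunnel (assumption, not from the thread).
DEFAULT_MODE = "on-demand"


@dataclass
class DpdSetting:
    name: str
    mode: str            # 'on-demand', 'on-idle' or 'disable'
    retrycount: int
    retryinterval: int

    @property
    def detection_seconds(self) -> int:
        # Worst case: every probe in the retry series is lost before failover.
        return self.retrycount * self.retryinterval


def parse_phase1(text: str) -> list:
    """Extract per-tunnel DPD settings, applying defaults for unset values."""
    tunnels = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            current = DpdSetting(m.group(1), DEFAULT_MODE,
                                 DEFAULT_RETRYCOUNT, DEFAULT_RETRYINTERVAL)
            continue
        if current is None:
            continue
        if line.startswith("set dpd "):
            current.mode = line.split()[2]
        elif line.startswith("set dpd-retrycount "):
            current.retrycount = int(line.split()[2])
        elif line.startswith("set dpd-retryinterval "):
            current.retryinterval = int(line.split()[2])
        elif line in ("next", "end"):
            tunnels.append(current)
            current = None
    return tunnels


def audit(tunnels: list, max_detect: int = 15, min_interval: int = 3) -> dict:
    """Map tunnel name -> finding. Thresholds are illustrative assumptions."""
    findings = {}
    for t in tunnels:
        if t.mode == "disable":
            findings[t.name] = "dpd disabled: failover relies on other mechanisms"
        elif t.detection_seconds > max_detect:
            findings[t.name] = f"slow: {t.detection_seconds}s worst-case detection"
        elif t.retryinterval < min_interval:
            findings[t.name] = f"flap risk: {t.retryinterval}s probe interval"
        else:
            findings[t.name] = "ok"
    return findings


if __name__ == "__main__":
    for name, verdict in audit(parse_phase1(SAMPLE_CONFIG)).items():
        print(f"{name}: {verdict}")
```

On a real unit, pipe the output of `show vpn ipsec phase1-interface` into `parse_phase1`; the primary tunnel in the constructed sample reproduces the 60 s default the thread describes, the secondary reproduces neonbit's 9 s setting, and the tertiary shows why a tunnel with DPD disabled needs to be called out separately rather than scored.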