I have two ISPs, each one has two links feeding a pair of Fortigate 401 firewalls currently set up in active-active HA.
I've configured the SD-WAN and I believe it's working OK.
Here is what I have in my SD-WAN:
However, it appears that if I lose one connection from ISP, then the other connection from the same ISP is no longer used as all traffic goes to the other ISP.
So a few questions:
Thanks.
That should work fine. How do you have SD-WAN set up? Ideally you can load balance between the two members as per https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-bond-2-ISP-with-SD-WAN-and-load-bal...
Hi @johnathan , thanks.
I guess my question is more "what marks the interface as down?". Is it the performance SLA? Because on WAN2, one of the links is up, but the other is down. And I suppose because it's marked as down, it's not used at all.
And here's the rule:
Oh! That actually is showing the interface itself as down, i.e. there is no cable plugged in... Maybe check the cable or connection between port2 and the switch?
Yes, we have an intermittent connection issue on one of the links.
My question is: "can the remaining link not be used at all"?
I don't see the benefit of having dual links from an ISP if the working one is not used when the other goes down.
SD-WAN on its own does not "care" if e.g. ISP-A is down on the primary but up on the secondary. The primary will do SD-WAN with whatever is up and available as long as it stays in its primary role.
If you want to use ISP-A via the secondary, where it's up and alive, you need HA failover.
For HA to failover when a link goes down, you need to tell HA to monitor those interfaces.
For full blackout (phys down; e.g. cable disconnected):
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/556201/whats-new
(config system ha > set monitor <intf> <intf> ...)
For "brown-out" (link physically up, but not passing traffic):
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/252877/remote-link-failover
(link-monitor + pingserver settings)
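Added example, not from this thread or Fortinet's documentation, showing both mechanisms from the reply above in FortiOS 6.0-style CLI: interface monitoring for a physical outage and link-monitor plus pingserver settings for a brown-out. Assumed: port1 is the ISP-A uplink, port2 the ISP-B uplink, the gateway addresses are placeholders from documentation ranges, and the # lines are explanatory comments for the reader.

```fortios
# Assumed topology: port1 = ISP-A uplink, port2 = ISP-B uplink (placeholders).

# 1) Blackout (port physically down): each monitored port that loses link
#    lowers this unit's standing in the cluster, so HA fails over to the peer
#    whose uplinks are still up.
config system ha
    set group-name "edge-ha"
    set mode a-a
    set monitor "port1" "port2"
    # 2) Brown-out hook: fail over when link-monitor entries bound to these
    #    ports report a loss whose summed ha-priority reaches the threshold.
    set pingserver-monitor-interface "port1" "port2"
    set pingserver-failover-threshold 1
    set pingserver-flip-timeout 60
end

# Probe each ISP gateway from its own port. A link that is up but not passing
# traffic is marked failed after <failtime> consecutive missed probes.
# (interval is seconds on 6.0; newer releases take milliseconds.)
config system link-monitor
    edit "isp-a-gw"
        set srcintf "port1"
        set server "203.0.113.1"
        set gateway-ip "203.0.113.1"
        set protocol ping
        set interval 5
        set failtime 5
        set recoverytime 5
        set ha-priority 1
    next
    edit "isp-b-gw"
        set srcintf "port2"
        set server "198.51.100.1"
        set gateway-ip "198.51.100.1"
        set protocol ping
        set interval 5
        set failtime 5
        set recoverytime 5
        set ha-priority 1
    next
end

# Check: "get system ha status" lists link failures per member, and
# "diagnose sys link-monitor status" shows the state of each probe.
```

With the threshold at 1, a single failed probe on a monitored port moves the cluster; for a link with intermittent issues like the one in this thread, a longer failtime or a higher threshold avoids flapping between units.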
OK, I spotted a misconfiguration - none of the WAN links were part of the performance SLA, which didn't help.
It is now working and both links are being used on the Fortinet that has them. But they are only being used if the Fortinet that has them is the current primary unit.
I must have misunderstood something here because despite having them configured in active-active, an interface that is up on the secondary isn't used at all even if it is down on the primary node. So what if both links go down on the primary, will it not switch to the other unit?
HA doesn't work this way, even in A-A. SD-WAN has no awareness that the link is functional on the secondary. You'll need to set up HA failover when links are dead, as I noted in my other reply.