Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Xavier_BS
New Contributor

Created on ‎11-04-2024 04:17 AM Edited on ‎11-04-2024 04:24 AM

Dual WAN in HA and failover

I have two ISPs, each one has two links feeding a pair of Fortigate 401 firewalls currenty set up in active-active HA.

I've configured the SD-WAN and I believe it's working OK.

 
 

firewall-isp.png

 

 

 

 

 

 

 

 

 

 

 

 

 

Here is what I have in my SD-WAN:

fortigate.png

However, it appears that if I lose one connection from ISP, then the other connection from the same ISP is no longer used as all traffic goes to the other ISP.

So a few questions:

  • Is this normal ?
  • Can I have it set up so that if one port is dropped, the other port is still used?

Thanks.

Labels:
400
0 Kudos
7 REPLIES 7
johnathan
Staff
Staff

Created on ‎11-04-2024 09:16 AM

That should work fine. How do you have SDWAN setup? Ideally you can load balance between the two members as per https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-bond-2-ISP-with-SD-WAN-and-load-bal...

"Never trust a computer you can't throw out a window."
355
0 Kudos
Xavier_BS
New Contributor
In response to johnathan

Created on ‎11-04-2024 09:41 AM

Hi @johnathan , thanks.

I guess my question is more "what marks the interface as down?". Is it the performance SLA? Because on WAN2, one of the links is up, but the other is down. And I suppose because it's marked as down, it's not used at all.

sdwan-zones.png

And here's the rule:

sdwan-rule.png

 

351
0 Kudos
johnathan
Staff
Staff
In response to Xavier_BS

Created on ‎11-04-2024 10:29 AM

Oh! That actually is showing the interface itself as down, i.e. there is no cable plugged in... Maybe check the cable or connection between port2 and the switch? 

"Never trust a computer you can't throw out a window."
343
0 Kudos
Xavier_BS
New Contributor
In response to johnathan

Created on ‎11-11-2024 12:50 AM

Yes, we have an intermittent connection issue on one of the links.

My question is: "can the remaining link not be used at all"?

I don't see the benefit of having dual links from an ISP if the working one is not used when the other goes down.

236
0 Kudos
pminarik
Staff
Staff

Created on ‎11-11-2024 03:41 AM Edited on ‎11-11-2024 03:43 AM

SD-WAN on its own does not "care" if e.g. ISP-A is down on the primary but up on the secondary. The primary will do SD-WAN with whatever is up and available as long as it stays in its primary role.

 

If you want to use ISP-A via the secondary, where it's up and alive, you need HA failover.

 

For HA to failover when a link goes down, you need to tell HA to monitor those interfaces.

For full blackout (phys down; e.g. cable disconnected):

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/556201/whats-new

(config system ha > set monitor <intf> <intf> ...)

 

For "brown-out" (link physically up, but not passing traffic):

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/252877/remote-link-failover

(link-monitor + pingserver settings)

[ corrections always welcome ]
214
0 Kudos
Xavier_BS
New Contributor

Created on ‎11-11-2024 06:28 AM Edited on ‎11-11-2024 06:29 AM

OK, I spotted a misconfiguraiton - none of the WAN links were part of the performance SLA which didn't help.

It is now working and both links are being used on the Fortinet that has them. But they are only being used if the Fortinet that has them is the currently primary unit.

I must have misunderstood something here because despite having them configured in active-active, an interface that is up on the secondary isn't used at all even if it is down on the primary node. So what if both links go down on the primary, will it not switch to the other unit?

198
0 Kudos
pminarik
Staff
Staff
In response to Xavier_BS

Created on ‎11-11-2024 07:10 AM

HA doesn't work this way, even in A-A. SD-WAN has no awareness that the link is functional on the secondary. You'll need to set up HA failover when links are dead, as I noted in my other reply.

[ corrections always welcome ]
192
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.