Support Forum
Xavier_BS
New Contributor

Dual WAN in HA and failover

I have two ISPs, each one has two links feeding a pair of Fortigate 401 firewalls currently set up in active-active HA.

I've configured the SD-WAN and I believe it's working OK.

firewall-isp.png

Here is what I have in my SD-WAN:

fortigate.png

However, it appears that if I lose one connection from ISP, then the other connection from the same ISP is no longer used as all traffic goes to the other ISP.

So a few questions:

  • Is this normal?
  • Can I have it set up so that if one port is dropped, the other port is still used?

Thanks.

7 REPLIES
johnathan
Staff

That should work fine. How do you have SDWAN setup? Ideally you can load balance between the two members as per https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-bond-2-ISP-with-SD-WAN-and-load-bal...

"Never trust a computer you can't throw out a window."
Xavier_BS

Hi @johnathan , thanks.

I guess my question is more "what marks the interface as down?". Is it the performance SLA? Because on WAN2, one of the links is up, but the other is down. And I suppose because it's marked as down, it's not used at all.

sdwan-zones.png

And here's the rule:

sdwan-rule.png


johnathan

Oh! That actually is showing the interface itself as down, i.e. there is no cable plugged in... Maybe check the cable or connection between port2 and the switch? 

"Never trust a computer you can't throw out a window."
Xavier_BS

Yes, we have an intermittent connection issue on one of the links.

My question is: "can the remaining link not be used at all"?

I don't see the benefit of having dual links from an ISP if the working one is not used when the other goes down.

pminarik
Staff

SD-WAN on its own does not "care" if e.g. ISP-A is down on the primary but up on the secondary. The primary will do SD-WAN with whatever is up and available as long as it stays in its primary role.
If you want to use ISP-A via the secondary, where it's up and alive, you need HA failover.
For HA to failover when a link goes down, you need to tell HA to monitor those interfaces.

For full blackout (phys down; e.g. cable disconnected):

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/556201/whats-new

(config system ha > set monitor <intf> <intf> ...)
For "brown-out" (link physically up, but not passing traffic):

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/252877/remote-link-failover

(link-monitor + pingserver settings)

[ corrections always welcome ]
Xavier_BS
New Contributor

OK, I spotted a misconfiguration - none of the WAN links were part of the performance SLA which didn't help.

It is now working and both links are being used on the Fortinet that has them. But they are only being used if the Fortinet that has them is the currently primary unit.

I must have misunderstood something here because despite having them configured in active-active, an interface that is up on the secondary isn't used at all even if it is down on the primary node. So what if both links go down on the primary, will it not switch to the other unit?

pminarik

HA doesn't work this way, even in A-A. SD-WAN has no awareness that the link is functional on the secondary. You'll need to set up HA failover when links are dead, as I noted in my other reply.

[ corrections always welcome ]
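The two mechanisms discussed in this thread, written out as FortiOS CLI in an added example that is not part of any post above and not Fortinet's published configuration: the SD-WAN health check (performance SLA) that must include every WAN member for SD-WAN to mark a member dead or alive (the misconfiguration Xavier_BS found), and the HA interface monitoring plus remote link (pingserver) monitoring that pminarik points to, which are what actually move the primary role to the other unit when a link fails. Interface names port1-port4 (two per ISP), heartbeat interfaces ha1/ha2, gateway addresses, probe targets, timers and HA group settings are assumptions for illustration; the `config system sdwan` syntax is the FortiOS 6.4+ form (older releases use `config system virtual-wan-link`).

```fortios
# Added example, not from the thread. port1/port2 = ISP-A, port3/port4 = ISP-B.
# Addresses, timers and names are placeholders.

# 1. SD-WAN: every WAN member must belong to a health check, otherwise
#    SD-WAN has no probe result to mark that member down or up.
config system sdwan
    set status enable
    config zone
        edit "zone-isp-a"
        next
        edit "zone-isp-b"
        next
    end
    config members
        edit 1
            set interface "port1"
            set zone "zone-isp-a"
            set gateway 203.0.113.1
        next
        edit 2
            set interface "port2"
            set zone "zone-isp-a"
            set gateway 203.0.113.5
        next
        edit 3
            set interface "port3"
            set zone "zone-isp-b"
            set gateway 198.51.100.1
        next
        edit 4
            set interface "port4"
            set zone "zone-isp-b"
            set gateway 198.51.100.5
        next
    end
    config health-check
        edit "internet-probe"
            set server "1.1.1.1"
            set protocol ping
            # interval is in milliseconds; failtime/recoverytime count
            # consecutive failed/successful probes
            set interval 500
            set failtime 5
            set recoverytime 5
            # all four WAN members, not just one per ISP
            set members 1 2 3 4
        next
    end
end

# 2. HA: a unit whose monitored port loses link (cable out) gives up the
#    primary role to a unit where that port is up. Enable monitoring only
#    after the cluster has formed and all cables are connected.
config system ha
    set group-name "FGT-HA"
    set mode a-a
    set hbdev "ha1" 50 "ha2" 50
    set monitor "port1" "port2" "port3" "port4"
    # remote link failover: ports whose link-monitor results count
    set pingserver-monitor-interface "port1" "port2" "port3" "port4"
    # fail over when the summed ha-priority of failed link-monitors
    # reaches this value; 1 means any single dead link triggers it
    set pingserver-failover-threshold 1
    # minutes before the unit may take the primary role back
    set pingserver-flip-timeout 60
end

# 3. Link monitors for the "brown-out" case (link up, traffic not passing).
#    Each one that fails adds its ha-priority to the pingserver score above.
#    Define one per WAN port; port1 and port2 shown, port3/port4 follow
#    the same pattern with the ISP-B gateways.
config system link-monitor
    edit "lm-port1"
        set srcintf "port1"
        set server "1.1.1.1"
        set protocol ping
        set gateway-ip 203.0.113.1
        set interval 500
        set failtime 5
        set recoverytime 5
        set ha-priority 1
        set update-static-route enable
        set status enable
    next
    edit "lm-port2"
        set srcintf "port2"
        set server "1.1.1.1"
        set protocol ping
        set gateway-ip 203.0.113.5
        set interval 500
        set failtime 5
        set recoverytime 5
        set ha-priority 1
        set update-static-route enable
        set status enable
    next
end
```

Two things to weigh before applying this on a live cluster: with `set monitor` covering all four WAN ports, any single unplugged cable on the primary causes a full HA failover rather than just an SD-WAN member going dead, which is exactly the behaviour asked for in this thread but may be more disruptive than wanted elsewhere; and because the secondary's WAN links are idle until it becomes primary, verify its cabling with `get system ha status` and `diagnose sys link-monitor status` before trusting it to take over.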