FortiGate 61E or F needs to be rebooted to restore its connection to WAN1
We are having to periodically reboot our FortiGates to restore their connection to WAN1 after they have failed over to WAN2. The service to the ISP modem that is connected to WAN1 appears to drop momentarily and restores on its own, or restores after the ISP modem is rebooted, but the FortiGate will not reconnect to WAN1 unless the FortiGate is rebooted.
FortiOS Firmware v6.4.5
WAN1 and WAN2 are configured for DHCP
The following is the SLA and WAN-Failover we currently use in our configuration:
    config health-check
        edit "Internet SLA"
            set server "184.108.40.206" "220.127.116.11"
            set interval 1000
            set failtime 60
            set recoverytime 180
            set members 0
            config sla
                edit 1
                    set latency-threshold 500
                    set jitter-threshold 500
                    set packetloss-threshold 10
                next
            end
        next
    end
    config service
        edit 1
            set name "WAN-Failover"
            set mode sla
            set dst "all"
            set src "Local Store"
            config sla
                edit "Internet SLA"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
As per the configuration of the SD-WAN rule, the member that meets the SLA targets is selected. When there is a tie, the member with the lowest assigned cost is selected.
So, in the member configuration, have you defined the cost? Also, how are you doing the test?
Because by default, when there is a routing change, established sessions with SNAT keep using the same outbound interface as long as the old route is still active or until they expire (even though the route is no longer the best).
If you check "what is my IP" in a private window of the browser when WAN1 is back up, which IP does it show? Can you confirm this?
You can enable SNAT route change; it will help with fast failover, because when 'snat-route-change' is enabled, after a routing change, routing information is flushed from existing SNAT sessions. So the existing SNAT sessions can use the new best route.
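The two changes the answer above suggests, written out as FortiOS 6.4 CLI, plus the checks to run after WAN1 recovers. This is an added example, not configuration from the original post or from Fortinet; it assumes SD-WAN members 1 and 2 are the interfaces wan1 and wan2 (the IDs used in the poster's "set priority-members 1 2"), and the cost values are illustrative.

```fortios
# Added example (not from the original thread). Assumes FortiOS 6.4 syntax and
# that SD-WAN members 1 and 2 are wan1 and wan2; adjust names and IDs to match
# the real configuration.

# 1. Give the members explicit costs so the SLA "tie" has a deterministic
#    winner: wan1 (cost 0) beats wan2 (cost 10) whenever both meet the SLA.
#    With no cost set, both members sit at the default cost of 0.
config system sdwan
    config members
        edit 1
            set interface "wan1"
            set cost 0
        next
        edit 2
            set interface "wan2"
            set cost 10
        next
    end
end

# 2. Flush routing information from existing SNAT sessions when the best route
#    changes, so established sessions move back to wan1 once it is in SLA
#    again instead of staying pinned to wan2 until they expire.
config system global
    set snat-route-change enable
end

# 3. Checks to run once the WAN1 modem is back, before resorting to a reboot:
diagnose sys sdwan health-check     # is wan1 back within the latency/jitter/loss thresholds?
diagnose sys sdwan member           # member state and the cost just configured
diagnose sys sdwan service          # which member the "WAN-Failover" rule currently selects
get router info routing-table all   # does a default route via wan1 (DHCP) exist at all?
```

If the health check shows wan1 passing its SLA and the service still prefers wan2, the cost and snat-route-change settings are where to look; if the routing table has no default route via wan1, the problem is upstream of SD-WAN (the DHCP lease on wan1 was never restored), and no SD-WAN tuning will bring the link back. On 6.4 these diagnostics live under diagnose sys sdwan; older releases used diagnose sys virtual-wan-link.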