I have installed 5.4GA on a test 60D unit, all is kind of okay. I have turned on Advanced Routing under Features, but I see no place where I can configure ECMP (inc. health monitor)? Does anyone know where this feature has gone?! It used to be under Settings in Static Routing on 5.2, but it is missing on 5.4 even when Advanced Routing is turned off.
Create a zone called OUTSIDE... throw both of your WAN ports in it.
Have default routes for each link (with the backup link having higher AD / Priority)
Configure link monitoring (config system link-monitor) and set a link fail monitor for each interface.
When WAN1 (or whatever your preferred WAN is) fails the check (can't ping google or whatever server you put in there) enough to cross the threshold the link monitor will yank the static route and use the backup link.
I deploy this for all of my multi-circuit clients that want the secondary circuit (usually slower) for failover only.
Mike Pruett
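The three steps above as one constructed FortiOS 5.x CLI configuration (an added example, not Mike's own config or Fortinet documentation): the next-hop addresses 203.0.113.1 and 198.51.100.1 are placeholders, and the lower priority value on the wan1 route makes it preferred while both routes stay in the table.

```fortios
# Constructed example. Gateways (203.0.113.1 / 198.51.100.1) are
# placeholders; replace them with your ISP-assigned next hops.
config system zone
    edit "OUTSIDE"
        set interface "wan1" "wan2"
    next
end
# Two default routes, same distance so both enter the routing table
# (ECMP); the lower priority value (wan1) is preferred for new sessions.
config router static
    edit 1
        set device "wan1"
        set gateway 203.0.113.1
        set priority 0
    next
    edit 2
        set device "wan2"
        set gateway 198.51.100.1
        set priority 10
    next
end
# Ping 8.8.8.8 out of each WAN; after 5 consecutive failures the monitor
# withdraws that interface's static route, after 5 successes it restores it.
config system link-monitor
    edit "wan1-mon"
        set srcintf "wan1"
        set server "8.8.8.8"
        set gateway-ip 203.0.113.1
        set protocol ping
        set interval 5
        set failtime 5
        set recoverytime 5
        set update-static-route enable
        set status enable
    next
    edit "wan2-mon"
        set srcintf "wan2"
        set server "8.8.8.8"
        set gateway-ip 198.51.100.1
        set protocol ping
        set interval 5
        set failtime 5
        set recoverytime 5
        set update-static-route enable
        set status enable
    next
end
```

Firewall policies reference the OUTSIDE zone, so they keep matching whichever WAN route is left; after unplugging wan1, `get router info routing-table all` should show only the wan2 default route.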
According to the advanced static routing examples, the 5.4 FortiOS Handbook still has it listed under Router > Static > Settings. But from the What's New section, it kinda looks like it's under WAN Link Load Balancing.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
I saw that and thought the same, however there is nowhere to assign it to an interface like the old way (to WAN1 or WAN2), so I can't see how it works to remove a route from the routing table if a ping health check fails... It seems like you can set it up by CLI (using the online manual info where you saw the old instructions), but the GUI is gone.
Anyone confirm? It's specifically ECMP, not any type of WAN load balancing.
Sorry, me again. Basically I'm after an active-standby internet link (using WAN1 and WAN2), which ECMP does.
I know what you're asking for and I'm seeing the same "issue" as well. I feel like they simply forgot to include the Routing > Settings section in the new UI. My guess is that it will be added back in at some point, since not everyone wants to use active-active virtual WAN for various reasons.
Yes exactly. I have opened a ticket with Fortinet; in the meantime I have done it using CLI.
rkhair wrote: Yes exactly. I have opened a ticket with Fortinet; in the meantime I have done it using CLI.
I tried in CLI and made sure the same config is available between 5.2.5 and 5.4, still I can't get it to work. It's just not a case of the feature not being present in the GUI of 5.4; it looks like they have not included this feature in release 5.4.
Yeah, they did a final reply with the following; they refused to say it needs to be there anyway and to use WAN load balancing.
"Hi, Thank you for the update. If you want to have wan1 as a primary interface and wan2 as a backup you can create a load balance interface and change the priority of the wan2 interface. For example:
    config system virtual-wan-link
        set status enable
        config members
            edit 1
                set interface "wan1"
                set gateway x.x.x.x
            next
            edit 2
                set interface "wan2"
                set gateway x.x.x.x
                set priority 100
            next
        end
        config health-check
            edit "google"
                set server "8.8.8.8"
            next
        end
        config service
            edit "all"
                set mode priority
                set dst "all"
                set src "all"
                set health-check "google"
                set priority-members 1 2
            next
        end
    end
You would also need to create a route pointing to the wan-load-balance interface and a policy to allow the traffic to the wan-load-balance interface. This should make your wan1 the preferred interface and wan2 the backup and will show under WAN LLB in the GUI. I understand that before the ECMP was configured in a different manner, but as I mentioned previously, the menu has not been implemented in 5.4. Is this configuration viable in your network?
Kind regards,
Thiago Takayama
Fortinet NSE
Fortinet TAC"
Hello, I have the same problem. I am trying to use wan2 only as a failover interface by setting a higher priority on it. I have configured WAN LLB, however the strange thing is that even though the priority on wan2 is higher, still most of the traffic is routed through it. I have tried all the load-balancing algorithms but the result is the same. What could be the issue?
P.S.: Found it: in my WAN LLB Rules, the ping rule that I had set was using latency as its criterion. Since my second line is fiber optic (but with lower bandwidth) it always had lower latency, thus it was considered to be the "best" line to route through. Once I changed the criterion to packet loss, everything works as intended :)
Copyright 2024 Fortinet, Inc. All Rights Reserved.