rkhair
New Contributor

FortiOS 5.4 and ECMP settings?

I have installed 5.4 GA on a test 60D unit. All is kind of okay; I have turned on Advanced Routing under Features.. I see no place, though, where I can configure ECMP (inc. health monitor)? Does anyone know where this feature has gone?! It used to be under Settings in Static Routing on 5.2... but is missing on 5.4 even when Advanced Routing is turned off..

1 Solution
MikePruett
Valued Contributor

Create a zone called OUTSIDE... throw both of your WAN ports in it.

Have default routes for each link (with the backup link having higher AD / Priority).

Configure link monitoring (config system link-monitor) and set a link fail monitor for each interface.

When WAN1 (or whatever your preferred WAN is) fails the check (can't ping Google or whatever server you put in there) enough to cross the threshold, the link monitor will yank the static route and use the backup link.

I deploy this for all of my multi-circuit clients that want the secondary circuit (usually slower) for failover only.


Mike Pruett Fortinet GURU | Fortinet Training Videos
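Mike's recipe above written out as a FortiOS CLI configuration. This is an added example, not code from the original post or from Fortinet; the zone, route and monitor names, the gateway addresses (RFC 5737 documentation ranges) and the timer values are placeholders, and the link-monitor keywords are assumed to match the 5.4 CLI reference.

```fortios
# Both WAN ports in one zone so a single OUTSIDE policy covers either path
config system zone
    edit "OUTSIDE"
        set interface "wan1" "wan2"
    next
end

# Two default routes: wan2 gets a worse (higher) distance so it only
# enters the routing table once the wan1 route has been withdrawn
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1
        set device "wan2"
        set distance 20
    next
end

# One ping monitor per link (placeholder names/timers): failtime consecutive
# misses pull the static route out of the table, recoverytime replies put it back
config system link-monitor
    edit "wan1-monitor"
        set srcintf "wan1"
        set server "8.8.8.8"
        set gateway-ip 203.0.113.1
        set protocol ping
        set interval 5
        set failtime 3
        set recoverytime 5
        set update-static-route enable
    next
    edit "wan2-monitor"
        set srcintf "wan2"
        set server "8.8.8.8"
        set gateway-ip 198.51.100.1
        set protocol ping
        set interval 5
        set failtime 3
        set recoverytime 5
        set update-static-route enable
    next
end
```

Confirm the behaviour with `get router info routing-table all`: only the wan1 default route should be active while its monitor passes, and the wan2 route should take over once the wan1 monitor reports failure.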
Dave_Hall
Honored Contributor

According to the advanced static routing examples, the 5.4 FortiOS Handbook still has it listed under Router > Static > Settings. But from the What's New section, it kinda looks like it's under WAN Link Load Balancing.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
rkhair

I saw that and thought the same; however, there is nowhere to assign it to an interface like the old way (to WAN1 or WAN2), so I can't see how it works to remove a route from the routing table if a ping health check fails... It seems like you can set it up by CLI (using online manual info where you saw the old instructions), but the GUI is gone..

Anyone confirm? It's specifically ECMP.. not any type of WAN load balancing..

rkhair

Sorry, me again.. basically I'm after an active-standby internet link (using WAN1 and WAN2), which ECMP does..

dk10
New Contributor

I know what you're asking for and I'm seeing the same "issue" as well. I feel like they simply forgot to include the Routing > Settings section in the new UI. My guess is that it will be added back in at some point, since not everyone wants to use active-active virtual WAN for various reasons.

rkhair
New Contributor

Yes, exactly. I have opened a ticket with Fortinet.. in the meantime I have done it using CLI.

Pranav
New Contributor

rkhair wrote:

Yes, exactly. I have opened a ticket with Fortinet.. in the meantime I have done it using CLI.

I tried in CLI and made sure the same config is available between 5.2.5 and 5.4; still I can't get it to work. It's just not a case of the feature not being present in the GUI of 5.4; it looks like they have not included this feature in release 5.4.

rkhair
New Contributor

Yeah, they did a final reply with the following; they refused to say it needs to be there anyway, and to use WAN load balancing..

"Hi,

Thank you for the update.

If you want to have wan1 as a primary interface and wan2 as a backup you can create a load balance interface and change the priority of the wan2 interface. For example:

config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "wan1"
            set gateway x.x.x.x
        next
        edit 2
            set interface "wan2"
            set gateway x.x.x.x
            set priority 100
        next
    end
    config health-check
        edit "google"
            set server "8.8.8.8"
        next
    end
    config service
        edit "all"
            set mode priority
            set dst "all"
            set src "all"
            set health-check "google"
            set priority-members 1 2
        next
    end
end

You would also need to create a route pointing to the wan-load-balance interface and a policy to allow the traffic to the wan-load-balance interface. This should make your wan1 the preferred interface and wan2 the backup and will show under WAN LLB in the GUI. I understand that before the ECMP was configured in a different manner, but as I mentioned previously, the menu has not been implemented in 5.4. Is this configuration viable in your network?

Kind regards,
Thiago Takayama
Fortinet NSE
Fortinet TAC"

tsakou
New Contributor

Hello, I have the same problem. I am trying to use wan2 only as a failover interface by setting a higher priority on it. I have configured WAN LLB; however, the strange thing is that even though the priority on wan2 is higher, most of the traffic is still routed through it. I have tried all the load-balancing algorithms but the result is the same. What could be the issue?

P.S.: Found it: in my WAN LLB rules, the ping rule that I had set had latency as its criterion. Since my second line is fiber optic (but with lower bandwidth), it always had lower latency, thus it was considered to be the "best" line to route through. Once I changed the criterion to packet loss, everything works as intended :)
