Fortigate 60D - issue with Wan2

Jerax81 · ‎05-17-2022

Dear all,

this my first post! I appreciate your help :)

I never used a fortigate, this is my first experience.

I configured a Fortigate 60D (firmware 5.2.1) with two interface Wan and i created a WAN link load balancing set "Weighted Round Robin 50/50"

The problem is pretty simple: The Interface wan2 doesn't work in any way.

I disabled interface Wan1, and i'm able with interface WAN 2 to ping the Router via Cli but i'm not able to ping 8.8.8.8

Connected with my laptop directly to the router interface with the same Fortigate's IP address i'm able to surf in internet.

I am not authorized to access the router configuration because they are owned by our ISP.

So 'm not sure where the problem is.

Below some screenshots of my configuration:

anyone can help me?

Jerax81 · ‎05-17-2022

Hello All,

I have done several tests and it seems that the problem is only with the WAN2. The same connection configured on WAN1 works, on WAN2 it doesn't.

It would appear that WAN2 is disabled in some way.
I have already made a hard reset of the device and it does not solve the problem.

Any idea?

Debbie_FTNT · ‎05-17-2022

Hey Jerax,

what does your routing look like?

Just because load-balancing is configured doesn't mean FGT will automatically use both links (equally or at all).

I would start with this:
#get router info routing-table all

-> that should provide some info as to what your routing looks like and the default route looks like

-> if you only see wan1, then FGT doesn't have a default route via wan2 and won't use it

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++

seshuganesh · ‎05-17-2022

Hi Team,

I will suggest you to take packet capture at next hop to isolate the issue.

If the request is reaching the router then it could be isp issue.

Also, share us the output of these commands:

diag hardware deviceinfo nic wan2

get sys performance status

Jerax81 · ‎05-18-2022

Thanks everyone for the reply.

So I'm sure the problem is not ISP side because I tried to configure the WAN1 with the parameters of the WAN2 and it worked without problems and I also tried to configure the interface WAN2 with the parameters of the WAN1, and as I assumed the Wan2 doesn't work.

and before you ask me I removed the Load balance and tried to configure the interfaces individually, from the WAN2 I can not surf the Internet with any configuration. In wan1, same configuration everything works.

"Just because load balancing is configured doesn't mean FGT will automatically use both links (equally or at all)."
I understand this point, but if I put the WAN1 interface in "administrative sleep mode", the interface 2 has to start working, otherwise I think there is no point in doing a load balancing.

sw2090 · ‎05-18-2022

hm did you configure some health check for your loadbalancer? It needs that to detect a non functional internet connection and remove its route.

without the wan goes down but the route stays so 50% packets still go to it...

--

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

Jerax81 · ‎05-18-2022

Hello!

yes i did! Healt check configurated like this:

Probe type: Ping

Server: 8.8.8.8

Interval 5

Failure 5

recovery 5

sw2090 · ‎05-18-2022

did you enable the "Update static route" option in there?

--

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

Jerax81 · ‎05-18-2022

Hum...hum...i do not see this option!

where is it?

sw2090 · ‎05-18-2022

on a 100F with FortiOS 6.4.9 I see it in Network->Performance SLA

when I edit a healthcheck in there i see this option at the very bottom.

--

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams