Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
VDOM001
New Contributor

Created on ‎04-25-2025 06:12 PM Edited on ‎04-27-2025 11:43 PM

Frequent HA switching after setting link-monitor

We have been using link-monitor to monitor ping to GW, but after setting up link-monitor, HA switchover due to link monitor failure occurred frequently during periods of high traffic spikes.
When we checked the ping statistics of link-monitor, we found a temporary maximum latency of 475 ms, which is a very bad value. No switching occurred at that time.
The reason for the frequent occurrences is that the line became unstable due to user traffic.
Is it safe to assume that the ICMP packets in the link monitor are likely to have been affected by the unstable state of the line due to user traffic?
If so, can this be resolved by changing the timer value of the link monitor?
The current settings are interval 5000, failtime 3, and other default values.

Labels:
1396
0 Kudos
15 REPLIES 15
VDOM001
New Contributor
In response to funkylicious

Created on ‎04-29-2025 12:24 AM

@funkylicious 

It is easy to monitor the SVI of the L3SW since the FW needs to be switched in case of failure between L2SW and L3SW.

460
0 Kudos
funkylicious
SuperUser
SuperUser
In response to VDOM001

Created on ‎04-29-2025 12:39 AM

ok, so the issue is in fact monitoring the SVI of L3SW which is causing issues.

is this a remote device that's outside your LAN to which you have a 10Mbps connection ?

"jack of all trades, master of none"
"jack of all trades, master of none"
457
VDOM001
New Contributor
In response to funkylicious

Created on ‎04-29-2025 12:51 AM

@funkylicious 

The L3SW is located inside the LAN, not outside.
(lan)Forti(wan)----L2SW----L3SW

 

454
0 Kudos
funkylicious
SuperUser
SuperUser
In response to VDOM001

Created on ‎04-29-2025 03:08 AM Edited on ‎04-29-2025 03:23 AM

well, the issue is clearly regarding icmp packets being lost along the way due to either congestion or something else.

 

if the L3SW are individual and not stacked, I assume you run some kind of L3 redundancy protocol on them, like VRRP/HSRP/GLSB so if one fails traffic would be handled by the other ?

if so, L2SW's are or should be connected in both L3SW to ensure L2 redundancy ( leave layer2 things like loops for STP to handle ) and I would not think that link monitor should be used since the traffic from FGT would have the nexthop a virtual ip.

if L2SW's fails, the interface should be already monitored by HA and failover should happen automatically.

 

like this:

Screenshot 2025-04-29 at 13.06.38.png

 

L.E. if L2SW's are not stack-able but individual, i would also consider redundant interface from the FGT to each L2SW.

 

just my thoughts.

"jack of all trades, master of none"
"jack of all trades, master of none"
438
VDOM001
New Contributor
In response to funkylicious

Created on ‎04-29-2025 03:43 AM

@funkylicious 

Thank you very much.

As you mentioned, the L3SW is redundant with HSRP, so the L2SW must be connected to both L3SWs as shown in the figure.
Once we make minor modifications to the link monitor parameters and if the problem is not resolved, we will consider including a proposal to configure L2 redundancy with STP and not use link monitor.

407
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to VDOM001

Created on ‎04-29-2025 08:20 AM

That means the link-monitor is not proper way (meaningless) to detect the primary unit's operation problem to trigger HA failover. Just monitoring ethernet link without link-monitor is more meaningful way to trigger HA failover.

Toshi

390
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.