Support Forum
Ajay_M
New Contributor

Passive WAN health measurement

Hi Fortinet team and all,

 

I would like to understand in depth the technical functionality of passive WAN health measurement.

 

Could anyone share a document to help me understand it? For example:

  1. How does it calculate the jitter, packet loss and latency through the TCP sessions of internet traffic?
  2. There will be multiple public IPs (basically destinations) for internet traffic, so the SLA varies for every destination.
  3. What is the formula behind it to calculate the SLA from all of the internet destination traffic?
  4. How can I view the sessions in the FortiGate that have been used to calculate the passive SLA?
Thanks,
Ajay M
pgautam
Staff

Hi Ajay,

 

In SD-WAN, the performance SLA monitors the members' health.

When you configure performance SLA you will get the option to select probe mode active or passive.

1) Active mode:-

In active monitoring, the health of the member is checked by periodically sending probes towards the configured servers to determine its performance.

2) Passive mode:-

In passive health monitoring, the health of the member is determined based on the traffic passing through the member.

FGT monitors the actual traffic flowing through the member to determine its performance.

Passive monitoring simplifies configuration and reduces network traffic by using a probe-free approach for measuring the performance of members.
FGT measures packet loss, latency, and jitter based on the TCP traffic sent and received through the member.

This is a more accurate approach than active monitoring because you measure the member performance based on the actual traffic passing through the member,
instead of measuring it based on the probes that may be unrelated to the application you want to effectively steer using SDWAN.

In passive monitoring, latency is calculated from the RTT (Round Trip Time) of the TCP connection setup and tear-down, while jitter and packet loss are calculated based on the TCP header information.

Note:- Passive monitoring does not detect dead members, and hardware acceleration is disabled on the traffic subject to passive monitoring.

Configuration:-
1) First set passive mode in the health check configuration.
2) Enable passive-wan-health-measurement on the firewall policies that accept traffic for the monitored member.

Once you enable passive-wan-health-measurement, auto-asic-offload will be disabled automatically.

Please follow the below article for your reference:-

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Passive-performance-SLA/ta-p/225290

https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/208103/passive-wan-health-me...

Regards

Priyanka



Ajay_M
New Contributor

Hi @pgautam ,

 

Thanks for your reply. I have a doubt: once we enable passive WAN health measurement in the firewall policy,

 

there would be plenty of internet traffic, say for example 10 different internet flows; each of the flows will be located in a different location (hosting servers) and have different jitter, latency and packet loss.

 

 

So from all 10 TCP flows, how is the FortiGate calculating the SLA metric?

 

 

How can I check which TCP sessions are being used by the passive health check? Is there any GUI or CLI command?

Thanks,
Ajay M
pgautam

Hi Ajay,
 
The available constraints in the SLA are below:-
 
Latency threshold: Latency for SLA to make decision, in milliseconds (0 - 10000000, default = 5).
Jitter threshold: Jitter for SLA to make decision, in milliseconds (0 - 10000000, default = 5).
Packet loss threshold: Packet loss for SLA to make decision, in percentage (0 - 100, default = 0).
 
If the health check is configured in passive mode, SLA thresholds are set, and passive WAN health measurement is enabled on the SD-WAN policy, then the SLA will take action based on the threshold that is exceeded.
 
 
E.g.:- YouTube traffic generated by the PC. When latency is introduced to the traffic, the passive health check's trigger threshold is exceeded and traffic is rerouted to another healthy interface.
 
config health-check
    edit "Passive_Check"
        set detect-mode passive
        set members 1 2
        config sla
            edit 1
                set latency-threshold 500
                set jitter-threshold 500
                set packetloss-threshold 10
            next
            edit 2
                set latency-threshold 1000
                set jitter-threshold 1000
                set packetloss-threshold 10
            next
        end
    next
end
 
If you have 10 TCP connections as well, then action will be taken by the monitor based on the defined SLA limit.
 
FGT measures packet loss, latency, and jitter based on the TCP traffic sent and received through the member.
In passive monitoring, latency is calculated from the RTT (Round Trip Time) of the TCP connection setup and tear-down, while jitter and packet loss are calculated based on the TCP header information.
 
Regards
Priyanka
 
 
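As an added illustration (not FortiGate's code, and not a published Fortinet formula), the Python model below follows the reply's description: latency is taken from the handshake RTT of each TCP session, packet loss from repeated sequence numbers, and jitter from the variation between session RTTs, then the aggregate is checked against the two SLA entries in the config above. The aggregation across sessions (a plain mean) and the trace format are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    t: int        # capture time in ms (constructed trace, not a real capture)
    sess: str     # session id
    out: bool     # True = leaving the SD-WAN member, False = returning
    flags: str    # subset of "SA" (SYN, ACK); FIN is omitted in this model
    seq: int      # TCP sequence number
    data: int     # payload bytes (0 for pure control segments)

def measure(pkts):
    """Aggregate latency (ms), jitter (ms) and loss (%) over every session.
    Mean-across-sessions is an assumption of this example, not FortiGate's formula."""
    syn_t, rtts, seen, data_segs, retrans = {}, [], set(), 0, 0
    for p in sorted(pkts, key=lambda p: p.t):
        if p.out and "S" in p.flags and "A" not in p.flags:
            syn_t[p.sess] = p.t                      # client SYN left the member
        elif not p.out and "S" in p.flags and "A" in p.flags and p.sess in syn_t:
            rtts.append(p.t - syn_t.pop(p.sess))     # SYN-ACK came back: handshake RTT
        if p.data:
            data_segs += 1
            key = (p.sess, p.out, p.seq)
            retrans += key in seen                   # same seq seen twice = retransmission
            seen.add(key)
    latency = sum(rtts) / len(rtts) if rtts else 0.0
    diffs = [abs(a - b) for a, b in zip(rtts, rtts[1:])]
    jitter = sum(diffs) / len(diffs) if diffs else 0.0
    loss = 100.0 * retrans / data_segs if data_segs else 0.0
    return latency, jitter, loss

SLA = {1: (500, 500, 10), 2: (1000, 1000, 10)}   # thresholds from the config above

def sla_status(metrics, sla=SLA):
    """True for each SLA id whose thresholds are all met; exceeding any one fails it."""
    lat, jit, loss = metrics
    return {i: lat <= l and jit <= j and loss <= p for i, (l, j, p) in sla.items()}

def sample():
    """Constructed trace: 3 handshakes, 10 data segments, 1 retransmission."""
    pk = []
    for sid, t0, rtt in (("s1", 0, 40), ("s2", 10, 60), ("s3", 20, 1200)):
        pk += [Pkt(t0, sid, True, "S", 100, 0), Pkt(t0 + rtt, sid, False, "SA", 500, 0)]
        pk += [Pkt(t0 + rtt + 1 + k, sid, True, "A", 101 + 100 * k, 100) for k in range(3)]
    pk.append(Pkt(1400, "s1", True, "A", 101, 100))  # s1's first segment sent again
    return pk

if __name__ == "__main__":
    m = measure(sample())
    print("latency=%.1f ms jitter=%.1f ms loss=%.1f%%" % m, sla_status(m))
```

With the constructed trace, one slow session pushes the aggregate jitter past SLA 1 while SLA 2 still holds, which is the effect the reply describes when one of several sessions exceeds a threshold.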
Ajay_M
New Contributor

Hi @pgautam ,

 

Thanks for the prompt reply. Sorry to say this, but the answer you have given is not the correct one for my question.

 

If there are 10 TCP sessions with different destinations, each TCP session will have different SLA metrics. How is the FortiGate firewall calculating the SLA metric from all 10 TCP sessions with different SLA values? What is the formula behind it?

 

Let's say in active SLA mode it uses the last 30 packets to calculate the SLA metrics.

Thanks,
Ajay M
Ajay_M
New Contributor

Hi @pgautam ,

 

I have checked my FortiGate firewall session table for the firewall policy where passive WAN health measurement is enabled. I found that there are zero sessions, as below.

 

Firewall policy: (screenshot enable.png)

Session list: (screenshot Session.png)

 

But the passive SLA is still showing the SLA metrics. Could you please help me understand this?

 

Passive_SLA: (screenshot Passive sla.png)

 

 

 

Thanks,
Ajay M
pgautam

Hi Ajay,

 

In passive monitoring, the SLA is calculated based on the TCP traffic leaving from the SD-WAN member interface.

 

Could you please check whether you have a TCP session on port1 and port2, which are part of the SD-WAN SLA?

 

Regards

Priyanka

 


 

 

 

saneeshpv_FTNT

Hi Ajay,

 

From the output you have shared, when there is no TCP session, the passive monitor cannot measure the SLA metrics and shows 0 for all of them. One thing to note is that it will not affect the SD-WAN member state, so you will still see them UP. You have the option to use Prefer passive, which will first attempt passive and then switch to active if there is no traffic through the SD-WAN member. For that you need to define an active probe with some internet-based servers.

 

How this is calculated has already been explained by @pgautam, and out of 10 TCP sessions, if any one of them exceeds the latency threshold, for example during the TCP connection setup, it should trigger a WAN failover. It is also important to note that you can control this based on the firewall policy or even the application, and only those sessions matching the firewall policy or application will be accounted for in the measurements.

 

Regards,