Hi, guys,
I am using a FortiGate 400E with FortiOS v7.0.3, and the SDWAN SLA performance configuration for the 3-link SDWAN (SDWAN health-check) is below:
SLA configuration and verification:
-----------------------------------------------------------
13Forti400e01 (Pingtest_to_61LAN) # show
config health-check
    edit "Pingtest_to_61LAN"
        set server "10.61.200.254"
        set interval 1500
        set probe-timeout 1000
        set recoverytime 3
        set members 2 11 13
        config sla
            edit 1
                set link-cost-factor latency packet-loss
                set latency-threshold 500
                set packetloss-threshold 50
            next
        end
    next
end
13Forti400e01 (Pingtest_to_61LAN) # get
name : Pingtest_to_61LAN
probe-packets : enable
addr-mode : ipv4
server : "10.61.200.254"
detect-mode : active
protocol : ping
ha-priority : 1
interval : 1500
probe-timeout : 1000
failtime : 5
recoverytime : 3
probe-count : 30
diffservcode : 000000
update-cascade-interface: enable
update-static-route : enable
sla-fail-log-period : 0
sla-pass-log-period : 0
threshold-warning-packetloss: 0
threshold-alert-packetloss: 0
threshold-warning-latency: 0
threshold-alert-latency: 0
threshold-warning-jitter: 0
threshold-alert-jitter: 0
members : 2 11 13
sla:
== [ 1 ]
id: 1
SDWAN eventlog
----------------------------
1: date=2022-10-06 time=18:11:22 eventtime=1665051082440260483 tz="+0800" logid="0100022921" type="event" subtype="system" level="critical" vd="root" logdesc="Routing information changed" name="Pingtest_to_61LAN" interface="Vlan606" status="up" msg="Static route on interface Vlan606 may be added by health-check Pingtest_to_61LAN. Route: (10.10.61.57->10.61.200.254 ping-up)"
2: date=2022-10-06 time=18:07:18 eventtime=1665050838874349798 tz="+0800" logid="0100022921" type="event" subtype="system" level="critical" vd="root" logdesc="Routing information changed" name="Pingtest_to_61LAN" interface="Vlan606" status="down" msg="Static route on interface Vlan606 may be removed by health-check Pingtest_to_61LAN. Route: (10.10.61.57->10.61.200.254 ping-down)"
-------------------------------
My questions:
1. Is there any problem with my SLA configuration? What causes the link "down -> up" period to take 4 minutes?
2. Are there any parameters/attributes for adjusting the probes, period, testing period?
Hi,
1. 3 consecutive successful ICMP responses/replies from server 10.61.200.254 should have been recorded only after 4 minutes to turn the health check status back to up state.
2. I don't think any change is needed, but it depends on your requirements on how fast or slow the probes should be sent to converge the network based on the health checks.
Best regards,
Jin
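The down-to-up gap discussed above can be measured directly from the event log. This is an added example, not part of the original posts and not Fortinet code: it pairs the two logid 0100022921 entries from the thread and compares the outage with a lower-bound estimate (interval × recoverytime, assuming one probe per interval). Function names are hypothetical.

```python
import re
from datetime import datetime

# The two event-log entries from the thread (eventtime/tz/level fields omitted).
LOG = '''\
1: date=2022-10-06 time=18:11:22 logid="0100022921" name="Pingtest_to_61LAN" interface="Vlan606" status="up" msg="Static route on interface Vlan606 may be added by health-check Pingtest_to_61LAN. Route: (10.10.61.57->10.61.200.254 ping-up)"
2: date=2022-10-06 time=18:07:18 logid="0100022921" name="Pingtest_to_61LAN" interface="Vlan606" status="down" msg="Static route on interface Vlan606 may be removed by health-check Pingtest_to_61LAN. Route: (10.10.61.57->10.61.200.254 ping-down)"
'''

# key=value, where value is either "quoted with spaces" or a bare token
KV = re.compile(r'([\w-]+)=("([^"]*)"|\S+)')

def parse_line(line):
    """Return the key=value fields of one FortiOS log line as a dict."""
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in KV.findall(line)}

def outages(log_text):
    """Pair each status=down with the next status=up per (health-check, interface).

    The log is listed newest first, so events are sorted by timestamp before pairing.
    Returns [(name, interface, outage_seconds), ...].
    """
    events = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("logid") == "0100022921" and f.get("status") in ("up", "down"):
            ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, f["name"], f["interface"], f["status"]))
    down_since, result = {}, []
    for ts, name, iface, status in sorted(events):
        key = (name, iface)
        if status == "down":
            down_since.setdefault(key, ts)      # keep the first "down" of an outage
        elif key in down_since:
            start = down_since.pop(key)
            result.append((name, iface, int((ts - start).total_seconds())))
    return result

def min_transition_seconds(interval_ms, count):
    """Assumed lower bound for a state change: `count` probes, one per interval."""
    return interval_ms * count / 1000

def explain(log_text, interval_ms, recoverytime):
    """For each outage, report how far it exceeds the fastest possible recovery."""
    floor = min_transition_seconds(interval_ms, recoverytime)
    return [{"name": n, "interface": i, "outage_s": s, "recover_floor_s": floor,
             "excess_s": s - floor} for n, i, s in outages(log_text)]

if __name__ == "__main__":
    for row in explain(LOG, interval_ms=1500, recoverytime=3):
        print(row)
```

With the posted values (interval 1500, recoverytime 3) the estimated floor is a few seconds, so an outage measured in minutes points at probes continuing to fail rather than at the recovery counter itself.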
May I know if there is any way to upload my detailed SLA log results (diag sys sdwan sla-log SLAtest_LL_Links_to13DC 3), in order to explain more?
Yes, max of 5 files of size 5 MB max could be attached to a post.
best regards,
Jin
Hi, jintrah_FTNT
Thanks so much for your kind reply.
The root reason is found, based on the Fortigate admin guide:
If the health check is used in an SD-WAN rule that uses Manual or Best Quality strategies, enabling SLA Target is optional. If the health check is used in an SD-WAN rule that uses Lowest Cost (SLA) or Maximum Bandwidth (SLA) strategies, then SLA Target is enabled.
When SLA Target is enabled, configure the following:
I am currently using FortiOS v7.0.3. May I know if the probe count for Packet Loss can be adjusted (I can't find this attribute for Packet Loss)?
Thanks so much.
Benson
Created on 10-17-2022 10:00 PM Edited on 10-17-2022 10:21 PM
Hi, guys,
Sorry, my above post was wrongly captured.
I meant I could not find the probe-count for Packet loss from the following setup (probe-count is only for Jitter and latency):
-----------------------------------------------------------
Forti400e01 (SLAtest_to_61LAN) # set
probe-packets Enable/disable transmission of probe packets.
addr-mode Address mode (IPv4 or IPv6).
server IP address or FQDN name of the server.
detect-mode The mode determining how to detect the server.
protocol Protocol used to determine if the FortiGate can communicate with the server.
ha-priority HA election priority (1 - 50).
interval Status check interval in milliseconds, or the time between attempting to connect to the server (500 - 3600*1000 msec, default = 500).
probe-timeout Time to wait before a probe packet is considered lost (500 - 3600*1000 msec, default = 500).
failtime Number of failures before server is considered lost (1 - 3600, default = 5).
recoverytime Number of successful responses received before server is considered recovered (1 - 3600, default = 5).
probe-count Number of most recent probes that should be used to calculate latency and jitter (5 - 30, default = 30).
diffservcode Differentiated services code point (DSCP) in the IP header of the probe packet.
update-cascade-interface Enable/disable update cascade interface.
update-static-route Enable/disable updating the static route.
sla-fail-log-period Time interval in seconds that SLA fail log messages will be generated (0 - 3600, default = 0).
sla-pass-log-period Time interval in seconds that SLA pass log messages will be generated (0 - 3600, default = 0).
threshold-warning-packetloss Warning threshold for packet loss (percentage, default = 0).
threshold-alert-packetloss Alert threshold for packet loss (percentage, default = 0).
threshold-warning-latency Warning threshold for latency (ms, default = 0).
threshold-alert-latency Alert threshold for latency (ms, default = 0).
threshold-warning-jitter Warning threshold for jitter (ms, default = 0).
threshold-alert-jitter Alert threshold for jitter (ms, default = 0).
members Member sequence number list.
Thanks for your suggestion.