Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
andrei
New Contributor

Redundant internet connections using two static public IP

Hi all, I am facing an issue when trying to set up a redundant connection with 2 static public IPs. I put one as the primary connection and the other one as backup by setting up the appropriate distance and priority for each connection. The problem is that when the two connections are connected to the firewall, I am only able to ping the primary connection and not the backup one. Also, I disconnected the primary connection to check whether the firewall would automatically change its internet connection by shifting to the backup connection; it didn't work. In all the technical documentation, they talk about one internet connection with a static public IP and a second one in ISP DHCP addressing mode. Does it mean that it is impossible to set up a redundant internet connection on a FortiGate 60C with two static internet IPs? If not, can you please tell me what's wrong with my configuration? Thanks!
Network & System Engineer OLAM GABON SA
AtiT
Valued Contributor

Hi andrei, I never did it. But did you try the Fortinet Video Library? http://video.fortinet.com/video/76/time/450

AtiT

rwpatterson
Valued Contributor III

I'll bet the IP address ends in an odd number. With the setup as you described, the FGT does 'load balancing', simply by sending odd addresses out WAN1 and even IPs out WAN2. Stupid, but that's what we're given.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

oheigl
Contributor II

Hi, you need to configure the two default routes for both interfaces with the same distance, only change the secondary interface with a high priority. Otherwise the route with the lower distance is not in the routing table, so if you try to ping it, the reverse path lookup fails and the FortiGate drops the packet.
jtfinley

> you need to configure the two default routes for both interfaces with the same distance, only change the secondary interface with a high priority.

OHEIGL is right. We do this all the time. Most of our customers have multiple Internet connections; however, the speed of each may be significantly different. The preferred method we use is to set the Default Gateway DISTANCE the same and change the priority. I'd also recommend using GWDETECT to some stable IPs to detect failure if the "LINK" is not physically down, i.e. cable modem/T1 router. This way, at any time, one can remotely connect to the FortiGate at any ISP link.
ede_pfau
Esteemed Contributor III

Strangely, Fortinet uses the Priority parameter in the sense of a Cost parameter - the higher the Priority, the less it's used. DGD is really a must-have if you use 'hidden' routes. Otherwise, the routing table won't get updated in time and traffic gets lost when the primary route dies. One tip here: specify more than one ping target. When I configured just one (popular) server on the internet on both of the WAN interfaces, there was a complete blackout when they took that server offline for maintenance... In the CLI, you can specify up to 3 ping servers, and ONLY if all of them do not respond anymore, the line is taken as being down.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
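The route selection described in the replies above, as a small added model (not part of the thread and not FortiOS code). Interface names, distances, priorities and probe results are constructed, and treating a link with no ping servers as always up is an assumption of the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DefaultRoute:
    device: str    # egress interface (constructed name, e.g. "wan1")
    distance: int  # administrative distance: only the lowest is installed
    priority: int  # acts as a cost: among installed routes the lowest wins

def link_is_up(ping_results):
    """A link is down only if ALL of its ping servers fail.
    Model assumption: with no ping servers the link is never tested, so it stays up."""
    return not ping_results or any(ping_results)

def routing_table(routes, pings):
    """Install routes whose link is up and whose distance is the lowest available."""
    alive = [r for r in routes if link_is_up(pings[r.device])]
    if not alive:
        return []
    best = min(r.distance for r in alive)
    return [r for r in alive if r.distance == best]

def egress(table):
    """Outbound traffic uses the installed route with the lowest priority value."""
    return min(table, key=lambda r: r.priority).device if table else None

def rpf_accepts(table, ingress_device):
    """Reverse path check: accept a packet only if an installed route
    points back out of the interface it arrived on."""
    return any(r.device == ingress_device for r in table)

# Constructed probe results: three ping servers per interface.
ALL_OK = {"wan1": [True, True, True], "wan2": [True, True, True]}
ONE_TARGET_DOWN = {"wan1": [False, True, True], "wan2": [True, True, True]}
WAN1_DEAD = {"wan1": [False, False, False], "wan2": [True, True, True]}
NO_DETECTION = {"wan1": [], "wan2": []}

# Backup expressed through a higher distance (the original poster's setup).
BY_DISTANCE = [DefaultRoute("wan1", 10, 0), DefaultRoute("wan2", 20, 0)]
# Same distance, higher priority value on the backup (the replies' advice).
BY_PRIORITY = [DefaultRoute("wan1", 10, 0), DefaultRoute("wan2", 10, 10)]

if __name__ == "__main__":
    for name, routes in (("by distance", BY_DISTANCE), ("by priority", BY_PRIORITY)):
        table = routing_table(routes, ALL_OK)
        print(name, "| egress:", egress(table),
              "| ping arriving on wan2 accepted:", rpf_accepts(table, "wan2"))
    print("wan1 dead, egress:", egress(routing_table(BY_PRIORITY, WAN1_DEAD)))
```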
danto
New Contributor

Hi, can you tell us which version you are running?
There is no patch for human stupidity...