I have a FG200D and we are getting ready to receive a new Cradlepoint 3G/4G router for failover of the main office only. The plan is to connect it to WAN2. My question is this: Would it be better to use WAN LLB and set a sky high priority like 99 for WAN1 and 1 for WAN2, or would it be better to use two static routes and weight them accordingly?
I mainly want to make sure WAN2 isn't going to be used unless WAN1 is absolutely down. I don't mind a small amount of traffic for health check but we are only allotted so much data per month on the fail over service without overage charges.
I've seen multiple posts about this and read multiple articles, but couldn't really determine the best method from those. I've only known FortiOS 5.4, which apparently isn't the favorite for this setup since most of the failover documentation still references 5.2.
Opinions and thoughts welcomed and thanks in advance.
Kevin
Thank you for your time,
Kevin W. Knuckles
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
The default deep peer detection for the IPSEC tunnels is to send a packet every 20 seconds, and if 3 of them fail then it will deem it dead, ie your IPSEC will stay up for 60 seconds. You can change the dpd parameters (via cli) if you want it to fail over faster. The below config will make it fail over in 9 seconds
config vpn ipsec phase1-interface
edit <vpn name>
set dpd-retrycount 3
set dpd-retryinterval 3
end
-- Bjørn Tore
-- Bjørn Tore
-- Bjørn Tore
why do you reopen such an old post?
In the meantime there are new technics like SDWAN to manage what you want to...
zaphod wrote:Because this is exactly what I need. I'm either misunderstanding SD-WAN or it doesn't do what I want. I don't need Load-balancing, because no matter what I tired - SDWAN (regardless of the weighting, priorities) uses a substantial amount of my failover (mobile) WAN. Its simple. When Primary WAN is down, Pull route, go to Secondary WAN. Revert once Primary WAN is restored.why do you reopen such an old post?
In the meantime there are new technics like SDWAN to manage what you want to...
Ahh, posts back from land before time.
Anyway - my tip is use 2 or more servers in the system link monitor. Eliminate the chance of false positives causing fail over.
config system link-monitor edit "Failover to Infinity" set srcintf "port3" set server "8.8.8.8" "1.1.1.1" set gateway-ip xx.xx.xx.xx set recoverytime 3 set update-cascade-interface disable next end
^^^only fails if BOTH servers fail to respond to ping.
I put this in effect but when WAN1 is working, some traffic is still flowing from WAN2. Since WAN2 is a cellular backup data use affects cost. When WAN1 is working, should 0 traffic be flowing via WAN2? Can anyone think of what I might have done wrong in the configuration that WAN2 still passes some traffic when WAN1 is operational? I am using an Inside zone as suggested by MikePruett. Both WAN1 and WAN2 are DHCP WAN connections.
Running FortiOS 6.0.9
I will be doing the same setup as described, any thoughts or ideas are appreciated. Thanks, Pat
Sounds this is a good method for WAN load balancing... but another trouble point is, you have to configure 2 complete set of policies for each interface going thru WAN1 and WAN2. That means, once you need to modify any policy from one of your huge no. of policies, you have to do it twice... and whenever need to create a new policy, you have to duplicate it for 2 WAN port.
I set the WAN LB with this same method, it's really painful. Just thought does there another way to make it more precise or simple? Double no. of policies and making a complex policy screen are really not a best practice.... and it's not the normal WAN LOAD BALANCING in the market...
For exemple, ZyWALLs have "trunks" - 2,3,4... interfaces there (active, passive) - very easy! In your policies and routes you use only configured trunks - very convinent. Do FGs have such functionality?
Hello,
i'm not expert of DUAL wan but if I understand correctly, you simply want to do a WAN Failover and not a Load balancing right ? If yes, I suggest you to use only static. Here my guide lines:
[ol]
You can test your link monitor using the command diagnose sys link-monitor status all
Hope this will help you.
BR
I always already fail at 1.
My FGT does not allow me to set up a second default route when I use sdwan.
I would like to have one Fallback parallel to sdwan but cannot set up the neccessary routing.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1698 | |
1092 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.