Support Forum
kknuckles
New Contributor

WAN Failover Best Practice - New Failover Connection

I have a FG200D and we are getting ready to receive a new Cradlepoint 3G/4G router for failover of the main office only. The plan is to connect it to WAN2. My question is this: Would it be better to use WAN LLB and set a sky-high priority like 99 for WAN1 and 1 for WAN2, or would it be better to use two static routes and weight them accordingly?

I mainly want to make sure WAN2 isn't going to be used unless WAN1 is absolutely down. I don't mind a small amount of traffic for health checks, but we are only allotted so much data per month on the failover service without overage charges.

I've seen multiple posts about this and read multiple articles, but couldn't really determine the best method from those. I've only known FortiOS 5.4, which apparently isn't the favorite for this setup since most of the failover documentation still references 5.2.

Opinions and thoughts welcomed, and thanks in advance.

Kevin

Thank you for your time, Kevin W. Knuckles
4 Solutions
neonbit
Valued Contributor

The default dead peer detection for the IPsec tunnels is to send a packet every 20 seconds, and if 3 of them fail then it will deem it dead, i.e. your IPsec will stay up for 60 seconds. You can change the DPD parameters (via CLI) if you want it to fail over faster. The below config will make it fail over in 9 seconds:

    config vpn ipsec phase1-interface
        edit <vpn name>
            set dpd-retrycount 3
            set dpd-retryinterval 3
        next
    end

btp

Sure - but why not use the policy route approach that lies in the SDWAN logic?

-- Bjørn Tore
btp

Sure - «SD-WAN» in Fortinet World is an acronym for path selection. Not really SD-WAN, imho..

-- Bjørn Tore
btp

That’s the main idea with Fortinet’s SD-WAN offering - path selection. We use this to use one of two fibers - and mobile backup if the sh*t hits the fan.. for many spokes.

-- Bjørn Tore
36 Replies
zaphod
New Contributor III

Why do you reopen such an old post?

In the meantime there are new techniques like SDWAN to manage what you want to...

RBotha
New Contributor

zaphod wrote:

    Why do you reopen such an old post?

    In the meantime there are new techniques like SDWAN to manage what you want to...

Because this is exactly what I need. I'm either misunderstanding SD-WAN or it doesn't do what I want. I don't need load-balancing, because no matter what I tried - SDWAN (regardless of the weighting, priorities) uses a substantial amount of my failover (mobile) WAN. It's simple. When Primary WAN is down, pull route, go to Secondary WAN. Revert once Primary WAN is restored.

James_G
Contributor III

Ahh, posts back from the land before time.

Anyway - my tip is to use 2 or more servers in the system link monitor. Eliminate the chance of false positives causing failover.

    config system link-monitor
        edit "Failover to Infinity"
            set srcintf "port3"
            set server "8.8.8.8" "1.1.1.1"
            set gateway-ip xx.xx.xx.xx
            set recoverytime 3
            set update-cascade-interface disable
        next
    end

^^^ only fails if BOTH servers fail to respond to ping.

SecurityPlus

I put this in effect, but when WAN1 is working, some traffic is still flowing from WAN2. Since WAN2 is a cellular backup, data use affects cost. When WAN1 is working, should 0 traffic be flowing via WAN2? Can anyone think of what I might have done wrong in the configuration that WAN2 still passes some traffic when WAN1 is operational? I am using an Inside zone as suggested by MikePruett. Both WAN1 and WAN2 are DHCP WAN connections.

Running FortiOS 6.0.9

phowardmhm
New Contributor

I will be doing the same setup as described, any thoughts or ideas are appreciated.  Thanks, Pat

wcbenyip
New Contributor III

Sounds like this is a good method for WAN load balancing... but another trouble point is, you have to configure 2 complete sets of policies for each interface going thru WAN1 and WAN2. That means, once you need to modify any policy from one of your huge no. of policies, you have to do it twice... and whenever you need to create a new policy, you have to duplicate it for 2 WAN ports.

I set the WAN LB with this same method; it's really painful. Just thought, is there another way to make it more precise or simple? Doubling the no. of policies and making a complex policy screen is really not a best practice.... and it's not the normal WAN LOAD BALANCING in the market...

Protect yourself~ http://www.secunia.com MBCS CEH FCNSA
Maxim_Vanichkin

For example, ZyWALLs have "trunks" - 2,3,4... interfaces there (active, passive) - very easy! In your policies and routes you use only configured trunks - very convenient. Do FGs have such functionality?

fl0at0xff
New Contributor II

Hello,

I'm not an expert on dual WAN, but if I understand correctly, you simply want to do a WAN failover and not load balancing, right? If yes, I suggest you use only static routes. Here are my guidelines:

1. Configure default static routes (wan1/wan2 with the same distance, but wan1 with the lowest priority)
2. Create a link-monitor using the CLI for each WAN (config sys link-monitor) (-> set update-static-route disable)
3. If you use IPsec, create your second IPsec that will use wan2. In the CLI, don't forget to set the parameter "set monitor <gw_ip_wan1>" that tells this backup IPsec VPN to monitor the first one
4. Add a static route for your new IPsec (IPsec tunnel 2 with the same distance as the primary but higher priority)
5. If you have not created a ZONE for WAN1 and WAN2, you must duplicate all your policies/VIPs for wan2
6. If you have SSL VPN, don't forget to add wan2 as a listening interface in the SSL VPN configuration
7. In case of IPsec, don't forget to configure the remote peer too.

You can test your link monitor using the command: diagnose sys link-monitor status all

Hope this will help you.

BR
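
The following is an added example, not code from any poster in this thread and not FortiOS code: a small Python model of the mechanism that James_G's two-server link monitor and steps 1 and 2 of the guide above rely on. Two default routes with equal distance but different priority are both kept, the lower priority value carries traffic, and a link monitor withdraws the wan1 route only after every configured server has failed `failtime` consecutive probes, restoring it after `recoverytime` consecutive good probes. The server IPs, timers, route parameters and probe results are constructed, and the "dead only when ALL servers fail" rule is taken from James_G's post rather than from Fortinet documentation. Running it shows why a single flapping server moves a one-server monitor to the cellular link while a two-server monitor stays put, and how the same timers give recovery hysteresis.

```python
# Added example for this thread (not FortiOS code and not from any poster):
# a model of how a link monitor drives static-route failover on a FortiGate,
# so the "two servers" tip and the equal-distance / different-priority route
# setup can be reasoned about before touching a production box. Server IPs,
# timers and route parameters are constructed; the "link is dead only when ALL
# servers fail" rule is an assumption taken from the thread.
from dataclasses import dataclass, field


@dataclass
class StaticRoute:
    device: str
    distance: int
    priority: int          # FortiOS: lower value wins among equal-distance routes
    active: bool = True    # False while the link monitor has withdrawn the route


def select_egress(routes):
    """Pick the interface that default traffic leaves on.

    Only the lowest-distance routes stay in the routing table; among those the
    lowest priority value is preferred. (Assumption: a single flow, no ECMP.)
    """
    live = [r for r in routes if r.active]
    if not live:
        return None
    best = min(r.distance for r in live)
    return min((r for r in live if r.distance == best), key=lambda r: r.priority).device


@dataclass
class LinkMonitor:
    """Link-monitor state machine (modelled semantics, not a FortiOS API).

    The route is withdrawn after `failtime` consecutive intervals in which
    every server was unreachable, and restored after `recoverytime`
    consecutive intervals in which at least one server answered.
    """
    route: StaticRoute
    servers: tuple
    failtime: int = 5
    recoverytime: int = 5
    fail_streak: int = field(default=0, init=False)
    ok_streak: int = field(default=0, init=False)

    def probe(self, reachable):
        """reachable maps server IP -> True/False for this interval."""
        if not any(reachable[s] for s in self.servers):    # ALL servers failed
            self.fail_streak += 1
            self.ok_streak = 0
            if self.route.active and self.fail_streak >= self.failtime:
                self.route.active = False                  # pull the wan1 route
        else:
            self.ok_streak += 1
            self.fail_streak = 0
            if not self.route.active and self.ok_streak >= self.recoverytime:
                self.route.active = True                   # wan1 is back
        return self.route.active


# Constructed probe results, one dict per interval: 8.8.8.8 drops first on its
# own (a false positive for a single-server monitor), then both servers drop,
# then both recover.
PROBES = (
    [{"8.8.8.8": True, "1.1.1.1": True}]
    + [{"8.8.8.8": False, "1.1.1.1": True}] * 2
    + [{"8.8.8.8": False, "1.1.1.1": False}] * 4
    + [{"8.8.8.8": True, "1.1.1.1": True}] * 3
)


def run_scenario(probes, servers=("8.8.8.8", "1.1.1.1"), interval=5, failtime=3, recoverytime=3):
    """Return [(seconds, egress_device), ...] for each probe interval."""
    wan1 = StaticRoute("wan1", distance=10, priority=5)    # preferred path
    wan2 = StaticRoute("wan2", distance=10, priority=10)   # cellular backup
    mon = LinkMonitor(wan1, servers, failtime, recoverytime)
    timeline = []
    for i, result in enumerate(probes):
        mon.probe(result)
        timeline.append((i * interval, select_egress([wan1, wan2])))
    return timeline


def first_failover_time(timeline):
    """Seconds until traffic first moves to wan2, or None if it never does."""
    return next((t for t, dev in timeline if dev == "wan2"), None)


if __name__ == "__main__":
    for t, dev in run_scenario(PROBES):
        print(f"t={t:>3}s  egress={dev}")
    print("two servers:", first_failover_time(run_scenario(PROBES)), "s")
    print("one server :", first_failover_time(run_scenario(PROBES, servers=("8.8.8.8",))), "s")
```

With the constructed probe sequence the two-server monitor keeps traffic on wan1 through the single-server outage and only moves to wan2 after both servers have been unreachable for three intervals; a monitor watching only 8.8.8.8 fails over two intervals earlier on what is, for the link itself, a false positive. `select_egress` also shows the alternative the original question asks about: give wan2 a larger distance and it never appears in the active table while wan1 is present, whatever its priority.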

     

sw2090
Honored Contributor

I always already fail at 1.

My FGT does not allow me to set up a second default route when I use sdwan.

I would like to have one fallback parallel to sdwan but cannot set up the necessary routing.

-- 
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
SecurityPlus

sw2090, what do you mean when you say "always already fail at 1"?