Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
kknuckles
New Contributor

WAN Failover Best Practice - New Failover Connection

I have a FG200D and we are getting ready to receive a new Cradlepoint 3G/4G router for failover of the main office only. The plan is to connect it to WAN2. My question is this: Would it be better to use WAN LLB and set a sky high priority like 99 for WAN1 and 1 for WAN2, or would it be better to use two static routes and weight them accordingly?
I mainly want to make sure WAN2 isn't going to be used unless WAN1 is absolutely down. I don't mind a small amount of traffic for health check but we are only allotted so much data per month on the fail over service without overage charges.
I've seen multiple posts about this and read multiple articles, but couldn't really determine the best method from those. I've only known FortiOS 5.4, which apparently isn't the favorite for this setup since most of the failover documentation still references 5.2.
Opinions and thoughts welcomed and thanks in advance.
Kevin

Thank you for your time,
Kevin W. Knuckles
4 Solutions
neonbit
Valued Contributor

The default dead peer detection (DPD) for the IPsec tunnels is to send a packet every 20 seconds, and if 3 of them fail then it will deem it dead, i.e. your IPsec will stay up for 60 seconds. You can change the dpd parameters (via CLI) if you want it to fail over faster. The config below will make it fail over in 9 seconds:

config vpn ipsec phase1-interface
    edit <vpn name>
        set dpd-retrycount 3
        set dpd-retryinterval 3
    next
end


btp

That’s the main idea with Fortinet’s SD-WAN offering - path selection. We use this to use one of two fibers - and mobile backup if the sh*t hits the fan.. for many spokes.

-- Bjørn Tore

36 REPLIES
sw2090
Honored Contributor

"Configure default static route (wan1/wan2 with same distance but wan1 with lowest priority)" in the post I replied to.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
tanr
Valued Contributor II

@SecurityPlus, if you are not using SD-WAN, how are your distances and priorities set up?  Also, do you mean you see traffic going over the cellular link all the time, or for some time after a failure causes you to switch away from WAN1?

SecurityPlus

Thanks.
Correct, SD-WAN is set to Disable. Yes, we see traffic going over the cellular link all the time. Both wan1 and wan2 are set to Retrieve default gateway from server: Off. They are both DHCP.

config system interface / show full

    wan1
        distance 10
        priority 0

    wan2
        distance 10
        priority 0

Upon further review, this does not look correct to me. I thought that we had set Priority 5 for wan1 and priority 10 for wan2. Is that a better way to configure?
There are two Static Routes listed, one for wan1 and one for wan2. They both have destination 0.0.0.0/0. They are both listed as Dynamic Gateways. They both have Distance 10. wan1 has Priority 5, wan2 has priority 10.

tanr
Valued Contributor II

Ah, I have a guess.  It sounds like you're getting bit by the dynamic gateway!  Check your actual routing table to confirm (get router info routing-table all).
IIRC, when your interface has "Retrieve default gateway from server" enabled (default when you set a WAN/DMZ role interface to DHCP) it will *automatically* add a static route with distance of 5 to the routing table.  Regardless of whether you already have a static route set for it.
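A small Python model of the route-selection order tanr describes, added here as an illustration (it is not FortiOS code and not from anyone in the thread). It assumes the FortiGate installs only the lowest-distance default routes, then prefers the lowest priority value among them and load-balances across ties, and it uses the distance-5 DHCP default route and the distance-10 / priority 5 and 10 statics quoted in the thread.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    """One candidate default route (0.0.0.0/0) as the FortiGate sees it."""
    interface: str
    distance: int   # administrative distance; only the lowest value is installed
    priority: int   # tie-break among equal-distance routes; lower value is preferred
    source: str     # "static" or "dhcp" (route learned from the DHCP server)


def active_routes(candidates):
    """Return the interfaces that will actually carry default-route traffic.

    Modelled selection order (an assumption matching the thread's description):
      1. only routes with the lowest distance are installed in the routing table;
      2. among those, the lowest priority value wins; routes that share that
         lowest priority are load-balanced (ECMP), so both links see traffic.
    """
    if not candidates:
        return []
    best_distance = min(r.distance for r in candidates)
    installed = [r for r in candidates if r.distance == best_distance]
    best_priority = min(r.priority for r in installed)
    return sorted(r.interface for r in installed if r.priority == best_priority)


# Constructed scenario 1: the setup SecurityPlus intended. Two static default
# routes at distance 10, wan1 priority 5, wan2 priority 10. Only wan1 carries
# traffic; wan2 is installed but idle until wan1's route is withdrawn.
INTENDED = [
    Route("wan1", distance=10, priority=5, source="static"),
    Route("wan2", distance=10, priority=10, source="static"),
]

# Constructed scenario 2: tanr's guess. Both WAN interfaces are DHCP with
# "Retrieve default gateway from server" on, so the FortiGate adds a dynamic
# default route per interface at distance 5 (the value the thread gives).
# Those shadow the distance-10 statics entirely, and because both carry
# priority 0 the cellular link on wan2 gets a share of traffic all the time.
DHCP_SHADOWING = INTENDED + [
    Route("wan1", distance=5, priority=0, source="dhcp"),
    Route("wan2", distance=5, priority=0, source="dhcp"),
]

# Constructed scenario 3: wan1 is down, so its routes are gone and wan2 takes over.
WAN1_DOWN = [r for r in INTENDED if r.interface == "wan2"]
```

Comparing `active_routes(INTENDED)` with `active_routes(DHCP_SHADOWING)` shows why the statics' priorities never get a say once the DHCP-derived routes are present; `get router info routing-table all` on the box is the check that tells you which case you are in.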
btp
Contributor

You can either configure the distance under the interface if you have DHCP enabled, or you can ignore the default-route. And then use default-gw-enable under static route.

-- Bjørn Tore
SecurityPlus

Thanks everyone for the suggestions. I will review.
SecurityPlus

I received a recommendation to:

set snat-route-change enable
https://kb.fortinet.com/kb/documentLink.do?externalID=FD40943
If enabled, I read that this should flush the routing information from the session table. Does this change make sense?

btp

Sure - but why not use the policy route approach that lies in the SDWAN logic?

-- Bjørn Tore
SecurityPlus

Thanks.
Dumb question. Can I use the policy route approach that lies in the SDWAN logic if I am not using SDWAN?

btp

Sure - «SD-WAN» in Fortinet World is an acronym for path selection. Not really SD-WAN, imho..

-- Bjørn Tore