Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
bunger
New Contributor

WAN Failover and Fail-back with VOIP Connections

I have a 60E with 2 WAN connections: a coax cable broadband connection on WAN1 and a LTE connection on WAN2. I have fail-over configured and all traffic properly fails over to WAN2 when WAN1 goes offline. The issue is that some of the traffic is VOIP and when WAN1 comes back online, those VOIP connections don't drop and retain their connections through WAN2. How can I force all connections to drop from WAN2 so they are forced to fail back to WAN1?

 

Here is what my config code looks like:

 

conf sys link-monitor ­ edit wan1failover ­ set srcintf wan1 ­ set server "8.8.8.8" "1.1.1.1" ­ set gateway-ip "<WAN1-GW>" ­ set interval 20 ­ set failtime 7 ­ set recoverytime 5 ­ set update-cascade-interface enable ­ set update-static-route enable ­ set status enable ­ next ­ edit wan2failover ­ set srcintf wan2 ­ set server "8.8.8.8" "1.1.1.1" ­ set gateway-ip "<WAN2-GW>" ­ set interval 20 ­ set failtime 7 ­ set recoverytime 5 ­ set update-cascade-interface enable ­ set update-static-route enable ­ set status enable ­ end

10 REPLIES 10
Toshi_Esumi
Esteemed Contributor III

It's not because how you set up the failover but becuase how you set up the route to the destination (default route) through wan1 and wan2, and also because the voip has consistent traffic with the server like keepalive even when the phones are idle after registration.

 

Do you have two default routes in the routing-table when both are up? Then you might want to stop its injection by both circuits (set defaultgw disable) and put two static default-routes in with different distances to have only the main default-route toward wan1 is in the routing table when wan1 is up.

bunger

toshiesumi wrote:

Do you have two default routes in the routing-table when both are up? Then you might want to stop its injection by both circuits (set defaultgw disable) and put two static default-routes in with different distances to have only the main default-route toward wan1 is in the routing table when wan1 is up.

I do have 2 default routes:

  dest:  0.0.0.0    gw:  <wan1-gw>  distance:  10    Priority:  0

  dest:  0.0.0.0    gw:  <wan2-gw>  distance:  10    priority:  10

 

I am not sure the routes are the issue?  when wan1 comes back online, all data properly reverts back through that connection... but bc the VOIP connections basically always stay on, the only way to get them to fail back to wan1 is to literally unplug or disable wan2.

 

What can I add to my config to forcibly drop those VOIP connections when wan1 comes back online? ( and yes, i know it would drop any existing calls )

Toshi_Esumi
Esteemed Contributor III

That's the design of priority. After wan1 comes back up, when the server side of voip sends something toward the phones to verify if they're still alive with the wan2 public IP, the FGT routes the response from the phones toward wan2 since the route is still there with lower priority. You can't practically stop anything what the server side do. If you sniff voip traffic toward the phones while they're idle you can understand how the sessions are kept up all the time.

ede_pfau
Esteemed Contributor III

Isn't there a setting in 'system link-monitor' to drop the link status of a monitored or other interface in case of failover? Anybody with a CLI reference?


Ede

"Kernel panic: Aiee, killing interrupt handler!"
bunger

toshiesumi wrote:

That's the design of priority. After wan1 comes back up, when the server side of voip sends something toward the phones to verify if they're still alive with the wan2 public IP, the FGT routes the response from the phones toward wan2 since the route is still there with lower priority. You can't practically stop anything what the server side do. If you sniff voip traffic toward the phones while they're idle you can understand how the sessions are kept up all the time.

 

So how do I drop them and force them over?  Or are you saying that it isn't possible for any VOIP traffic to every fail back, which seems hard to believe...

bunger
New Contributor

What about something like this?

 

config system global      set snat-route-change enable    end

ede_pfau
Esteemed Contributor III

I think this is what you need: pull wanX down if wanX fails the ping server test.

Look at this KB article: https://kb.fortinet.com/k....do?externalID=FD44679


Ede

"Kernel panic: Aiee, killing interrupt handler!"
bunger

ede_pfau wrote:

I think this is what you need: pull wanX down if wanX fails the ping server test.

Look at this KB article: https://kb.fortinet.com/k....do?externalID=FD44679

The rub is that when wan1 comes back online, neither ping test will fail.... so I won't have any criteria to bring wan2 down....

cardine
New Contributor II

Bunger, did you ever get a solution to this problem, i'm also having the same issue of one-way audio on failback (when the down link comes back into service) other than resetting the phone or manually clearing the sessions i can't find anything that would help