Hello,
it's my first post.
We have implemented WAN redundancy with our Fortigate 60E.
The primary ISP is fiber and the secondary is LTE.
All traffic should go through the WAN1 interface.
In general, failover works from WAN1 to WAN2 or WAN2 to WAN1.
Now I have observed something strange:
In Germany, an automatic reconnect is performed every 24 hours. Unfortunately, this cannot be avoided.
If the reconnect takes place or I perform it manually, then WAN1 is unreachable for max. 3 seconds. After 3 seconds, it runs again and is stable.
After 15 minutes, the failover to WAN2 is done and the traffic goes over it. (WAN1 works 100%) Then after 3 minutes, it switches back to WAN1.
If I disable WAN2 before I perform a manual reconnect, then the above behavior does not happen.
BUT:
If I activate WAN2 after 20 minutes, then it takes a few minutes and it will again fail over to WAN2. After 3 minutes back to WAN1.
My link monitor has the values failtime 15 minutes and recoverytime 3 minutes, but the question is:
Why is the failover performed when WAN1 is gone for only 3 seconds after a reconnect and is then permanently stable?
Is my link monitor configured correctly?
config system link-monitor
    edit "Check"
        set srcintf "wan1"
        set server "8.8.8.8"
        set interval 60
        set failtime 15
        set recoverytime 3
        set update-cascade-interface disable
    next
end
Regards
Gipsy
I suspect the route is updating.
Set failtime is only available 1-10 I thought. Change to 10.
set update-static-route disable
I didn't set anything for failtime, only interval and mine works as expected.
Hello BryanS,
thanks for your quick reply.
If I didn't set failtime and I have an interval of 60, then the failover to WAN2 will be performed if WAN1 is down "since 60 seconds". Right?
If I disable the option "update-static-route", then I must create two static routes for wan1 and wan2 (0.0.0.0), correct?
Or is the option working with the setting that I have now (without static routes for 0.0.0.0)?
Regards
Gipsy
If you don't have static routes and don't (nothing to be removed) let link-monitor remove them, I don't think link-monitor has any active role in failing over. It wouldn't shut down wan1 even if pinging fails because otherwise it can't detect the circuit's recovery.
I would observe those two default routes in the routing table while they're transitioning to understand how they're failing over and failing back. But it's better to override them with two static default routes with proper distances/priorities (you can disable taking a default route via DHCP/PPPoE), and control the fail-over with link-monitor.
By the way, the answer to your first question is below. The default value is 5.
xxx-fg1 (NAME1) # set failtime ?
failtime    Enter an integer value from <1> to <10> (default = <5>).
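An added example, not part of the thread and not FortiOS code: a simplified Python model of the counters in the posted config, assuming failtime and recoverytime count consecutive lost and answered probes sent every interval seconds. The outage timelines are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class LinkMonitor:
    """Simplified model (assumption): one probe every `interval` seconds;
    `failtime` consecutive lost probes mark the link down, `recoverytime`
    consecutive answered probes mark it up again."""
    interval: int
    failtime: int
    recoverytime: int

    def replay(self, outages, duration):
        """Replay probes over constructed outage windows [(start, end), ...]
        in seconds; return the list of (time, new_state) changes."""
        state, lost, answered, events = "up", 0, 0, []
        for t in range(0, duration + 1, self.interval):
            if any(start <= t < end for start, end in outages):
                lost, answered = lost + 1, 0
            else:
                lost, answered = 0, answered + 1
            if state == "up" and lost >= self.failtime:
                state = "down"
                events.append((t, state))
            elif state == "down" and answered >= self.recoverytime:
                state = "up"
                events.append((t, state))
        return events

# Values from the posted config: interval 60, failtime 15, recoverytime 3.
MONITOR = LinkMonitor(interval=60, failtime=15, recoverytime=3)

# Constructed timelines (seconds), not captured from a real device.
BLIP = [(120, 123)]          # 3-second reconnect that happens to hit one probe
SUSTAINED = [(120, 1020)]    # probes go unanswered for 15 minutes

if __name__ == "__main__":
    print("3 s blip          :", MONITOR.replay(BLIP, 3600))
    print("15 min of loss    :", MONITOR.replay(SUSTAINED, 3600))
    print("default failtime 5:", LinkMonitor(60, 5, 3).replay(SUSTAINED, 3600))
```

Under this model a 3-second gap costs at most one probe, so a failover 15 minutes after the reconnect corresponds to 15 consecutive unanswered probes, followed by 3 answered ones for the switch back.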