sean3
New Contributor III

how to correctly use prefer passive or passive probe in SD-WAN

greetings all,

we have a performance SLA with an active probe based on Ping, but Ping packets get lost intermittently along the path.

So, we want to use a passive or Prefer Passive probe method with TCP Connect to the production service as the protocol, to see if Ping packet loss comes together with TCP connect errors. In short, we want to compare the two probing methods to figure it out.

I just configured the performance SLA, but it is not used by any SD-WAN rule, as we do not want an unverified performance SLA to risk our production.

And I got the performance as below; test_for_Prefer_passive_probe is the one, and it shows me packet loss forever (see the picture below). I completely doubt the packet loss is reflecting the truth, as we do not have any reported issue from the production line.

So, can any friend let me know how the packet loss is calculated in such a scenario, and what is the recommended way to configure a prefer passive probe SLA monitor?

Yes, we've enabled passive-wan-health-measurement on the firewall policy which allows the traffic to the target server.

[image: Prefer Passive 20241106-mask.png]

Hemin88
New Contributor III

Hi @sean3 

This is what we did in our environment

FW01 # config system sdwan
FW01 (sdwan) # config health-check
FW01 (health-check) # edit "Default_AWS"
FW01 (Default_AWS) # show
config health-check
    edit "Default_AWS"
        set server "aws.amazon.com"
        set protocol http
        set interval 1000
        set probe-timeout 1000
        set recoverytime 10
        set members 1
        config sla
            edit 1
                set latency-threshold 250
                set jitter-threshold 50
                set packetloss-threshold 5
            next
        end
    next
end

Note we used a trusted website like aws.amazon.com, to ensure the keepalive messages will continuously work fine.

IP Network Engineer
sean3
New Contributor III

thanks Hemin88,

I see the probe-timeout 1000, latency-threshold 250.

probe-timeout basically means the round-trip time (RTT), right? (I see it from here.) Latency is basically the time for a packet being sent from source to destination; it is the time spent just for one way. So, you think probe-timeout should be configured at least twice as high as the latency?
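As an added example (not from this thread, and not Fortinet's code), a small Python model of how a health-check window turns probe replies into latency, jitter and packet-loss figures and compares them with the thresholds in Hemin88's config; it also shows why a probe-timeout has to cover the full round trip, which bears on sean3's question above. The window size, the jitter formula and the prefer-passive fallback are assumptions made for illustration, not FortiOS internals.

```python
from statistics import mean
from typing import Optional, Sequence

# Thresholds and timeout taken from the health-check shown in the thread.
PROBE_TIMEOUT_MS = 1000
LATENCY_MAX_MS = 250
JITTER_MAX_MS = 50
LOSS_MAX_PCT = 5.0

def evaluate_window(rtts_ms: Sequence[Optional[float]]) -> dict:
    """Turn one window of probe results into SLA metrics (simplified model).

    rtts_ms holds one entry per probe: the round-trip time in ms, or None when
    no reply came back. A reply slower than PROBE_TIMEOUT_MS is treated as lost
    too, which is why the timeout must exceed the expected round trip (roughly
    twice the one-way latency), not the one-way latency itself.
    """
    answered = [r for r in rtts_ms if r is not None and r <= PROBE_TIMEOUT_MS]
    lost = len(rtts_ms) - len(answered)
    loss_pct = 100.0 * lost / len(rtts_ms) if rtts_ms else 0.0
    latency = mean(answered) if answered else float("inf")
    # Jitter modelled (assumption) as the mean absolute change between
    # consecutive answered probes.
    jitter = (mean(abs(a - b) for a, b in zip(answered, answered[1:]))
              if len(answered) > 1 else 0.0)
    return {
        "latency_ms": latency,
        "jitter_ms": jitter,
        "loss_pct": loss_pct,
        "sla_met": (latency <= LATENCY_MAX_MS and jitter <= JITTER_MAX_MS
                    and loss_pct <= LOSS_MAX_PCT),
    }

def prefer_passive(passive: Sequence[Optional[float]],
                   active: Sequence[Optional[float]]) -> Sequence[Optional[float]]:
    """'Prefer passive' as this example models it: use measurements taken from
    real user sessions when the interval had any, otherwise fall back to the
    active probes. With no matching production traffic only active results
    exist, so an always-failing active probe shows up as constant loss."""
    return passive if passive else active

if __name__ == "__main__":
    # Constructed sample windows of ten probes each (not real measurements).
    healthy = [40.0, 44.0, 41.0, 43.0, 42.0, 40.0, 44.0, 41.0, 43.0, 42.0]
    one_lost = healthy[:2] + [None] + healthy[3:]
    one_slow = healthy[:1] + [1200.0] + healthy[2:]   # reply after the timeout
    for name, window in [("healthy", healthy), ("one_lost", one_lost),
                         ("one_slow", one_slow)]:
        print(name, evaluate_window(prefer_passive([], window)))
```

With a packetloss-threshold of 5 and a window of ten probes, a single lost or late reply already pushes the window over the threshold, so a probe that times out every few seconds reads as permanent loss.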
