Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
sims
New Contributor III

link health monitor

Hi,

What is the logic behind using a server IP (behind or beyond the router)?

2 Solutions
ede_pfau
Esteemed Contributor III

A failover is - by default - triggered by a link failure. The monitored port needs to see a link-down.

But this is not what you see in practice.

Imagine you have 2 WAN lines, on 2 WAN ports. The FGT is connected to the WAN line via modem(s).

Now the link on the WAN port will be UP until the modem dies. Way more probable is that access to the internet via this WAN line will be broken, i.e. a logical link will fail.

To determine that a path through an interface, some hardware and your ISP's network is down, you set up a ping server to some host on the internet which is (deemed) always up. If 5 consecutive pings to that server fail, the FGT fails that WAN port and deletes its default route. Hopefully you have a second WAN line with a second (more costly) default route which will then be followed.


Ede

"Kernel panic: Aiee, killing interrupt handler!"

Grave_Rose
New Contributor III

Hey sims,

I would suggest pinging a device beyond the gateway to ensure that you have connectivity beyond just the one hop. Let's pretend that your WAN links are connected to two different Cisco routers, each on gig1/1. If you only ping the IP address on the directly connected network (i.e. the IP address of gig1/1) and the router's upstream interface (i.e. interface gig1/2) goes down, your WAN link will still stay up but no traffic will pass through that router. You have now lost Internet access.

However, if you're pinging something like 8.8.8.8 and gig1/2 goes down on the WAN1 link router, then it will fail over to WAN2. This is what ede_pfau was saying with: "Way more probable is that access to the internet via this WAN line will be broken, i.e. a logical link will fail."

Hope this helps,

Sean (Gr@ve_Rose)


Site: https://tcpdump101.com Twitter: https://twitter.com/Grave_Rose Reddit: https://reddit.com/r/tcpdump101 Discord: https://discordapp.com/invite/2MZCqn6
3 REPLIES
sims
New Contributor III

Hi,

Instead of pinging the server, why should we not ping the gateway?
