Not applicable

static route 2nd wan missing

I have 2 internet lines (2x 16 MBit) on my FortiGate FGT80C with v4.0,build0279,100519 (MR2 Patch 1). There are 270 internal users; they should benefit from having 2 lines available. Load balancing should solve this. Here the routing table:

FGTKolping (static) # show
config router static
    edit 1
        set device "wan1"
        set gateway 188.20.116.xx
        set weight 50
    next
    edit 2
        set device "wan2"
        set gateway 178.188.17.xx
        set weight 50
    next
end

So far so good. Now the problem:

FGTKolping # get router info routing-table all
S*      0.0.0.0/0 [10/0] via 188.20.116.xx, wan1, [0/50]
C       10.2.0.0/16 is directly connected, internal1
C       172.16.0.0/24 is directly connected, internal2
C       178.188.18.xx/30 is directly connected, wan2
C       188.20.116.xx/30 is directly connected, wan1

To my understanding there should be WAN2 next to the S* entry for static, like in the FortiGate document:

FGT1 # get router info routing-table all
S*      0.0.0.0/0 [10/0] via 192.168.2.2, port1
                  [10/0] via 192.168.3.2, port2
                  [10/0] via 192.168.4.2, port3
C       192.168.1.0/24 is directly connected, internal
C       192.168.2.0/24 is directly connected, port1
C       192.168.3.0/24 is directly connected, port2
C       192.168.4.0/24 is directly connected, port3

So, what am I missing? How to fix?
thx
Gerhard
7 REPLIES
ede_pfau
SuperUser

Hi, and welcome to the forums! At first glance you should have 2 default routes. I see the public network mask is very, very narrow, so you have to be careful here. Assume your wan2 network is 178.188.17.0/30; then:

.0 is network (unusable)
.1 is your side (wan2 interface IP)
.2 is ISP side (your gateway)
.3 is broadcast (unusable)

Please compare to your real IPs and make sure the ISP has one of the "middle" IPs on his side, and you use the other. Secondly, you should set up a ping server target on each wan interface. This way, the FG will dynamically add and delete the associated default route if the ping target is reachable / unavailable. As described in the Knowledgebase (search for "ECMP") you should not use the next hop, and definitely not use the same target on both lines. I did that once until the target server was taken down for maintenance, killing both default routes at the same time...

Ede


"Kernel panic: Aiee, killing interrupt handler!"
Not applicable

Hi Ede, well, yes, I SHOULD have two default routes, but it looks like one is missing, isn't it? The IP addresses of the ISP are ok; the gateway is always my IP address minus 1 (e.g. my IP is x.x.x.88 and the gateway is x.x.x.87). I can ping the gateway from the FortiGate, so the subnet mask is fine. What is the purpose of the ping server? I'm NOT after redundancy, I want to use BOTH ISP lines with their full bandwidth. The maximum we get is 16 MBit, so I'm pooling both lines (to get a pooled bandwidth of 32 MBit).
Kind regards
Gerhard
ede_pfau
SuperUser

ad 1. ping server: You set up the ping surveillance to have the route deleted in case the ISP is down. That's more often than expected. As soon as the ping target doesn't answer anymore the route is deleted from the routing table; no more packets will be sent to this gateway. If you don't use 'dead gateway detection' this traffic will go to Nirvana. So, yes, part of having 2 ISPs is enhanced redundancy.

Second part is more bandwidth. As has been discussed here many times, your users will not gain a higher bandwidth. A single user (single source IP to be precise) will experience 16 Mbps, but the whole company will have twice this bandwidth if added all together. A session has to stay with one gateway, and the FG will take care of that. Otherwise, how would the return traffic find its way back?

All of this won't explain the missing 2nd default route. I assume both wan lines are up, and you can use both to ping targets on the internet. My preference for this is the official time server in Braunschweig, Germany, 192.53.103.104. It tends to be up 99.9999% of the time (as this IP probably is virtualized). If you use a host from both LANs, can you reach this target from both at the same time? Then there must be 2 default routes active. If one is missing, hosts on this LAN cannot reach the internet. So let's see what you find.

Ede


Not applicable

Actually the part with the ISP being down: well heck, I don't care. If it's down, then it's down, and the users can't use the internet. We can live with that; those users are students and 90% of the download is porn anyhow. BUT what I need is more total bandwidth. With 270 users nobody ever gets the whole bandwidth (it's restricted by policy to a max of 2 MBit anyway). I just want the usage to get distributed over both lines. I understand that one session will always stick to one WAN/ISP, but yes, that's how it should be. In the previous firmware this was very simple: you just enabled load balancing and chose the load balancing algorithm and it worked. Since the upgrade to 4MR2 the second line is down, because the load balancing is not working (and the few students who are actually trying to do some work are blocked by the downloaders....)

So, back to the problem: yes, both wan lines are up. You wrote "If you use a host from both LANs"... well, I have only one LAN. There is one LAN and two WAN (ISP) lines. I have just configured some of the free LAN ports for local access to the firewall; if the student LAN is down (or the firewall) I can plug in with my laptop on one of the "service" ports. Should I split my LAN somehow? Where should I investigate? What should I do next?
Thanks
Gerhard
ede_pfau
SuperUser

You will have to do some scrutinizing. ECMP is so simple it's hard to set up incorrectly. In the past I once was in a similar situation where I defined a route that just wasn't followed. Only after deleting it and re-entering it, it worked. It never failed again. What I would do is:

- delete the working default route
- one (mute) default route remains: do you still have traffic?
- delete the second route as well -> no traffic at all
- re-enter the second (now mute) def. route; test
- re-enter the first def. route; inspect the routing table and test

There is a difference between "get router info routing all" and "diag ip route list"; this is mentioned in a KB article. The first is the definitions, the second the active routing table.

Ede


Not applicable

Success! After deleting and recreating the (existing) static route for WAN2 the assumed 2nd static route finally popped up. The policies for WAN2 were already created. I kicked all users (otherwise nothing would happen) and they started to reconnect, some of them on WAN1, some of them on WAN2. Load balancing works again. thx for your support. The routing table now looks like it should:

FGTKolping # get router info routing-table all
S*      0.0.0.0/0 [10/0] via 178.188.18.xx, wan2, [0/50]
                  [10/0] via 188.20.116.xx, wan1, [0/50]
C       10.2.0.0/16 is directly connected, internal1
C       172.16.0.0/24 is directly connected, internal2
C       178.188.18.xx/30 is directly connected, wan2
C       188.20.116.xx/30 is directly connected, wan1

br
Gerhard
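A check for exactly the situation in this thread, as an added example (not code from the thread, its posters or Fortinet): it parses pasted "show router static" and "get router info routing-table all" output and reports every configured default route that is missing from the active table or whose gateway is not a usable host of the connected /30 (Ede's .0/.3 point). It assumes the config lists "set device" before "set gateway", as in Gerhard's paste, and only tracks next hops of 0.0.0.0/0; the samples are constructed with RFC 5737 documentation addresses.

```python
import ipaddress, re

# Constructed samples modelled on the thread's output (RFC 5737 addresses, not the poster's real ones).
STATIC_CONFIG = """\
config router static
    edit 1
        set device "wan1"
        set gateway 203.0.113.6
    next
    edit 2
        set device "wan2"
        set gateway 198.51.100.10
    next
end
"""
ROUTING_TABLE = """\
S*      0.0.0.0/0 [10/0] via 203.0.113.6, wan1, [0/50]
C       198.51.100.8/30 is directly connected, wan2
C       203.0.113.4/30 is directly connected, wan1
"""

def parse_static_routes(config):
    """Return {device: gateway} from 'show router static' (device listed before gateway)."""
    return dict(re.findall(r'set device "?\s*(\w+)"?\s*set gateway (\S+)', config))

def parse_routing_table(output):
    """Return ({device: gateway} for the 0.0.0.0/0 next hops, {device: connected network})."""
    default, connected, prefix = {}, {}, None
    for line in output.splitlines():
        head = re.match(r"\S+\s+(\S+/\d+)", line)  # a route-code line starts a new prefix
        if head:
            prefix = head.group(1)
        via = re.search(r"via (\S+), (\w+)", line)  # next hop, possibly on a continuation line
        if via and prefix == "0.0.0.0/0":
            default[via.group(2)] = via.group(1)
        conn = re.search(r"(\S+/\d+) is directly connected, (\w+)", line)
        if conn:
            connected[conn.group(2)] = ipaddress.ip_network(conn.group(1), strict=False)
    return default, connected

def check_ecmp(config, output):
    """List each configured default route whose gateway is unusable or not in the active table."""
    active, connected = parse_routing_table(output)
    findings = []
    for dev, gw in parse_static_routes(config).items():
        net = connected.get(dev)
        if net is not None and ipaddress.ip_address(gw) not in net.hosts():  # /30: .0 and .3 unusable
            findings.append(f"{dev}: gateway {gw} is not a usable host in {net}")
        if dev not in active:
            findings.append(f"{dev}: default route configured but absent from the routing table")
    return findings
```

Running check_ecmp on the samples reports wan2 as configured but absent, the same symptom the thread shows before the route was re-created.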
ede_pfau
SuperUser

Glad you finally made it. This one is a classic for the record: simple setup, everything configured by the book, but it fails. I made the suggestion of re-creating the route only because it has happened (once only) before, in 2005. Call it intuition.

Ede

