By Manny Fernandez
May 22, 2024
FortiOS Link-Monitor Gotcha
When using link-monitor on FortiGate, there is a gotcha you may run into. Link-monitor lets you probe a target with ping by default (although you can use any of these: ping, tcp-echo, udp-echo, http or twamp). The FortiGate probes the server from the defined source interface, and you can define how many lost probes within a given window count as down and how many successful probes count as up. Let's discuss it.
The FortiGate on the left is front-ending the 10.2.0.0/16 network. It has a static route to 10.200.0.0/16 via the router connected to the FortiGate on the right. We want to track 10.200.0.40, which is a server in the datacenter. If the track fails, we want to remove that route from the RIB.

We set up a link monitor on the left FortiGate to ping 10.200.0.40 from the 10.255.254.1 IP address (port1). We want to update the routing table if it fails.

Requirements

We need to continue to ping 10.1.0.0/16 from 10.2.0.0/16 and vice versa regardless of the track.
config system link-monitor
edit "SLA1"
set srcintf "port1"
set server "10.200.0.40"
set source-ip 10.255.254.1
next
end
So the above link monitor will give us the outcome we are looking for, except for the requirement. In FortiOS, if an interface participates in a link-monitor and that link-monitor fails, the interface is treated as down and all static routes associated with it are removed from the RIB. So in the scenario above, we would lose all routes to 10.1.0.0/16, which is reached across the 10.255.254.0/30 subnet (WAN).
Thankfully, there is a way to satisfy the requirement while still tracking the remote IP address to ensure reachability.
config system link-monitor
edit "SLA1"
set srcintf "port1"
set server "10.200.0.40"
set route "10.200.0.0/16"
set source-ip 10.255.254.1
next
end
In the modified link-monitor above, there is one additional line: set route "10.200.0.0/16". This tells the FortiGate that if the ping to the tracked server is lost, it should remove only the route specified on this line, rather than every static route on port1.
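As an added example (not from the post and not Fortinet code), here is a small Python lint that parses link-monitor blocks out of a FortiOS CLI config and flags entries that lack a set route line, which is the condition under which a failed probe withdraws every static route on the source interface. The parser, the LinkMonitor and Finding classes and the lint function are this example's own design; the two sample configs are the ones shown in the post.

```python
"""Lint FortiOS 'config system link-monitor' blocks for the missing-'set route' gotcha.

Example code written for this post; the parser and the LinkMonitor/Finding
structures are this example's own design, not part of FortiOS.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LinkMonitor:
    """One 'edit "<name>"' entry under config system link-monitor."""
    name: str
    srcintf: Optional[str] = None
    servers: list[str] = field(default_factory=list)
    source_ip: Optional[str] = None
    routes: list[str] = field(default_factory=list)


@dataclass
class Finding:
    monitor: str
    severity: str  # "warn" (all routes on srcintf at risk) or "info"
    message: str


def parse_link_monitors(config_text: str) -> list[LinkMonitor]:
    """Extract link-monitor entries; every other config section is ignored."""
    monitors: list[LinkMonitor] = []
    in_section = False
    current: Optional[LinkMonitor] = None
    for raw in config_text.splitlines():
        tokens = shlex.split(raw.strip())  # handles quoted values such as "SLA1"
        if not tokens:
            continue
        if tokens[:3] == ["config", "system", "link-monitor"]:
            in_section = True
            continue
        if not in_section:
            continue
        if tokens == ["end"]:
            in_section = False
        elif tokens[0] == "edit" and len(tokens) == 2:
            current = LinkMonitor(name=tokens[1])
        elif tokens == ["next"] and current is not None:
            monitors.append(current)
            current = None
        elif tokens[0] == "set" and len(tokens) >= 3 and current is not None:
            key, values = tokens[1], tokens[2:]
            if key == "srcintf":
                current.srcintf = values[0]
            elif key == "server":
                current.servers = values  # keep every value given on the line
            elif key == "source-ip":
                current.source_ip = values[0]
            elif key == "route":
                current.routes = values  # keep every prefix given on the line
    return monitors


def lint(monitors: list[LinkMonitor]) -> list[Finding]:
    """Warn on monitors whose failure would withdraw all static routes on srcintf."""
    findings: list[Finding] = []
    for m in monitors:
        servers = ", ".join(m.servers) or "<no server>"
        intf = m.srcintf or "<no srcintf>"
        if not m.routes:
            findings.append(Finding(m.name, "warn",
                f"no 'set route': if probes to {servers} fail, {intf} is treated as "
                f"down and all of its static routes are removed from the RIB"))
        else:
            findings.append(Finding(m.name, "info",
                f"failure removes only {', '.join(m.routes)}; other routes via {intf} stay"))
    return findings


# Constructed samples: the two link-monitor variants from the post.
CONFIG_WITHOUT_ROUTE = """
config system link-monitor
    edit "SLA1"
        set srcintf "port1"
        set server "10.200.0.40"
        set source-ip 10.255.254.1
    next
end
"""

CONFIG_WITH_ROUTE = """
config system link-monitor
    edit "SLA1"
        set srcintf "port1"
        set server "10.200.0.40"
        set route "10.200.0.0/16"
        set source-ip 10.255.254.1
    next
end
"""

if __name__ == "__main__":
    for text in (CONFIG_WITHOUT_ROUTE, CONFIG_WITH_ROUTE):
        for f in lint(parse_link_monitors(text)):
            print(f"[{f.severity}] {f.monitor}: {f.message}")
```

Feed it the output of a full configuration backup and it will report each link-monitor entry once, so a monitor that silently turns a WAN interface into a single point of failure for unrelated routes shows up as a warn line.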
I hope this helps you out of a bind. It did me.