Remote link failover

Remote link failover (also called remote IP monitoring) is similar to HA port monitoring and link health monitoring (also known as dead gateway detection). Port monitoring causes a cluster to fail over if a monitored primary unit interface fails or is disconnected. Remote IP monitoring uses link health monitors configured for FortiGate interfaces on the primary unit to test connectivity with the IP addresses of network devices. Usually these would be the IP addresses of network devices not directly connected to the cluster, for example a downstream router. Remote IP monitoring causes a failover if one or more of these remote IP addresses does not respond to link health checking.

By being able to detect failures in network equipment not directly connected to the cluster, remote IP monitoring can be useful in a number of ways depending on your network configuration. For example, in a full mesh HA configuration, with remote IP monitoring, the cluster can detect failures in network equipment that is not directly connected to the cluster but that would interrupt traffic processed by the cluster if the equipment failed.

Figure: Example HA remote IP monitoring topology

In the simplified example topology shown above, the switch connected directly to the primary unit is operating normally but the link on the other side of the switches fails. As a result, traffic can no longer flow between the primary unit and the Internet.

To detect this failure you can create a link health monitor for port2 that causes the primary unit to test connectivity to 192.168.20.20. If the health monitor cannot connect to 192.168.20.20, the cluster fails over and the subordinate unit becomes the new primary unit. After the failover, the link health monitor on the new primary unit can connect to 192.168.20.20, so the failover maintains connectivity between the internal network and the Internet through the cluster.

To configure remote IP monitoring

1. Enter the following commands to configure HA remote monitoring for the example topology.

  • Enter the pingserver-monitor-interface keyword to enable HA remote IP monitoring on port2.
  • Leave the pingserver-failover-threshold set to the default value of 5. This means a failover occurs if the link health monitor doesn’t get a response after 5 attempts.
  • Enter the pingserver-flip-timeout keyword to set the flip timeout to 120 minutes. After a failover, if HA remote IP monitoring on the new primary unit also causes a failover, the flip timeout prevents the failover from occurring until the timer runs out. Setting the pingserver-flip-timeout to 120 means that remote IP monitoring can only cause a failover every 120 minutes. This flip timeout is required to prevent repeating failovers if remote IP monitoring causes a failover from all cluster units because none of the cluster units can connect to the monitored IP addresses.

config system ha
    set pingserver-monitor-interface port2
    set pingserver-failover-threshold 5
    set pingserver-flip-timeout 120
end

2. Enter the following commands to add a link health monitor for the port2 interface and to set the HA remote IP monitoring priority for this link health monitor.

  • Enter the detectserver keyword to set the health monitor server IP address to 192.168.20.20.
  • Leave the ha-priority keyword set to the default value of 1. You only need to change this priority if you change the HA pingserver-failover-threshold.

The ha-priority setting is not synchronized among cluster units. So if you want to change the ha-priority setting you must change it separately on each cluster unit. Otherwise it will remain set to the default value of 1.

  • Use the interval keyword to set the time between link health checks and use the failtime keyword to set the number of times that a health check can fail before a failure is detected (the failover threshold). The following example reduces the failover threshold to 2 but keeps the health check interval at the default value of 5.

config system link-monitor
    edit ha-link-monitor
        set server 192.168.20.20
        set srcintf port2
        set ha-priority 1
        set interval 5
        set failtime 2
    next
end
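To see how the two settings above interact, here is a simplified Python model of the link monitor's failtime and the HA flip timeout, added as an illustration of this page's example and not FortiOS code; the unit names, the reach() reachability oracle and both scenarios are constructed, and the model deliberately ignores ha-priority aggregation.

```python
from dataclasses import dataclass

@dataclass
class LinkMonitor:
    # Simplified model (added example, not FortiOS code): the monitor reports
    # the link down after `failtime` consecutive failed probes.
    failtime: int
    misses: int = 0
    down: bool = False

    def probe(self, reachable: bool) -> None:
        if reachable:
            self.misses, self.down = 0, False
        else:
            self.misses += 1
            self.down = self.misses >= self.failtime

def simulate(reach, flip_timeout_min, failtime=2, interval=5, duration_s=600):
    """Probe 192.168.20.20 from both units' port2 monitors every `interval`
    seconds, using reach(unit, t) as a constructed reachability oracle.
    Returns (final primary, [(t, old_primary, new_primary), ...])."""
    units = ["unit-A", "unit-B"]
    monitors = {u: LinkMonitor(failtime) for u in units}
    primary, last_failover, failovers = "unit-A", None, []
    for t in range(0, duration_s + 1, interval):
        for u in units:
            monitors[u].probe(reach(u, t))
        if not monitors[primary].down:
            continue
        # Only the primary's monitor triggers a failover, and the flip timeout
        # blocks a further failover until the timer has run out.
        if last_failover is not None and t - last_failover < flip_timeout_min * 60:
            continue
        new_primary = units[1 - units.index(primary)]
        failovers.append((t, primary, new_primary))
        primary, last_failover = new_primary, t
    return primary, failovers

def link_behind_unit_a_fails(unit, t):
    # Constructed scenario from the topology above: the uplink behind unit-A's
    # switch fails at t=10 s, while unit-B can still reach 192.168.20.20.
    return not (unit == "unit-A" and t >= 10)

def monitored_router_down(unit, t):
    # Constructed scenario: 192.168.20.20 is unreachable from every unit, so
    # remote IP monitoring alone can never find a "good" primary.
    return False
```

With the flip timeout set to 120 minutes the second scenario produces a single failover and then holds; with it set to 0 the same scenario fails over on every probe round, which is the repeating-failover behaviour the timeout exists to prevent.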

This entry was posted in FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP, has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge, resulting in the wrong hardware or configuration being deployed, is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. He owns PacketLlama.Com (Fortinet hardware sales) and Office Of The CISO, LLC (cybersecurity consulting firm).

5 thoughts on “Remote link failover”

  Mike (Post author):

    You can configure link monitor on local connected interfaces. For instance, the wan ports are connected interfaces. You configure link monitor to monitor the wan port by pinging 8.8.8.8 or something of the sort and from there it removes the static route if necessary (and configured to do so).

  Joe:

    Hi Mike! I like your post, but I miss the Forti version you are talking about. In my case, I'd like to do WAN/ISP failover and I find contradictory messages. What's the difference between “link-monitor” and “health-check”?
    I was advised to configure “link-monitor” in the past, but now I find that official documentation talks about “health-check”:
    http://cookbook.fortinet.com/redundant-internet-connections-54/

    My aim is to remove all the static routes associated with the WAN interface from the route table when ping to 8.8.8.8 fails… including the VPN static routes, something that I'm afraid is not happening with link-monitor.

    Thanks in advance!

    Mike (Post author):

      Any version running 5.4.0 or newer will reference it as a link monitor. “Config system link-monitor” to be exact to hit the right spot. Let me know if you have any other questions!

      Joe:

        Thanks! Good to know (although that link is for 5.4 supposedly). At least I don't have to change my current configurations, as I've used “link-monitor”. The other issue I'm having is that “link-monitor” for WAN interface does not remove the VPN static route of the VPNs associated to that WAN interface even though Fortinet support told me it would. I'm asking them how to achieve that, as I would like to have a good VPN failover config (and I'm afraid that the default DPD behavior does not help at all).