alif, Staff
Article Id 197504

Description


This article describes link health monitoring which measures the health of links by sending probing signals to a server and measuring the link quality based on latency, jitter, and packet loss.

Solution


Link-monitor can be configured for status checks.
There is no option to configure link-monitor from the GUI; it can be configured from the CLI only.


config system link-monitor
    edit "1"
        set addr-mode <ipv4 | ipv6>
        set srcintf "Interface that receives the traffic to be monitored"
        set server "IP address of the server(s) to be monitored"
        set protocol <ping | tcp-echo | udp-echo | http | twamp>
        set gateway-ip <Gateway IP address used to probe the server>
        set source-ip "Source IP address used in packets sent to the server"
        set interval "Detection interval in milliseconds (500 - 3600 * 1000 msec, default = 500)"
        set probe-timeout "Time to wait before a probe packet is considered lost (500 - 5000 msec, default = 500)"
        set failtime "Number of retry attempts before the server is considered down (1 - 10, default = 5)"
        set recoverytime "Number of successful responses received before the server is considered recovered (1 - 3600, default = 5)"
        set probe-count "Number of most recent probes used to calculate latency and jitter (5 - 30, default = 30)"
        set ha-priority "HA election priority (1 - 50)"
        set update-cascade-interface "Enable/disable updating the cascade interface (default = enable)"  *
        set update-static-route "Enable/disable updating the static route (default = enable)"  **
        set status "Enable/disable this link monitor (default = enable)"
    next
end

* / ** It is advised to keep update-cascade-interface and update-static-route disabled, as enabling them can bring the production environment down. Make sure the monitor works as expected before enabling either option.


Consider a simple setup where FortiGate is probing the server 10.109.21.50 via the wan1 interface.

 

config system link-monitor
    edit "1"
        set srcintf "wan1"
        set server "10.109.21.50" <- The server that is probed via the wan1 interface.
    next
end

 

As can be seen in the output below, the status is alive, which means FortiGate can reach the server with IP address 10.109.21.50.

 

FGT # diagnose sys link-monitor status
Link Monitor: 1, Status: alive, Server num(1), Flags=0x1 init, Create time: Sun Jul  4 16:20:25 2021
Source interface: wan1 (3)
Interval: 500 ms
  Peer: 10.109.21.50(10.109.21.50)
        Source IP(10.109.16.223)
        Route: 10.109.16.223->10.109.21.50/32, gwy(10.109.16.223)
        protocol: ping, state: alive
                Latency(Min/Max/Avg): 0.211/0.585/0.362 ms
                Jitter(Min/Max/Avg): 0.006/0.298/0.098
                Packet lost: 0.000%
                Number of out-of-sequence packets: 0
                Fail Times(0/5)
                Packet sent: 1472, received: 1334, Sequence(sent/rcvd/exp): 1473/1473/1474

FGT # get router info routing-table all
Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 10.109.31.254, wan1
C       10.109.16.0/20 is directly connected, wan1

 

When WAN1 goes down or the ping server is not reachable, the default route is removed from the routing table.

 

FGT # diagnose sys link-monitor status
Link Monitor: 1, Status: die, Server num(1), Flags=0x9 init, Create time: Sun Jul  4 16:20:25 2021
Source interface: wan1 (3)
Interval: 500 ms
  Peer: 10.109.21.50(10.109.21.50)
        Source IP(10.109.16.223)
        Route: 10.109.16.223->10.109.21.50/32, gwy(10.109.16.223)
        protocol: ping, state: die
                Packet lost: 5.000%
                Number of out-of-sequence packets: 0
                Recovery times(0/5) Fail Times(1/5)
                Packet sent: 2128, received: 1983, Sequence(sent/rcvd/exp): 2129/2122/2123

 

As can be seen in the output below, the default route is removed from the routing table due to link monitor failure.

 

FGT # get router info routing-table all
Routing table for VRF=0
C       10.109.16.0/20 is directly connected, wan1

 

When the ping server is reachable again and the link monitor recovers, the default route is installed again.

Link-monitor removes only static and policy routes, not directly connected routes.
To prevent link-monitor from removing the default route, the following command can be used.

 

config router static
    edit "1"
        set link-monitor-exempt enable <- The default is 'disable'.
    next
end

 

Starting with FortiOS 7.0, an option was added to disable updating policy routes when the link health monitor fails:

 

config system link-monitor
    edit "1"
        set update-policy-route disable
    next
end

 

It is possible to add multiple servers to avoid false positives caused by monitoring a single IP address.

 

config system link-monitor
    edit "1"
        set server "8.8.8.8" "4.2.2.2" "8.8.4.4"
    next
end

 

When multiple probe servers are configured as above, reachability over the link is regarded as satisfactory as long as at least one probe server is in the 'alive' state.

 

The logs can be viewed on FortiGate under Log & Report -> Events -> System Events.

 
date=2021-07-04 time=16:22:06 eventtime=1625408526938249768 tz="+0200" logid="0100022922" type="event" subtype="system" level="notice" vd="root" logdesc="Link monitor status" name="1" interface="wan1" probeproto="ping" msg="Link Monitor changed state from die to alive, protocol: ping."

date=2021-07-04 time=16:21:41 eventtime=1625408501933624821 tz="+0200" logid="0100022922" type="event" subtype="system" level="warning" vd="root" logdesc="Link monitor status" name="1" interface="wan1" probeproto="ping" msg="Link Monitor changed state from alive to die, protocol: ping."

date=2021-07-04 time=16:20:25 eventtime=1625408425881086208 tz="+0200" logid="0100022922" type="event" subtype="system" level="notice" vd="root" logdesc="Link monitor status" name="1" interface="wan1" probeproto="ping" msg="Link Monitor initial state is alive, protocol: ping"
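The link-monitor events above are plain key=value FortiGate logs, so a SIEM or a small script can track the alive/die transitions and measure how long each outage lasted. The following is an added example, not part of the article or of FortiOS; it parses the three sample events (embedded as constructed input) and pairs each 'die' event with the following 'alive' event for the same monitor, using the nanosecond eventtime field to compute the outage duration.

```python
import re

# Constructed sample input: the three "Link monitor status" events
# (logid 0100022922) quoted in the article above, oldest first.
SAMPLE_LOGS = """\
date=2021-07-04 time=16:20:25 eventtime=1625408425881086208 tz="+0200" logid="0100022922" type="event" subtype="system" level="notice" vd="root" logdesc="Link monitor status" name="1" interface="wan1" probeproto="ping" msg="Link Monitor initial state is alive, protocol: ping"
date=2021-07-04 time=16:21:41 eventtime=1625408501933624821 tz="+0200" logid="0100022922" type="event" subtype="system" level="warning" vd="root" logdesc="Link monitor status" name="1" interface="wan1" probeproto="ping" msg="Link Monitor changed state from alive to die, protocol: ping."
date=2021-07-04 time=16:22:06 eventtime=1625408526938249768 tz="+0200" logid="0100022922" type="event" subtype="system" level="notice" vd="root" logdesc="Link monitor status" name="1" interface="wan1" probeproto="ping" msg="Link Monitor changed state from die to alive, protocol: ping."
"""

LINK_MONITOR_LOGID = "0100022922"          # logid of "Link monitor status" events
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
STATE_RE = re.compile(r'changed state from (\w+) to (\w+)|initial state is (\w+)')


def parse_line(line):
    """Split one FortiGate key=value log line into a dict, quotes stripped."""
    return {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(line)}


def link_monitor_events(text):
    """Yield (name, interface, old_state, new_state, eventtime_ns) for each
    link-monitor state event; unrelated log lines are skipped."""
    for line in text.splitlines():
        rec = parse_line(line)
        if rec.get("logid") != LINK_MONITOR_LOGID:
            continue
        m = STATE_RE.search(rec.get("msg", ""))
        if not m:
            continue
        # "initial state is X" has no previous state, so old_state is None
        old, new = (m.group(1), m.group(2)) if m.group(1) else (None, m.group(3))
        yield rec["name"], rec["interface"], old, new, int(rec["eventtime"])


def outages(text):
    """Pair each transition to 'die' with the next return to 'alive' for the
    same monitor; duration_s is None for a monitor still down at end of log."""
    open_down, result = {}, []
    for name, intf, _old, new, ts in link_monitor_events(text):
        key = (name, intf)
        if new == "die" and key not in open_down:
            open_down[key] = ts
        elif new == "alive" and key in open_down:
            down_ns = open_down.pop(key)
            result.append({"name": name, "interface": intf, "down_ns": down_ns,
                           "up_ns": ts, "duration_s": (ts - down_ns) / 1e9})
    for (name, intf), down_ns in open_down.items():  # never recovered in this log
        result.append({"name": name, "interface": intf, "down_ns": down_ns,
                       "up_ns": None, "duration_s": None})
    return result
```

For the sample above, outages(SAMPLE_LOGS) reports one outage of monitor "1" on wan1 lasting about 25 seconds, matching the 16:21:41 to 16:22:06 gap in the logs.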

 

Related document:
Config System link monitor