FortiGate
Mono_FTNT
Article Id 289056
Description

This article describes how, when a link-monitor failure occurs just after an HA failover, detecting that failure takes the configured failtime plus 10 seconds.

Scope

FortiGate v7.0.11/7.2.5/7.4.0 or later.
Solution

For example, a link-monitor has been configured on HA as follows:

 

[Diagram: KB_DIAGRAM.gif]

 

In this situation, if Router-1 goes down, the link-monitor failure is detected within 4 seconds ('interval'*'failtime'+'probe-timeout').

Here is the output of the link-monitor debug log:

 

2023-12-12 23:34:06 lnkmtd::ping_send_msg(409): ---> ping 10.10.10.254 seq_no=13447, icmp id=1, send 20 bytes
2023-12-12 23:34:06 lnkmtd::monitor_proto_peer_send_request(605): ---> 1(10.10.10.254:ping) send probe packet, fail count(0)
2023-12-12 23:34:06 lnkmtd::ping_do_addr_up(116): ---> 1->10.10.10.254(10.10.10.254), rcvd
2023-12-12 23:34:06 lnkmtd::monitor_peer_recv(1992): ---> 1 send time 1702391646s 118905us, revd time 1702391646s 119003us
2023-12-12 23:34:07 lnkmtd::ping_send_msg(409): ---> ping 10.10.10.254 seq_no=13448, icmp id=1, send 20 bytes
2023-12-12 23:34:07 lnkmtd::monitor_proto_peer_send_request(605): ---> 1(10.10.10.254:ping) send probe packet, fail count(0)
2023-12-12 23:34:08 lnkmtd::ping_send_msg(409): ---> ping 10.10.10.254 seq_no=13449, icmp id=1, send 20 bytes
2023-12-12 23:34:08 lnkmtd::monitor_proto_peer_send_request(605): ---> 1(10.10.10.254:ping) send probe packet, fail count(1)
2023-12-12 23:34:09 lnkmtd::ping_send_msg(409): ---> ping 10.10.10.254 seq_no=13450, icmp id=1, send 20 bytes
2023-12-12 23:34:09 lnkmtd::monitor_proto_peer_send_request(605): ---> 1(10.10.10.254:ping) send probe packet, fail count(2)
2023-12-12 23:34:10 lnkmtd::monitor_ppeer_fail(1682): ---> 1(10.10.10.254 ping) is dead.

 

If L2_switch-1 goes down, an HA failover occurs, and the link-monitor failure is detected within 14 seconds.

Here is the output of the link-monitor debug log:

 

2023-12-12 23:36:11 ha_sync_handle_reset()-471: num_peers=1, local_ip=169.254.0.1
2023-12-12 23:36:11 lnkmtd::ping_send_msg(409): ---> ping 10.10.10.254 seq_no=2215, icmp id=709, send 20 bytes
2023-12-12 23:36:11 lnkmtd::monitor_proto_peer_send_request(605): ---> 1(10.10.10.254:ping) send probe packet, fail count(0)
2023-12-12 23:36:12 lnkmtd::ping_send_msg(409): ---> ping 10.10.10.254 seq_no=2216, icmp id=709, send 20 bytes
2023-12-12 23:36:12 lnkmtd::monitor_proto_peer_send_request(605): ---> 1(10.10.10.254:ping) send probe packet, fail count(0)

<SNIP>
2023-12-12 23:36:20 lnkmtd::ping_send_msg(409): ---> ping 10.10.10.254 seq_no=2224, icmp id=709, send 20 bytes
2023-12-12 23:36:20 lnkmtd::monitor_proto_peer_send_request(605): ---> 1(10.10.10.254:ping) send probe packet, fail count(0)
2023-12-12 23:36:21 lnkmtd::ping_send_msg(409): ---> ping 10.10.10.254 seq_no=2225, icmp id=709, send 20 bytes
2023-12-12 23:36:21 lnkmtd::monitor_proto_peer_send_request(605): ---> 1(10.10.10.254:ping) send probe packet, fail count(0)
2023-12-12 23:36:22 lnkmtd::ping_send_msg(409): ---> ping 10.10.10.254 seq_no=2226, icmp id=709, send 20 bytes
2023-12-12 23:36:22 lnkmtd::monitor_proto_peer_send_request(605): ---> 1(10.10.10.254:ping) send probe packet, fail count(1)
2023-12-12 23:36:23 lnkmtd::ping_send_msg(409): ---> ping 10.10.10.254 seq_no=2227, icmp id=709, send 20 bytes
2023-12-12 23:36:23 lnkmtd::monitor_proto_peer_send_request(605): ---> 1(10.10.10.254:ping) send probe packet, fail count(2)
2023-12-12 23:36:24 lnkmtd::monitor_ppeer_fail(1682): ---> 1(10.10.10.254 ping) is dead.

 

This is a side effect of a fix in v7.0.11/7.2.5/7.4.0 and is not a bug.
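To measure the delay from captured debug output, the following added example (not Fortinet code) parses lnkmtd lines in the format shown above and reports how long the fail counter stayed at 0 and how long it took to reach "is dead". The function and constant names are assumptions, the sample lines are trimmed copies of the two outputs above, and the times are relative to the reference log line (last answered probe or HA reset), not to the moment the device actually went down.

```python
import re
from datetime import datetime

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$")
FAILCOUNT = re.compile(r"send probe packet, fail count\((\d+)\)")

# Sample input: lines trimmed from the two debug outputs in this article.
ROUTER_DOWN = """\
2023-12-12 23:34:06 lnkmtd::ping_do_addr_up(116): ---> 1->10.10.10.254(10.10.10.254), rcvd
2023-12-12 23:34:07 lnkmtd::monitor_proto_peer_send_request(605): ---> 1(10.10.10.254:ping) send probe packet, fail count(0)
2023-12-12 23:34:08 lnkmtd::monitor_proto_peer_send_request(605): ---> 1(10.10.10.254:ping) send probe packet, fail count(1)
2023-12-12 23:34:09 lnkmtd::monitor_proto_peer_send_request(605): ---> 1(10.10.10.254:ping) send probe packet, fail count(2)
2023-12-12 23:34:10 lnkmtd::monitor_ppeer_fail(1682): ---> 1(10.10.10.254 ping) is dead.
"""
AFTER_FAILOVER = """\
2023-12-12 23:36:11 ha_sync_handle_reset()-471: num_peers=1, local_ip=169.254.0.1
2023-12-12 23:36:11 lnkmtd::monitor_proto_peer_send_request(605): ---> 1(10.10.10.254:ping) send probe packet, fail count(0)
<SNIP>
2023-12-12 23:36:21 lnkmtd::monitor_proto_peer_send_request(605): ---> 1(10.10.10.254:ping) send probe packet, fail count(0)
2023-12-12 23:36:22 lnkmtd::monitor_proto_peer_send_request(605): ---> 1(10.10.10.254:ping) send probe packet, fail count(1)
2023-12-12 23:36:23 lnkmtd::monitor_proto_peer_send_request(605): ---> 1(10.10.10.254:ping) send probe packet, fail count(2)
2023-12-12 23:36:24 lnkmtd::monitor_ppeer_fail(1682): ---> 1(10.10.10.254 ping) is dead.
"""

def detection_timing(log_text):
    """Return (hold_seconds, detect_seconds) for one excerpt, or None.

    Reference point: the later of the last answered probe ("rcvd") and the
    HA reset line. hold = reference -> first probe sent with a nonzero fail
    count; detect = reference -> "is dead".
    """
    ref = first_fail = dead = None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines and <SNIP> markers carry no timestamp
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2)
        if "ha_sync_handle_reset" in msg or msg.endswith(", rcvd"):
            ref, first_fail = ts, None  # measurement restarts here
        elif (fc := FAILCOUNT.search(msg)) and int(fc.group(1)) > 0:
            first_fail = first_fail or ts
        elif "is dead" in msg and ref is not None:
            dead = ts
            break
    if None in (ref, first_fail, dead):
        return None  # excerpt does not contain a complete failure sequence
    return (int((first_fail - ref).total_seconds()),
            int((dead - ref).total_seconds()))
```

A hold time far above one or two probe intervals, right after a `ha_sync_handle_reset` line, matches the post-failover behaviour described in this article rather than a misconfigured link-monitor.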
