Published June 6, 2023, 3:20 p.m. by Courtney
Here is the second video configuring and comparing the Dead Peer Detection vs. Link Health Monitor checks for fail-over.
Note: I had to switch the webterm VMs for Windows 7 machines so we could see the dropped packets. Please refer to the first video on how to build the topology.
https://kb.fortinet.com/kb/documentLink.do?externalID=FD40813
Hey guys, welcome back to our second and last video on this quick demo. My name is Devin Adams, I am a Fortinet instructor here in Tempe, Arizona, and I work for Dynamic Worldwide, and I record these videos for the people who take my class. So in the last video we just built this topology real quickly using the free VMs. Alright, so we have two FortiGates and our pseudo WAN in there, or make-believe IP addresses, and we also just used the wizard to essentially build up two VPN connections using the two different WAN connections, alright, between our two FortiGates. And where we left off, let me load up these machines, we were pinging each location here. Alright, so we have not done any failover or any testing quite yet, so that's gonna be our second part here.

So here let's go ahead and test the dead peer detection failover and see how long it actually takes for it to converge, alright, and then we're gonna see how we can set up our link health monitors like we do for our WAN connections without the SD-WAN, for our VPN tunnels, and maybe we'll get a better or a cleaner, what-you-call-it, failover experience. So the only thing to mention here is that I did do a primary-to-primary and a secondary-to-secondary connection, and to make sure that the tunnels don't stay up, each one is set with a different distance. So let's review that just super quick.

Okay, let's go over to our main site here and I'm going to log in and I'm gonna go down to my monitor. Now you guys see here that tunnel one is up but tunnel two is down, and if we go to our routing monitor we'll see here that the distance 10 is the reason why there's only one connection in here; it's not gonna try to build up two of them. So if we go over to our static routes you will see that our redundant connection, alright, we actually set a distance, whoop, there we go, to 15 instead, and we did it on both sides here, so that way when tunnel one goes down, you know, this one will pop up, and then it won't try to stay up; it'll be forced out once the better distance route comes back on.

All right, so let's go ahead though, before we do this, and I mean testing the failover, let's go to our IPsec tunnels, alright, and let's go ahead and just open one up here and let's actually take a look at the dead peer detection. Alright, device creation, huh? That's brand new, I've never seen that before. I'm still learning all these new little things about, what you call it, about the 6.2. Let's go ahead and convert it though.

All right, there we go. So if you guys notice here, our dead peer detection is turned on. Alright, now there is a difference between the "on idle" and the "on demand", and it's kind of interesting, because I'm looking at older documentation right now, and I'll actually put that in the link, and it used to be that on idle was the default. So the on idle will go ahead and send out dead peer detection across the interface, I think it's every 20 seconds, and then if there are three failed packets it'll go ahead and bring down the tunnel. On demand is just a more effective way of doing it; so in other words it only starts sending those dead peer detections once they maybe are not receiving traffic from the opposite direction, or, you know, also it stops sending them during the first act. So in other words, guys, it doesn't keep on sending them, so you know what, I'll just leave it on demand, just to see how well it works, so that's the default. All right, now if you guys do want to adjust those dead peer detection timers you can go through the CLI and you can tweak those, alright, at least you know you have some flexibility, and there's no additional configuration involved, alright.

So, but for the time being let's go ahead and bring down this connection and see how fast it takes to actually kick over to the secondary tunnel. So what I'm gonna do here is I'm gonna hover over just to make sure I got the right connection here, and if you guys notice it does say port 1 to port 1, so I'm just gonna delete it. Yeah, it's gone, so we should see some dropped packets here, alright. Yeah, see how it's just kind of frozen? Okay, and then if I go ahead and I hit the F5 button here and refresh my IPsec tunnels, it still thinks that it's up. Now you got to remember that IPsec is, it's one way, both directions, so let's go and see what's happening on this side. Yeah, it's frozen too, okay, see how it's stuck at 2024? But let's log in real quick and let's take a look at the monitor. So we'll go down to Monitor, alright, we'll go to our Routing Monitor, and as you can see the tunnel is still up, alright, so those dead peer detectors have not kicked in yet. Okay, let's go to our IPsec Monitor, alright, and as you can see it still shows traffic's flowing through it, even though I physically unplugged it.

All right, come on, converge baby, you can do it baby, I don't know why I'm saying baby so much, baby. There we go! Did you guys see that? Tunnel 2 is up. Okay, that took a minute, that took a minute, I mean not too too bad, right guys? Are we flowing again? Okay, we're flowing again. Alright, so yeah, about a minute, okay, about a minute, not too too bad, right guys, not too too bad. Is it flowing? Yeah, it's flowing. So let me hit F5 over here. So guys, about a minute. So if you have the redundant connections and all is right with the world, alright, it should take about a minute for those dead peer detectors to kick on and to make it converge.

Okay, let's go ahead and restore the connection and see what happens from there. All right, there we go, port 1 to port 1. Now here's the thing, I really don't even think that it will go back up. Oh, actually it did, oh snap, look at that. Okay, both tunnels are up, because here's the thing, there should only be one at a time. So let's go over to our routing monitor. Yeah, okay, so there we go. Did I lose any packets? Well, I guess this doesn't really show me, using Linux. Alright, so, but I mean tunnel one came back up fairly quickly. Okay, so let's go over to our other side, we'll hit F5, so we're coming back to life, actually look at that, both of them up. Yeah, so even though both of those tunnels are up, by the way guys, there is only one route now, and those tunnels might stay up until they stop passing traffic, and that's fine. Okay, so anyways, and that's because, you know, the routing is done through the session table and we'd have to clear the session table. So, but anyways, it came back to life pretty quickly on both sides.

But let's go ahead and see if we can't get it to converge a little bit quicker, okay, and we do this by setting link monitors, just like we did with our WAN connections in other videos. Alright, so over here, and by the way, you don't have to do these for both connections, just the primary, alright, because the link monitor will go ahead and send ping packets instead of dead peer detectors, and if there are five failures, and you can tweak those too through the CLI, but if there's five lost packets between the VPN tunnel, the two sites, then it will go ahead and remove the routes, and it sends out a ping packet every half a second, so it should be a little bit faster than a minute, okay, because that was still pretty long.

So let's go ahead and configure it. Alright guys, ready? So I'm gonna bust out the CLI here. All right, I'm gonna do a config system link-monitor, okay, and then we edit, and then we give it a name, so I'm just gonna call this VPN1, okay, and if I do a get here you can see the different options. So all we really have to do to make this work is a couple of things. Alright, for starters we have to set our source interface as our VPN tunnel, alright, to-remote-2, okay, I don't know which one is which, that's so weird. You know what, let me do this through PuTTY, that command line is just making it too funky. So here we go, let's start over with our headquarters, plus this will be easier for us to see. All right, okay, so we're gonna do a config system link-monitor. If I do a show here there's really nothing there, so I'm gonna say edit VPN1, alright, see how there's nothing there? I'll do a get, and then we're gonna set the source interface as to-remote-1, alright, I'm just gonna do it on the primary, okay. We'll leave it to ping. Before, our server, it's gonna be the other FortiGate's internal IP address through the VPN tunnel, so this interface right here at port 3, so we're gonna say 10.20.1.254, alright. And then this is probably the most important part, alright, and that is the source IP address, because it's expecting traffic from the 10.10 network, alright, so you don't want it using the WAN interface, which is a public IP address; this will at least use an IP address that will initiate the VPN tunnel, alright, so we're gonna make it look like it's coming from over here, okay. And then if you notice, update-static-route is enabled, so if this goes down five times, okay, ping packets, it will go ahead and pull it out, alright, and if it recovers it'll go ahead and put it back in, and you can adjust those if there's any kind of weird flapping or anything like that. But that's it.

Let's go ahead and do it now on the other side, on the remote FortiGate. Okay, so here we go, oh you know what, I'll use PuTTY just because it's easier to see. So config system link-monitor, alright, we'll do edit VPN1, now remember this is on the remote side, do a get here, a little cheat sheet, we're gonna set the source interface as to-HQ-1, set the server as the internal interface on that other side, so we're almost like flipping them around, and then set our source IP address to 10.20.1.254. Alright, now if you're running any version other than 6.2.0, I can't get it to work on 6.2.0 but I get it to work on any other version of FortiOS, you can actually see your link monitors in the GUI. So if you come down here after you configure it through the CLI and you come down to your SD-WAN monitor you can actually see it, as you can see it is up, it is running, and even if you want to keep a check on your VPN tunnels' health you can add jitter, latency and packet loss to the mix, and it's there, I promise. Pretty cool, huh? So our link monitor is working there, and let's go ahead and check it on the other side. Oops, I got to do the same here. Here we go, yeah, get out of here, you're worthless. All right, SD-WAN monitor, and there is the other side there too.

Now remember it took almost like a full minute for that to converge, alright, let's see how fast it converges now using the link monitor. Okay, hey guys, ready? So, alright guys, I usually say I don't do YouTube magic, but I had to do a little YouTube magic, so I don't think the webterm boxes were working the way I wanted them to, and it was like freezing the ping packets, and I wanted to see how many packets actually dropped while we were converging, so I went ahead and just dropped in a couple of Windows 7 machines and configured them off camera, just because I was getting frustrated. All right, so, but I paused the video right before we, or right after we set up the two FortiGates. Alright, so once again let's just go back into the CLI here and take a look at our two monitors before we do our test; that's that whole measure twice, cut once thing. So let's do a config system link-monitor. All right, see, that's all we need there; we're essentially saying go out using just the first VPN tunnel, alright, ping the inside interface over here, alright, and look like it's coming from this interface here, and we should have the same on this side here. Alright, config system link-monitor, let's do a show. See, it's like flipped around. I mean that's all you have to configure, guys.

So let's go ahead and actually test it. Like I said, I just did a real quick Windows 7 instead of the webterm boxes, alright, just because when we do our pings on a Windows machine it'll show dropped packets. So here we go, ping 10.20.1.254, we'll do a -t so it does it constantly, so that's one direction, and here it is in the other direction. Alright, now remember the dead peer detectors took a full minute to converge, okay. There we go, alright, so let's go ahead and take a look now at how many packets we lose after we kill that port 1. Alright, so here we go, bringing down port 1 now. All right, there's the timeout. Look at that guys, one packet, one packet! All right, so there you guys go, I mean that's about as easy as it gets when it comes to setting up the link monitors to do a faster convergence than the dead peer detectors. Alright, and then don't forget also, if you go down here to Monitor and you go to your SD-WAN monitor you can actually see if it's up or down; see how it's down right now? Let's see how fast it comes back to life. Okay, all right, there we go, now it just added the route back up. Alright, so it's probably still taking the second tunnel, but that's not a bad thing; we just don't want traffic dropping erroneously. But you gotta admit guys, that's a whole heck of a lot better than the dead peer detectors. Okay, so should we do it again? Well, let's do it again, let's kill it, what I mean, yeah, come on guys, that's about as fast as it gets.

Okay, so there you guys go, there is the video comparing the dead peer detectors versus the link health monitors for the VPN, and I hope someone found that helpful out there. So sorry that that was a little bit messy towards the end, but I'll check you guys later. All right, take care.
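The two link-monitor entries the video walks through, written out as an added example rather than the author's captured CLI. The tunnel interface names, the HQ internal address 10.10.1.254 (the transcript only says "the 10.10 network") and the millisecond interval unit are assumptions; the remote internal address 10.20.1.254, the five-probe threshold, the half-second interval and update-static-route come from the video.

```fortios
# Added example: FortiOS CLI for the VPN link health monitors shown in the video.
# HQ side. Assumed names/addresses: tunnel interface "to-remote-1", remote
# FortiGate internal (port3) 10.20.1.254, HQ internal 10.10.1.254.
config system link-monitor
    edit "VPN1"
        set srcintf "to-remote-1"        # probe only through the primary tunnel
        set protocol ping
        set server "10.20.1.254"         # remote FortiGate's internal interface
        set source-ip 10.10.1.254        # inside the tunnel selectors, not the WAN IP
        set interval 500                 # one probe every half second (ms on 6.2)
        set failtime 5                   # five lost probes: static route is withdrawn
        set recoverytime 5               # five answered probes: route is restored
        set update-static-route enable   # pull static routes via to-remote-1 when down
    next
end

# Remote side: the same entry with source and server swapped.
config system link-monitor
    edit "VPN1"
        set srcintf "to-HQ-1"
        set protocol ping
        set server "10.10.1.254"         # HQ internal interface (assumed address)
        set source-ip 10.20.1.254        # remote FortiGate's own internal address
        set interval 500
        set failtime 5
        set recoverytime 5
        set update-static-route enable
    next
end

# Check the probe state on either FortiGate:
# diagnose sys link-monitor status
```

With update-static-route enabled, a failed monitor only removes the static routes that point out the monitored tunnel interface, so the distance-15 route through the secondary tunnel takes over without the IPsec SA itself having to time out.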