March 28, 2024

2. Configuring and Testing Link Health Monitor for Redundant VPN Connections on FortiGate 6.2



Published June 6, 2023, 3:20 p.m. by Courtney


Here is the second video configuring and comparing the Dead Peer Detection vs. Link Health Monitor checks for fail-over.

Note: I had to switch the webterm VMs with Windows 7 so we could see the dropped packets. Please refer to the first video on how to build the topology.

Here is the documentation regarding the DPD:

https://kb.fortinet.com/kb/documentLink.do?externalID=FD40813

Hey guys, welcome back to our second and last video on this quick demo. My name is Devin Adams, I am a Fortinet instructor here in Tempe, Arizona, and I work for Dynamic Worldwide, and I record these videos for the people that take my class. So in the last video we just built this topology real quickly using the free VMs. All right, so we have two FortiGates and our pseudo-WAN in there with make-believe IP addresses, and we also just used the wizard to essentially build up two VPN connections using the two different WAN connections, all right, between our two FortiGates. And where we left off, let me load up these machines, we were pinging each location here. All right, so we have not done any failover or any testing quite yet, so that's gonna be our second part here. So here let's go ahead and test the dead peer detection failover and see how long it actually takes for it to converge, all right, and then we're gonna see how we can set up our link health monitors, like we do for our LAN connections without the SD-WAN, for our VPN tunnels, and maybe we'll get a better or a cleaner, what-you-call-it, failover experience.

So the only thing to mention here is that I did do a primary-to-primary and a secondary-to-secondary connection, and to make sure that the tunnels don't stay up, each one is set with a different distance. So let's review that just super quick. Okay, let's go over to our main site here, and I'm going to log in and I'm gonna go down to my monitor. Now you guys see here that tunnel one is up but tunnel two is down, and if we go to our routing monitor we'll see here that the distance 10 is the reason why there's only one connection in here; it's not gonna try to build up two of them. So if we go over to our static routes you will see that our redundant connection, all right, we actually set a distance, whoop, there we go, to 15 instead, and we did it on both sides here. So that way when tunnel one goes down, you know, this one will pop up, and then it won't try to stay up, it'll be forced out once the better distance route comes back on, all right.

So let's go ahead, though, before we do this, and I mean testing the failover, let's go to our IPsec tunnels, all right, and let's go ahead and just open one up here, and let's actually take a look at the dead peer detection, all right. "Device creation", huh, that's brand new, I've never seen that before. I'm still learning all these new little things about, what you call it, about the 6.2. Let's go ahead and convert it, though. All right, there we go. So if you guys notice here, our dead peer detection is turned on, all right. Now there is a difference between the on-idle and the on-demand, and it's kind of interesting because I'm looking at older documentation right now, and I'll actually put that in the link, and it used to be on-idle was the default. So the on-idle will go ahead and send out dead peer detection across the interface, I think it's every 20 seconds, and then if there are three failed packets it'll go ahead and bring down the tunnel. On-demand is just a more effective way of doing it; so in other words it only starts sending those dead peer detections once they maybe have not received traffic from the opposite direction, or, you know, also it stops sending them during the first act. So in other words, guys, it doesn't keep on sending them. So you know what, I'll just leave it on-demand, just to see how well it works, so that's the default. All right, now if you guys do want to adjust those dead peer detection timers, you can go through the CLI and you can tweak those, all right; at least, you know, you have some flexibility, and there's no additional configuration involved, all right.

So, but for the time being, let's go ahead and bring down this connection and see how fast it takes to actually kick over to the secondary tunnel. So what I'm gonna do here is I'm gonna hover over just to make sure I got the right connection here, and if you guys notice it does say port 1 to port 1, so I'm just gonna delete it. Yeah, it's gone, so we should see some dropped packets here, all right. Yeah, see how it's just kind of frozen, okay. And then if I go ahead and I hit the F5 button here and refresh my IPsec tunnels, it still thinks that it's up. Now you got to remember that IPsec is just, it's one-way both directions, so let's go and see what's happening on this side. Yeah, it's frozen too, okay, see how it's stuck at 2024. But let's log in real quick and let's take a look at the monitor, so we'll go down to Monitor, all right, we'll go to our routing monitor, and as you can see the tunnel is still up, all right, so those dead peer detections have not kicked in yet. Okay, let's go to our IPsec monitor, all right, and as you can see it still shows traffic's flowing through it even though I physically unplugged it. All right, come on, converge, baby, you can do it, baby. I don't know why I'm saying baby so much. Baby. There we go. Did you guys see that? Tunnel 2 is up, okay. That took a minute, that took a minute; I mean, not too too bad, right guys? Are we flowing again? Okay, we're flowing again. All right, so yeah, about a minute. Okay, about a minute, not too too bad, right guys, not too too bad. Is it flowing? Yeah, it's flowing, so let me hit F5 over here. So guys, about a minute. So if you have the redundant connections and all is right with the world, all right, it should take about a minute for those dead peer detections to kick on and to make it converge.

Okay, let's go ahead and restore the connection and see what happens from there. All right, there we go, port 1 to port 1. Now here's the thing, I really don't even think that it will go back up. Oh, actually it did. Oh, shoot, look at that. Okay, both tunnels are up, because here's the thing, there should only be one at a time. So let's go over to our routing monitor. Yeah, okay, so there we go. Did I lose any packets? Well, I guess this doesn't really show me, using Linux, all right. So, but I mean, tunnel one came back up fairly quickly. Okay, so let's go over to our other side, we'll hit F5, so we're coming back to life. Actually, look at that, both of them up. Yeah, so even though both of those tunnels are up, by the way guys, there is only one route now, and those tunnels might stay up until they stop passing traffic, and that's fine, okay. So anyways, and that's because, you know, the routing is done through the session table, and we'd have to clear the session table. So, but anyways, it came back to life pretty quickly on both sides.

But let's go ahead and see if we can't get it to converge a little bit quicker, okay, and we do this by setting link monitors, just like we did with our WAN connections in other videos. All right, so over here, and by the way, you don't have to do these for both connections, just the primary, all right, because the link monitor will go ahead and send ping packets instead of dead peer detection, and if there are five failures, and you can tweak those too through the CLI, but if there's five lost packets between the VPN tunnel, the two sites, then it will go ahead and remove the routes. And it sends out a ping packet every half a second, so it should be a little bit faster than a minute, okay, because that was still pretty long. So let's go ahead and configure it. All right guys, ready? So I'm gonna bust out the CLI here. All right, I'm gonna do a config system link-monitor, okay, and then we edit, and then we give it a name, so I'm just gonna call this VPN1, okay, and if I do a get here you can see the different options. So all we really have to do to make this work is a couple of things, all right. For starters we have to set our source interface as our VPN tunnel, all right, "to remote 2", okay, I don't know which one is which, that's so weird. You know what, let me do this through PuTTY, that command line is just making it too funky. So here we go, let's start over with our headquarters, plus this will be easier for us to see. All right, okay, so we're gonna do a config system link-monitor. If I do a show here there's really nothing there, so I'm gonna say edit VPN1, all right, see how there's nothing there. I'll do a get, and then we're gonna set the source interface as "to remote 1", all right, I'm just gonna do it on the primary, okay. We'll leave it to ping. Before, our server, it's gonna be the other FortiGate's internal IP address through the VPN tunnel, so this interface right here, port 3, so we're gonna say 10.200.1.254, all right. And then this is probably the most important part, all right, and that is the source IP address, because it's expecting traffic from the 10.10 network, all right. So you don't want it using the WAN interface, which is a public IP address; this will at least use an IP address that will initiate the VPN tunnel, all right. So we're gonna make it look like it's coming from over here, okay. And then if you notice, update static route is enabled, so if this goes down five times, okay, ping packets, it will go ahead and pull it out, all right, and if it recovers it'll go ahead and put it back in, and you can adjust those if there's any kind of weird flapping or anything like that. But that's it.

Let's go ahead and do it now on the other side, the remote FortiGate, okay. So here we go. Oh, you know what, I'll use PuTTY just because it's easier to see. So config system link-monitor, all right, we'll do edit VPN1, now remember this is on the remote side, do a get here, a little cheat sheet. We're gonna set the source interface as "to HQ 1", set the server as the internal interface on that other side, so we're almost like flipping them around, and then set our source IP address to 1021 254, all right. Now if you're running any version other than 6.2.0, I can't get it to work on 6.2.0, but I get it to work on any other version of FortiOS, you can actually see your link monitors in the GUI. So if you come down here after you configure it through the CLI, and you come down to your SD-WAN monitor, you can actually see it, as you can see it is up, it is running, and even if you want to keep a check on your VPN tunnel's health, you can add jitter, latency and packet loss to the mix, and it's there, I promise. Pretty cool, huh? So our link monitor is working there, and let's go ahead and check it on the other side. Oops, I got to do the same here, here we go. Yeah, get out of here, you're worthless. All right, SD-WAN monitor, and there is the other side there too.

Now remember it took almost like a full minute for that to converge, all right, let's see how fast it converges now using the link monitor, okay. Hey guys, ready? So I'm, all right guys, I usually say I don't do YouTube magic, but I had to do a little YouTube magic. So I don't think the webterm boxes were working the way I wanted them to, and it was like freezing the ping packets, and I wanted to see how many packets actually dropped while we're converging, so I went ahead and just dropped in a couple of Windows 7 machines and configured them off camera, just because I was getting frustrated. All right, so but I paused the video right before we, or right after we set up the two FortiGates, all right. So once again let's just go back into the CLI here and take a look at our two monitors before we do our test; that's that whole measure twice, cut once thing. So let's do a config system link-monitor, all right, see, that's all we need there. We're essentially saying go out using just the first VPN tunnel, all right, ping the inside interface over here, all right, and look like it's coming from this interface here, and we should have the same on this side here. All right, config system link-monitor, let's do a show, see, it's like flipped around. I mean, that's all you have to configure, guys. So let's go ahead and actually test it. Like I said, I just did a real quick Windows 7 instead of the webterm boxes, all right, just because when we do our pings on a Windows machine it'll show dropped packets. So here we go, ping 10 20 1 2 5 4, we'll do a -t so it does it constantly. So that's one direction, and here it is, the other direction. All right, now remember the dead peer detection took a full minute to converge, okay. There we go, all right, so let's go ahead and take a look now at how many packets we lose after we kill that port 1. All right, so here we go, bringing down port 1 now. All right, there's the timeout. Look at that, guys, one packet, one packet. All right, so there you guys go. I mean, that's about as easy as it gets when it comes to setting up the link monitors to do a faster convergence than the dead peer detection. All right, and then don't forget also, if you go down here to Monitor and you go to your SD-WAN monitor, you can actually see if it's up or down. See how it's down right now, let's see how fast it comes back to life. Okay, all right, there we go, now it just added the route back up. All right, so it's probably still taking the second tunnel, but that's not a bad thing; we just don't want traffic dropping erroneously. But you gotta admit, guys, that's a whole heck of a lot better than the dead peer detection, okay. So should we do it again? Well, let's do it again, let's kill it. What I mean, yeah, come on guys, that's about as fast as it gets, okay. So there you guys go, there is the video comparing the dead peer detection versus the link health monitors for the VPN, and I hope someone found that helpful out there. So sorry that that was a little bit messy towards the end, but I'll check you guys later. All right, take care.
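The configuration the video types in, written out as an added example in FortiOS 6.2 CLI syntax (this is not the video's or Fortinet's own configuration). The tunnel names to_remote_1, to_remote_2 and to_hq_1 and the 10.10.1.0/24 (HQ) and 10.200.1.0/24 (remote) subnets are assumptions standing in for the lab's values; the static-route and DPD blocks are included so the two fail-over mechanisms the video compares sit side by side.

```text
# Added example, not from the video. Assumed names: HQ tunnels "to_remote_1"/"to_remote_2",
# HQ LAN 10.10.1.254/24; remote tunnels "to_hq_1"/"to_hq_2", remote LAN 10.200.1.254/24.

# ---- HQ FortiGate ----
# Primary and backup static routes; the higher distance keeps tunnel 2 out of the
# routing table until tunnel 1's route is withdrawn.
config router static
    edit 1
        set dst 10.200.1.0 255.255.255.0
        set device "to_remote_1"
        set distance 10
    next
    edit 2
        set dst 10.200.1.0 255.255.255.0
        set device "to_remote_2"
        set distance 15
    next
end

# Dead peer detection on the primary phase1 (the slow fail-over shown first).
config vpn ipsec phase1-interface
    edit "to_remote_1"
        set dpd on-demand           # 6.2 default; on-idle probes continuously instead
        set dpd-retryinterval 20    # seconds between probes (default)
        set dpd-retrycount 3        # lost probes before the tunnel is torn down (default)
    next
end

# Link health monitor through the primary tunnel only (the fast fail-over).
config system link-monitor
    edit "VPN1"
        set srcintf "to_remote_1"        # probe only over tunnel 1
        set server "10.200.1.254"        # remote FortiGate's internal interface
        set source-ip 10.10.1.254        # HQ LAN address so the probe matches the tunnel selectors
        set interval 500                 # milliseconds in 6.2 (one probe per half second)
        set failtime 5                   # consecutive losses before the route is withdrawn
        set recoverytime 5               # consecutive replies before it is put back
        set update-static-route enable   # withdraw/restore the distance-10 route
    next
end

# ---- Remote FortiGate: same monitor with interface and addresses swapped ----
config system link-monitor
    edit "VPN1"
        set srcintf "to_hq_1"
        set server "10.10.1.254"
        set source-ip 10.200.1.254
        set update-static-route enable
    next
end
```

With update-static-route enabled, five lost probes pull the distance-10 route so the distance-15 route over tunnel 2 takes over; if the monitor is given a WAN source address instead of the LAN one, the probe never matches the phase2 selectors and the monitor stays down even while the tunnel is healthy.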
