Handbook

Configuring link health monitoring

6.0.0

Link health monitoring measures the health of links that are connected to SD-WAN member interfaces. The FortiGate checks the status of each SD-WAN member interface that you include in a Performance SLA, by sending probing signals through each member link to a server and measuring the link quality based on latency, jitter, and packet loss.

You can configure up to two servers to test the health of SD-WAN member interfaces. This helps to ensure that if the health checks identify connectivity issues, the interface is at fault and not the server. If either server meets the link status criteria, the link is good. The FortiGate removes an interface from an SD-WAN link load balancing group if its connectivity is down.

The FortiGate uses the first server that you configure in the server list for the health check. If that server is unavailable, the FortiGate uses the second server and continues to use the second server while it’s available. If the second server isn't available, the FortiGate returns to using the first server if it's available. If both servers are unavailable, the health check fails.

You can configure the protocol for status checks. In the GUI, you can configure Ping and HTTP. In the CLI, you can configure Ping, HTTP, TCP-Echo, UDP-Echo, and Two-Way Active Measurement Protocol (TWAMP).

Configure link health monitoring – GUI
  1. Go to Network > Performance SLA.
  2. Select Create New.
  3. In the Name field, enter a name for the SLA.
  4. In the Protocol field, select the protocol that you want to use for status checks:
    • Ping: PING link monitor
    • HTTP: HTTP-GET monitor
  5. In the Server field, enter the IP addresses of up to two servers that you want to use to test the health of each SD-WAN member interface. You must use servers that all SD-WAN members in the Performance SLA can reach.
  6. In the Participants field, select +. In the Select Entries window, select one or more SD-WAN interface members that you want this SLA to apply to. Select Close.
  7. In the Link Status section, set the following options:
    • Check interval: Set the interval at which you want the FortiGate to check the interface. The range is 1 to 3600 seconds. The default is 1.
    • Failures before inactive: Set the number of failed status checks that are allowed before the FortiGate removes the interface from SD-WAN load balancing groups. The range is 1 to 10. The default is 5. This setting helps prevent flapping, where the system continuously transfers traffic back and forth between links.
    • Restore link after: Set the number of successful status checks before the FortiGate restores the interface to SD-WAN load balancing groups. The range is 1 to 10. The default is 5. This setting helps prevent flapping, where the system continuously transfers traffic back and forth between links.
  8. In the Actions when Inactive section, specify what happens when the WAN link is inactive. Enable Update static route if you want to disable static routes for inactive interfaces and restore routes when interfaces are restored.
  9. Select OK.

You can view link quality measurements on the Performance SLA page. The table displays the health checks that you configured, along with information about each health check. The values in the Packet Loss, Latency, and Jitter columns apply to the server that the FortiGate is currently using to test the health of the SD-WAN member interfaces. The green (up) arrows indicate only that the server is responding to the health checks, regardless of the packet loss, latency, and jitter values, and don’t indicate that the health checks are being met.
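The following added example (not Fortinet code) models the server failover order and the Failures before inactive / Restore link after counters described above, and replays constructed probe results to show why low thresholds cause flapping. The names `HealthCheck`, `run`, and the sample lists are hypothetical, and treating the counters as consecutive failures and successes is an assumption.

```python
# Simplified model of the documented behaviour; assumes consecutive counting.
from dataclasses import dataclass

@dataclass
class HealthCheck:
    failtime: int = 5        # "Failures before inactive" (page default)
    recoverytime: int = 5    # "Restore link after" (page default)
    current: int = 0         # index of the server in use; starts on the first
    active: bool = True      # member is in the load balancing group
    fails: int = 0
    successes: int = 0

    def probe(self, reachable):
        """reachable: (server1_ok, server2_ok) for one check interval."""
        other = 1 - self.current
        if reachable[self.current]:
            ok = True                        # keep using the server in use
        elif reachable[other]:
            self.current, ok = other, True   # switch to the other server
        else:
            ok = False                       # both servers down: check fails
        if ok:
            self.successes, self.fails = self.successes + 1, 0
            if not self.active and self.successes >= self.recoverytime:
                self.active = True           # restore the member
        else:
            self.fails, self.successes = self.fails + 1, 0
            if self.active and self.fails >= self.failtime:
                self.active = False          # remove the member
        return ok

def run(samples, **settings):
    """Replay samples; return (active, server_in_use) per check interval."""
    hc = HealthCheck(**settings)
    out = []
    for sample in samples:
        hc.probe(sample)
        out.append((hc.active, hc.current + 1))
    return out

# Constructed samples: (server1_ok, server2_ok) per check interval.
SERVER_OUTAGE = [(True, True), (False, True), (True, True), (True, False)]
LOSSY_LINK = [(False, False), (True, True)] * 4    # every other probe is lost
HARD_DOWN = [(False, False)] * 5 + [(True, True)] * 5

if __name__ == "__main__":
    print(run(LOSSY_LINK))                             # defaults: stays active
    print(run(LOSSY_LINK, failtime=1, recoverytime=1)) # flaps every interval
```

With the defaults, the lossy link never leaves the group, while `failtime=1` and `recoverytime=1` toggle the member on every probe; a single-server outage only changes which server is in use.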

Configure link health monitoring – CLI

    config system virtual-wan-link
        config health-check
            edit <health_check_name>
                set addr-mode {ipv4 | ipv6}
                set server <server1_IP_address> <server2_IP_address>
                set members <sequence_numbers>
                set protocol {ping | ping6 | tcp-echo | udp-echo | http | twamp}
                set interval <seconds>
                set failtime <number_of_failures>
                set recoverytime <number_of_successes>
                set update-static-route {enable | disable}
            next
        end
    end

where you set the following variables:

CLI option: protocol
  Description: The protocol to use for status checks. ping6 is the only protocol available for IPv6 health checks.
  Additional configuration steps:
    If you set this to http, also set these options for http:
        set port <port_number>
        set http-get <url>
        set http-match <response_string>
    If you set this to twamp, also set these options for twamp:
        set port <port_number>
        set security-mode {none | authentication}
        set password <password>
        set packet-size <size>

CLI option: interval
  Description: This is the same as the Check interval option in the GUI.
  Additional configuration steps: None

CLI option: failtime
  Description: This is the same as the Failures before inactive option in the GUI.
  Additional configuration steps: None

CLI option: recoverytime
  Description: This is the same as the Restore link after option in the GUI.
  Additional configuration steps: None
