Configuring VPN tunnels to a site with 2 WAN links

Excuse me for my ignorance, but I am not a huge Fortinet guy. With that being said, the previous admin here had configured 2 WAN connections (one primary, one failover). I don’t think he set it up ‘properly’ because I do not see the ‘Health Link Monitor’ set up for it (just reading the Fortinet documentation). It just looks like he had plugged the 2nd WAN link into an interface, configured it with an IP and maybe set a static route. We have tested the WAN failover and it does indeed work.

I am currently trying to set up our remote sites (which connect to the primary WAN over a VPN tunnel) with a secondary tunnel which goes to our corp backup, and when I complete the tunnel, I get disconnected from the tunnel. I then have to go into the firewall via the WAN IP (not the internal IP, because the VPN is down), kill the 2nd tunnel, after which the primary tunnel comes back online. Does anyone know what might be causing this? My guess is the administrative distance has to be adjusted on the tunnel, maybe? If it does need to be adjusted, would it be on the corporate side, remote side or both? We do have a support contract with Fortinet, but I don’t like calling them as I prefer to try and get some help here first.

Thanks!

You are right! Create both tunnels, policies as you wish, and the static routes with different distances (higher on the failover tunnel).

Then, create a link monitor (CLI only) on the first tunnel only.

This video should help you

Yeah, admin distance. Or, SD-WAN is the newest way to do it, and you can use SD-WAN rules along with a performance SLA. This way you have one route and one policy, but in the SD-WAN rules you engineer your traffic paths. You could use the metric that prefers one link over the secondary unless the primary is down.

I would need to see the configuration, but in the CLI you can set a VPN to sit in standby until the one it’s monitoring fails to come up. That’s probably what’s going on.

This was one of the hardest things to wrap my head around when starting to manage FortiGates.

You could have both tunnels up at the same time by configuring the static routes on the Remote Firewall:

Static routes:

internet: Distance 10 Priority 0

Primary VPN tunnel: Distance 10 Priority 0

Backup VPN tunnel: Distance 10 Priority 5 (as long as the priority is higher than the other tunnel’s, it will only be used if the primary tunnel goes down). If the distance were set higher than 10, it would not be able to be used until the primary tunnel went down.

Then under the Phase 2 / Advanced: Enable Auto-negotiate for both tunnels to stay connected.
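Putting the two replies above together (static routes with equal distance and different priority plus auto-negotiate on both phase 2s from this post, and a CLI link monitor on the primary tunnel only from the earlier one), here is an added example of what the remote-site FortiGate configuration could look like. It is not from the original thread or from Fortinet. The tunnel names, the corporate subnet, the monitored host and the route sequence numbers are assumed, the tunnels themselves are assumed to exist already (only the relevant settings are shown), and some link-monitor keywords and units vary by FortiOS release, so check them with `?` on your build.

```fortios
# Added example, not from the thread. Remote-site FortiGate; everything below is assumed:
#   "vpn-primary" / "vpn-backup"  interface-mode IPsec tunnels to corp primary / corp backup
#   10.10.0.0/16                  corporate LAN reachable through either tunnel
#   10.10.0.1                     a corp host that answers ping only through the tunnels

# 1. Keep both tunnels negotiated even when idle, so both tunnel routes stay in the
#    routing table. DPD on-idle lets the tunnel interface drop when the peer really dies.
config vpn ipsec phase1-interface
    edit "vpn-primary"
        set dpd on-idle
        set dpd-retryinterval 5
    next
    edit "vpn-backup"
        set dpd on-idle
        set dpd-retryinterval 5
    next
end
config vpn ipsec phase2-interface
    edit "vpn-primary-p2"
        set phase1name "vpn-primary"
        set auto-negotiate enable
    next
    edit "vpn-backup-p2"
        set phase1name "vpn-backup"
        set auto-negotiate enable
    next
end

# 2. Same distance on both routes so both are active; the lower priority value is used.
#    (A higher distance on the backup would keep it out of the table until the primary
#    route disappears, which is the other valid design.)
config router static
    edit 10
        set dst 10.10.0.0 255.255.0.0
        set device "vpn-primary"
        set distance 10
        set priority 0
    next
    edit 11
        set dst 10.10.0.0 255.255.0.0
        set device "vpn-backup"
        set distance 10
        set priority 5
    next
end

# 3. Link monitor on the primary tunnel only. When pings through it fail, its static
#    route is withdrawn and traffic moves to the backup route without waiting for the
#    tunnel interface itself to go down. interval is in seconds on older releases and
#    milliseconds on newer ones; confirm with "set interval ?".
config system link-monitor
    edit "mon-vpn-primary"
        set srcintf "vpn-primary"
        set server "10.10.0.1"
        set protocol ping
        set interval 5
        set failtime 3
        set recoverytime 3
        set update-static-route enable
    next
end
```

After applying it, `get router info routing-table all` should list the 10.10.0.0/16 route via vpn-primary as the active one with the vpn-backup route present but at the higher priority value, and `diagnose sys link-monitor status` shows whether the monitor is currently marking the primary tunnel alive. Only the remote side needs this; the corporate side needs matching tunnels and a route for the remote subnet over each of them, but the failover decision is made by whichever side originates the traffic.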

If both sides have two links, make a mesh of 4 tunnels.

I have customers with dual WAN setup with tunnels between them, and I prefer Interface IPSec tunnels to Policy ones.

As others have mentioned, set the priority you want for the route in the Static Route entries.

Surely they do link monitor in the CLI (conf sys link-monitor), and maybe the WAN has priorities in the interface (in case you use DHCP for the WAN address) or in the static route, same for your tunnels; check and come back if you need more details.

Awesome!! Thanks for this