Ask Your Question
0

Fortigate 60F Link Monitor

asked 2021-10-27 15:02:26 +0000

fly_agaric gravatar image

Hello guys

I have a fortigate 60F Firewall and 2 WAN Links configured with SD-WAN. A SLA Link Monitor is configured to ping a remote ip every 2 seconds with a latency threshold of 7000ms and 20 failures before it becomes unavailable. My problem is that the Forti Eventlog says "The member2(wan2) link is unreachable or miss threshold. Stop forwarding traffic. " I have created a wireshark trace directly from the fortigate and it shows that the Identifier (BE) in the ICMP field changes while the log message in the fortigate firewall is shown.

When the wan2 interface is more or less idle the BE Identifier does not change only when there is congestion for example a simple http download it changes after about 60 seconds after the download is initiated.

Does anyone know what does this BE identifier mean? I am not seeing any packet loss in the trace because the sequence numbers are intact.

image description

edit retag flag offensive close merge delete

Comments

I have applied the display filter "not icmp.resp_in and icmp.type==8" so i guess that there is no packet loss occuring from fortigate to server 83.141.2.108.

fly_agaric gravatar imagefly_agaric ( 2021-10-27 15:16:29 +0000 )edit
add a comment

2 Answers

Sort by ยป oldest newest most voted
0

answered 2021-10-28 10:35:49 +0000

fly_agaric gravatar image

Thank you for your help. I have found the issue by excessive google search here: https://kb.fortinet.com/kb/documentLi...

There is a seperate latency option for maximum acceptable latency before the fortifgate considers the packet as lost. set probe-timeout

The default value is only 500ms so even if wireshark reports no packet loss fortigate says if icmp response time > 500 ms then consider as loss. I have changed the value now to 5000 ms its max value and now it seems to work.

edit flag offensive delete link more
add a comment
0

answered 2021-10-27 15:29:35 +0000

Chuckc gravatar image

updated 2021-10-27 15:31:46 +0000

The behavior of the ICMP Identifier field was improved with 17045 - icmp.ident - separate combined column for be/le.

The BE means Big Endian. The merge request above allows the Ident field to be displayed as Big Endian or Little Endian. To kick the tires on this, download Development Release (3.6.0rc1).

rfc792 INTERNET CONTROL MESSAGE PROTOCOL (pg.14) describes the Identifier and Sequence Number fields. ("... may be used ...") How they are used is very loosey goosey and varies based on how ICMP was implemented in the device stack.

edit flag offensive delete link more

Comments

Okay it says the id may be used to identify a session. So I guess when I see the id changing for fortigate firewall it might be the signal to failover to other link or something but iam asking why this is happening? I filtered the ICMP Trace with icmp.resptime >= 1400 and it only shows one ping reply packet with a response time of 1433ms which is much lower then the configured 7000ms in link monitor.

fly_agaric gravatar imagefly_agaric ( 2021-10-27 15:42:50 +0000 )edit

Have you tried in the Fortinet forums?

Chuckc gravatar imageChuckc ( 2021-10-27 16:26:33 +0000 )edit

Yes i have opend a fortinet support case now. On the forums they say that you should reboot the fortigate firewall but it didn't help in my case.

fly_agaric gravatar imagefly_agaric ( 2021-10-27 21:39:32 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2021-10-27 15:02:26 +0000

Seen: 719 times

Last updated: Oct 28 '21

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2