
Fortigate 60F Link Monitor


Hello guys

I have a FortiGate 60F firewall and 2 WAN links configured with SD-WAN. An SLA link monitor is configured to ping a remote IP every 2 seconds with a latency threshold of 7000ms and 20 failures before it becomes unavailable. My problem is that the Forti event log says "The member2(wan2) link is unreachable or miss threshold. Stop forwarding traffic. " I have created a Wireshark trace directly from the FortiGate and it shows that the Identifier (BE) in the ICMP field changes while the log message in the FortiGate firewall is shown.

When the wan2 interface is more or less idle the BE Identifier does not change; only when there is congestion, for example a simple HTTP download, does it change, about 60 seconds after the download is initiated.

Does anyone know what this BE identifier means? I am not seeing any packet loss in the trace because the sequence numbers are intact.


fly_agaric
asked 2021-10-27 15:02:26 +0000

Comments

I have applied the display filter "not icmp.resp_in and icmp.type==8" so I guess that there is no packet loss occurring from FortiGate to server 83.141.2.108.

fly_agaric (2021-10-27 15:16:29 +0000)

2 Answers


The behavior of the ICMP Identifier field was improved with 17045 - icmp.ident - separate combined column for be/le.

The BE means Big Endian. The merge request above allows the Ident field to be displayed as Big Endian or Little Endian. To kick the tires on this, download Development Release (3.6.0rc1).

RFC 792 INTERNET CONTROL MESSAGE PROTOCOL (pg.14) describes the Identifier and Sequence Number fields. ("... may be used ...") How they are used is very loosey goosey and varies based on how ICMP was implemented in the device stack.

Chuckc
answered 2021-10-27 15:29:35 +0000, updated 2021-10-27 15:31:46 +0000

Comments

Okay, it says the ID may be used to identify a session. So I guess when I see the ID changing for the FortiGate firewall it might be the signal to fail over to the other link or something, but I am asking why this is happening. I filtered the ICMP trace with icmp.resptime >= 1400 and it only shows one ping reply packet with a response time of 1433ms, which is much lower than the configured 7000ms in the link monitor.

fly_agaric (2021-10-27 15:42:50 +0000)

Have you tried in the Fortinet forums?

Chuckc (2021-10-27 16:26:33 +0000)

Yes, I have opened a Fortinet support case now. On the forums they say that you should reboot the FortiGate firewall, but it didn't help in my case.

fly_agaric (2021-10-27 21:39:32 +0000)

Thank you for your help. I have found the issue by excessive Google search here: https://kb.fortinet.com/kb/documentLi...

There is a separate latency option for the maximum acceptable latency before the FortiGate considers the packet as lost: set probe-timeout

The default value is only 500ms, so even if Wireshark reports no packet loss, FortiGate says if the ICMP response time is > 500 ms then consider it as loss. I have changed the value now to 5000 ms, its max value, and now it seems to work.

fly_agaric
answered 2021-10-28 10:35:49 +0000
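The two views of "loss" in this thread side by side, as an added example that is not from the poster or from Fortinet: a constructed probe log (every echo request answered, contiguous sequence numbers, but slow replies under congestion) run through Wireshark's unanswered-request check and through a simplified model of the SLA logic with probe-timeout (500 ms default, 5000 ms after the fix), the 20-failure count and the 7000 ms latency threshold. The SLA model is an assumption for illustration; FortiGate's real windowed averaging is not reproduced.

```python
# Constructed probe log: (icmp seq, request time, reply time) in seconds.
# Every request is answered and sequence numbers are contiguous, so the
# thread's "not icmp.resp_in and icmp.type==8" filter matches nothing.
# The congested stretch (seq 6 onward) still replies, just slowly.
STEADY = [(s, s * 2.0, s * 2.0 + 0.020) for s in range(1, 6)]
SLOW_RTTS = [0.65, 0.80, 1.10, 1.433] * 5 + [0.70, 0.90]
CONGESTED = [(s, s * 2.0, s * 2.0 + r) for s, r in zip(range(6, 28), SLOW_RTTS)]
SAMPLE_PROBES = STEADY + CONGESTED

def rtt_ms(probe):
    """Round-trip time of one probe in milliseconds (None if unanswered)."""
    _, sent, received = probe
    return None if received is None else (received - sent) * 1000.0

def unanswered(probes):
    """Wireshark's view of loss: echo requests with no matching reply."""
    return [seq for seq, _, received in probes if received is None]

def probe_lost(probe, probe_timeout_ms):
    """FortiGate's view (assumed model): no reply within probe-timeout is a lost probe."""
    rtt = rtt_ms(probe)
    return rtt is None or rtt > probe_timeout_ms

def longest_loss_streak(probes, probe_timeout_ms):
    """Longest run of consecutive lost probes under a given probe-timeout."""
    streak = best = 0
    for probe in probes:
        streak = streak + 1 if probe_lost(probe, probe_timeout_ms) else 0
        best = max(best, streak)
    return best

def sla_verdict(probes, probe_timeout_ms=500, failures=20, latency_threshold_ms=7000):
    """Why the member would be marked down: 'loss', 'latency' or None (healthy).

    Simplified model, not FortiGate's real windowed averaging: `failures`
    consecutive lost probes, or an in-time reply above the latency threshold,
    marks the link down. The latency test only sees replies that beat
    probe-timeout, so with 500 ms < 7000 ms it can never be the trigger.
    """
    if longest_loss_streak(probes, probe_timeout_ms) >= failures:
        return "loss"
    in_time = [rtt_ms(p) for p in probes if not probe_lost(p, probe_timeout_ms)]
    if any(r > latency_threshold_ms for r in in_time):
        return "latency"
    return None
```

With the default 500 ms probe-timeout the constructed log yields 22 consecutive "lost" probes and a "loss" verdict although Wireshark sees no unanswered request; with probe-timeout raised to 5000 ms the same log is healthy.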

