Remote link failover
Remote link failover (also called remote IP monitoring) is similar to interface monitoring and link health monitoring (also known as dead gateway detection). Remote IP monitoring uses link health monitors to test connectivity between the primary FortiGate-7000 and remote network devices such as a downstream router. Remote IP monitoring causes a failover if one or more of these remote IP addresses does not respond to link health checking.
In the simplified example topology shown above, the switch connected directly to the primary FortiGate-7000 is operating normally but the link on the other side of the switches fails. As a result, traffic can no longer flow between the primary FortiGate-7000 and the Internet.
This section highlights some aspects of primary FortiGate-7000 remote link failover. For more details about how this works, see Remote link failover.
Configuring remote IP monitoring
Enter the following command to enable HA remote IP monitoring on the 1-B1/1 interface:
config system ha
    set pingserver-monitor-interface 1-B1/1
    set pingserver-failover-threshold 5
    set pingserver-flip-timeout 120
end
pingserver-failover-threshold is set to the default value of 5. This means a failover occurs if the link health monitor doesn't get a response after 5 attempts.
pingserver-flip-timeout is set to 120 minutes. After a failover, if HA remote IP monitoring on the new primary unit also causes a failover, the flip timeout prevents the failover from occurring until the timer runs out. Setting the pingserver-flip-timeout to 120 means that remote IP monitoring can only cause a failover every 120 minutes. This flip timeout is required to prevent repeating failovers if remote IP monitoring causes a failover from all cluster units because none of the cluster units can connect to the monitored IP addresses.
Enter the following command to add a link health monitor for the 1-B1/1 interface and to set HA remote IP monitoring priority for this link health monitor.
config system link-monitor
    edit <monitor-name>
        set server 192.168.20.20
        set srcintf port2
        set ha-priority 1
        set interval 5
        set failtime 2
    next
end
detectserver option sets the remote IP address to monitor to 192.168.20.20.
ha-priority keyword set to the default value of 1. You only need to change this priority if you change the HA
ha-priority setting is not synchronized among the FortiGate-7000s in the HA configuration.
Use the interval option to set the time between link health checks and use the failtime keyword to set the number of times that a health check can fail before a failure is detected (the failover threshold). The example reduces the failover threshold to 2 but keeps the health check interval at the default value of 5.
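The interaction of interval, failtime and pingserver-flip-timeout described above, as an added Python sketch that is not Fortinet code. It is a simplified model: it assumes the monitored IP is unreachable from every cluster unit during the outage and does not model pingserver-failover-threshold or ha-priority. The names MonitorConfig and simulate_failovers are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class MonitorConfig:
    interval_s: int = 5          # set interval 5: seconds between health checks
    failtime: int = 2            # set failtime 2: failed checks before link is down
    flip_timeout_min: int = 120  # set pingserver-flip-timeout 120: minutes

def simulate_failovers(outage_start_s, outage_end_s, cfg, horizon_s):
    """Return the times (in seconds) at which a failover is triggered.

    Simplified model, not FortiOS code. Assumption: between outage_start_s
    and outage_end_s no cluster unit can reach the monitored IP, and the
    current primary runs one health check every cfg.interval_s seconds.
    """
    failovers = []
    misses = 0            # consecutive failed checks seen by the current primary
    last_failover = None  # time of the most recent failover, if any
    flip_s = cfg.flip_timeout_min * 60
    for t in range(cfg.interval_s, horizon_s + 1, cfg.interval_s):
        reachable = not (outage_start_s <= t < outage_end_s)
        misses = 0 if reachable else misses + 1
        if misses < cfg.failtime:
            continue  # link not declared down (yet)
        # Link is down, but the flip timeout blocks another failover
        # until the timer started by the previous one has run out.
        if last_failover is not None and t - last_failover < flip_s:
            continue
        failovers.append(t)
        last_failover = t
        misses = 0  # the new primary starts its own health checks
    return failovers

if __name__ == "__main__":
    three_hours = 3 * 60 * 60
    # Constructed scenario: the remote IP is down for three hours.
    print(simulate_failovers(0, three_hours, MonitorConfig(), three_hours))
    # Model-only value 0 shows the flapping that the flip timeout prevents.
    print(simulate_failovers(0, 60, MonitorConfig(flip_timeout_min=0), 60))
    # A single missed check (failtime not reached) causes no failover.
    print(simulate_failovers(0, 8, MonitorConfig(), 60))
```

With the example settings the model detects the outage after interval × failtime = 10 seconds, and the flip timeout holds the next failover back until 120 minutes after the first.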