Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiGate / FortiOS 7.6.5 Administration Guide
    7.6.5
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.11
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.13
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.19
    7.0.18
    7.0.17
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.0

    Allow SD-WAN hubs to suppress BGP routes when all links to a spoke are down New

    Allow SD-WAN hubs to suppress BGP routes when all links to a spoke are down New

    The feature enables hubs to detect when a spoke is dead (no SLA probes over a configurable duration) and suppress routes to that spoke. A BGP route-map-out is used to match this suppression status, and adjusts the multiple exit discriminator (MED) to inform BGP peers of the hub to direct traffic to the spoke through another hub.

    config system sdwan
    config health-check
        edit <name>
            set update-bgp-route {enable | disable}
        next
    end
end
    config router route-map
    edit <name>
        config rule
            edit 1
                set match-suppress {enable | disable}
            next
        end
    next
end
    config router bgp
    config neighbor
        edit <BGP peer IP>
            set attribute-unchanged med
            set route-map-out "suppress_dead_spoke"
        next
    end
end

    Example

    In this example:

    • Spoke-1 has two tunnels, H1_T11 and H1_T22, to Hub-1 and traffic from the external network to spoke-1 normally goes through Hub-1.

    • Spoke-1 has two other tunnels, H2_T11 and H2_T22, to Hub-2 and, if all links and tunnels between Spoke-1 and Hub-1 fail, it is expected that traffic from the external network to Spoke-1 will switchover to Hub-2 by advertising Spoke-1's routes with a higher MED from Hub-1 to the external network.

    To configure Spoke-1:
    config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
        edit "overlay"
        next
        ...
    end
    config members
        ...
        edit 4
            set interface "H1_T11"
            set zone "overlay"
            set source 172.31.0.65
            ...
        next
        edit 5
            set interface "H1_T22"
            set zone "overlay"
            set source 172.31.0.65
            ...
        next
        ...
        edit 7
            set interface "H2_T11"
            set zone "overlay"
            set source 172.31.0.65
            ...
        next
        edit 8
            set interface "H2_T22"
            set zone "overlay"
            set source 172.31.0.65
            ...
        next
        ...
    end
    config health-check
        edit "HUB"
            set server "172.31.100.100"
            set embed-measured-health enable
            set sla-id-redistribute 1
            ...
            set members 4 5 7 8
            config sla
                edit 1
                    set link-cost-factor latency
                    set latency-threshold 100
                next
            end
        next
    end
end
    To configure Hub-1:

    1. Configure SD-WAN:

      As long as one probe packet on a member is not received, the member will be considered as dead. If all members to Spoke-1 are dead, then Spoke-1's routes will be flagged as suppressed. failtime can be used to control convergence time.

      config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
        ...
        edit "overlay"
        next
    end
    config members
        edit 1
            set interface "EDGE_T1"
            set zone "overlay"
        next
        edit 2
            set interface "EDGE_T2"
            set zone "overlay"
        next
        ...
    end
    config health-check
        edit "rmt"
            set detect-mode remote
            set remote-probe-timeout 1000            
            set failtime 1
            set recoverytime 1
            set update-bgp-route enable
            set sla-id-redistribute 1
            set members 1 2
            config sla
                edit 1
                    set link-cost-factor remote
                    ...
                next
            end
        next
    end
end

    2. Configure route maps:

      Suppressed routes are set with an MED of 999, and normal routes with an MED of 10.

      config router route-map
    edit "ACTION_SUPPRESS"
        config rule
            edit 1
                set match-suppress enable
                set set-metric 999
            next
            edit 2
                set set-metric 10
            next
        end
    next
end

    3. Configure BGP settings:

      config router bgp
   ...
    config neighbor
        edit "172.31.0.129"
            ...
            set attribute-unchanged med
            ...
            set route-map-out "ACTION_SUPPRESS"
        next
    end
end
    To configure Hub-2:

    1. Configure SD-WAN:

      config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
        ...
        edit "overlay"
        next
    end
    config members
        edit 1
            set interface "EDGE_T1"
            set zone "overlay"
        next
        edit 2
            set interface "EDGE_T2"
            set zone "overlay"
        next
        ...
    end
    config health-check
        edit "rmt"
            set detect-mode remote
            set remote-probe-timeout 1000
            set failtime 1
            set recoverytime 1
            set update-bgp-route enable
            set sla-id-redistribute 1
            set members 1 2
            config sla
                edit 1
                    set link-cost-factor remote
                    ...
                next
            end
        next
    end
end

    2. Configure route maps:

      Suppressed routes are set with an MED of 999, and normal routes with an MED of 20.

      config router route-map
    edit "ACTION_SUPPRESS"
        config rule
            edit 1
                set match-suppress enable
                set set-metric 999
            next
            edit 2
                set set-metric 20
            next
        end
    next
end

    3. Configure BGP settings:

      config router bgp
   ...
    config neighbor
        edit "172.31.0.129"
            ...
            set attribute-unchanged med
            ...
            set route-map-out "ACTION_SUPPRESS"
        next
    end
end
    To test the configuration:

    1. The SLA status detected by the remote health-check on Hub-1 indicates that the two connections between Hub-1 and Spoke-1 are alive:

      # diagnose sys sdwan  health-check remote
Remote Health Check: rmt(2)
  Passive remote statistics of EDGE_T2(46):
EDGE_T2_0(10.0.0.14): timestamp=10-15 15:59:46.694, src=172.31.0.65, latency=0.233, jitter=0.010, pktloss=0.000%, mos=4.404, SLA id=1(pass), rmt_ver=2, rmt_sla=in, rmt_prio=150, last_sla_change=10-15 15:06:36.610
Remote Health Check: rmt(1)
  Passive remote statistics of EDGE_T1(45):
EDGE_T1_0(172.31.0.65): timestamp=10-15 15:59:46.694, src=172.31.0.65, latency=0.276, jitter=0.029, pktloss=0.000%, mos=4.404, SLA id=1(pass), rmt_ver=2, rmt_sla=in, rmt_prio=100, last_sla_change=10-15 15:06:36.609

DC1_A_FGT (root) (Interim)# diagnose sys link-monitor dynamic-bgp-peers
172.31.0.65(0): alive-count=2, total=2, route-suppressed=0, last_route_change=10-15 15:06:33.999

    2. The external peer receives Spoke-1's routes from Hub-1 and Hub-2.

      The route received from Hub-1 is set as MED 10 and preferred. The route received from Hub-2 is set as MED 20.

      # get router info bgp network 10.0.3.0/24
VRF 0 BGP routing table entry for 10.0.3.0/24
Paths: (2 available, best #1, table Default-IP-Routing-Table)
  Advertised to non peer-group peers:
   172.31.0.2
  Advertised to peer-groups:
  "EDGE"
  Original VRF 0
  65001
    172.31.0.1 from 172.31.0.1 (172.31.0.1)                                                             
      Origin IGP distance 20 metric 10, localpref 100, valid, external, best
      Community: 10:2
      Last update: Wed Oct 15 15:06:52 2025

  Original VRF 0
  65001
    172.31.0.2 from 172.31.0.2 (172.31.0.2)
      Origin IGP distance 20 metric 20, localpref 100, valid, external
      Community: 10:2      
      Last update: Wed Oct 15 15:00:54 2025

    3. Send traffic from external network to Spoke-1's network. The traffic will go through Hub-1 and reach Spoke-1 on H1_T11:

      # diagnose sniffer packet any 'host 10.0.6.1' 4
interfaces=[any]
filters=[host 10.0.6.1]
9.053176 H1_T11 in 10.0.6.1 -> 10.0.3.2: icmp: echo request
9.053584 port4 out 10.0.6.1 -> 10.0.3.2: icmp: echo request
9.053689 port4 in 10.0.3.2 -> 10.0.6.1: icmp: echo reply
9.053760 H1_T11 out 10.0.3.2 -> 10.0.6.1: icmp: echo reply
10.077224 H1_T11 in 10.0.6.1 -> 10.0.3.2: icmp: echo request
10.077354 port4 out 10.0.6.1 -> 10.0.3.2: icmp: echo request
10.077463 port4 in 10.0.3.2 -> 10.0.6.1: icmp: echo reply
10.077526 H1_T11 out 10.0.3.2 -> 10.0.6.1: icmp: echo reply
...

    4. Disable H1_T11 on Spoke-1. Hub-1 will detect it and consider it as dead, as a result, traffic will switch to H1_T22.

      Once probe packet cannot be received on the member from Spoke-1, no statistics will be shown, and the alive-count is changed from 2 to 1.

      # diagnose sys sdwan  health-check remote
Remote Health Check: rmt(2)
  Passive remote statistics of EDGE_T2(46):
EDGE_T2_0(10.0.0.14): timestamp=10-15 16:14:56.136, src=172.31.0.65, latency=0.298, jitter=0.037, pktloss=0.000%, mos=4.404, SLA id=1(pass), rmt_ver=2, rmt_sla=in, rmt_prio=150, last_sla_change=10-15 15:06:36.610
Remote Health Check: rmt(1)
  Passive remote statistics of EDGE_T1(45):

DC1_A_FGT (root) (Interim)# diagnose sys link-monitor dynamic-bgp-peers
172.31.0.65(0): alive-count=1,total=1, route-suppressed=0, last_route_change=10-15 15:06:33.999 
      # diagnose sniffer packet any 'host 10.0.6.1' 4
interfaces=[any]
filters=[host 10.0.6.1]

......

541.094223 port4 in 10.0.3.2 -> 10.0.6.1: icmp: echo reply
541.094279 H1_T22 out 10.0.3.2 -> 10.0.6.1: icmp: echo reply
542.103485 H1_T22 in 10.0.6.1 -> 10.0.3.2: icmp: echo request
542.103614 port4 out 10.0.6.1 -> 10.0.3.2: icmp: echo request
542.103737 port4 in 10.0.3.2 -> 10.0.6.1: icmp: echo reply
542.103794 H1_T22 out 10.0.3.2 -> 10.0.6.1: icmp: echo reply
543.113468 H1_T22 in 10.0.6.1 -> 10.0.3.2: icmp: echo request
543.113602 port4 out 10.0.6.1 -> 10.0.3.2: icmp: echo request

    5. Disable H1_T22 on Spoke-1 as well. All connections between Hub-1 and Spoke-1 are dead. At this point, Spoke-1's routes will be flagged as suppressed and set as med 999, then advertised to the external peer. As a result, traffic will switch over to Hub-2 and reach Spoke-1 on H2_T11.

      The alive-count is also changed from 1 to 0 and the route received from Hub-2 is set as med 20 and preferred.

      # diagnose sys sdwan  health-check remote
Remote Health Check: rmt(2)
  Passive remote statistics of EDGE_T2(46):
Remote Health Check: rmt(1)
  Passive remote statistics of EDGE_T1(45):

DC1_A_FGT (root) (Interim)# diagnose sys link-monitor dynamic-bgp-peers
172.31.0.65(0): alive-count=0,total=1, route-suppressed=1, last_route_change=10-15 16:29:20.629

DC3_FGT (root) (Interim)# get router info bgp network 10.0.3.0/24
VRF 0 BGP routing table entry for 10.0.3.0/24
Paths: (2 available, best #2, table Default-IP-Routing-Table)
  Advertised to non peer-group peers:
   172.31.0.1
  Advertised to peer-groups:
  "EDGE"
  Original VRF 0
  65001
    172.31.0.1 from 172.31.0.1 (172.31.0.1)
      Origin IGP distance 20 metric 999, localpref 100, valid, external
      Community: 10:2
      Last update: Wed Oct 15 16:29:21 2025

  Original VRF 0
  65001
    172.31.0.2 from 172.31.0.2 (172.31.0.2)
      Origin IGP distance 20 metric 20, localpref 100, valid, external, best
      Community: 10:2
      Last update: Wed Oct 15 15:00:54 2025
      # diagnose sniffer packet any 'host 10.0.6.1' 4
interfaces=[any]
filters=[host 10.0.6.1]

......

141.569312 H2_T11 in 10.0.6.1 -> 10.0.3.2: icmp: echo request
141.569454 port4 out 10.0.6.1 -> 10.0.3.2: icmp: echo request
141.569571 port4 in 10.0.3.2 -> 10.0.6.1: icmp: echo reply
141.569630 H2_T11 out 10.0.3.2 -> 10.0.6.1: icmp: echo reply
142.579272 H2_T11 in 10.0.6.1 -> 10.0.3.2: icmp: echo request
142.579410 port4 out 10.0.6.1 -> 10.0.3.2: icmp: echo request
142.579535 port4 in 10.0.3.2 -> 10.0.6.1: icmp: echo reply
142.579599 H2_T11 out 10.0.3.2 -> 10.0.6.1: icmp: echo reply
    Previous
    Next

    Allow SD-WAN hubs to suppress BGP routes when all links to a spoke are down New

    Allow SD-WAN hubs to suppress BGP routes when all links to a spoke are down New

    The feature enables hubs to detect when a spoke is dead (no SLA probes over a configurable duration) and suppress routes to that spoke. A BGP route-map-out is used to match this suppression status, and adjusts the multiple exit discriminator (MED) to inform BGP peers of the hub to direct traffic to the spoke through another hub.

    config system sdwan
    config health-check
        edit <name>
            set update-bgp-route {enable | disable}
        next
    end
end
    config router route-map
    edit <name>
        config rule
            edit 1
                set match-suppress {enable | disable}
            next
        end
    next
end
    config router bgp
    config neighbor
        edit <BGP peer IP>
            set attribute-unchanged med
            set route-map-out "suppress_dead_spoke"
        next
    end
end

    Example

    In this example:

    • Spoke-1 has two tunnels, H1_T11 and H1_T22, to Hub-1 and traffic from the external network to spoke-1 normally goes through Hub-1.

    • Spoke-1 has two other tunnels, H2_T11 and H2_T22, to Hub-2 and, if all links and tunnels between Spoke-1 and Hub-1 fail, it is expected that traffic from the external network to Spoke-1 will switchover to Hub-2 by advertising Spoke-1's routes with a higher MED from Hub-1 to the external network.

    To configure Spoke-1:
    config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
        edit "overlay"
        next
        ...
    end
    config members
        ...
        edit 4
            set interface "H1_T11"
            set zone "overlay"
            set source 172.31.0.65
            ...
        next
        edit 5
            set interface "H1_T22"
            set zone "overlay"
            set source 172.31.0.65
            ...
        next
        ...
        edit 7
            set interface "H2_T11"
            set zone "overlay"
            set source 172.31.0.65
            ...
        next
        edit 8
            set interface "H2_T22"
            set zone "overlay"
            set source 172.31.0.65
            ...
        next
        ...
    end
    config health-check
        edit "HUB"
            set server "172.31.100.100"
            set embed-measured-health enable
            set sla-id-redistribute 1
            ...
            set members 4 5 7 8
            config sla
                edit 1
                    set link-cost-factor latency
                    set latency-threshold 100
                next
            end
        next
    end
end
    To configure Hub-1:

    1. Configure SD-WAN:

      As long as one probe packet on a member is not received, the member will be considered as dead. If all members to Spoke-1 are dead, then Spoke-1's routes will be flagged as suppressed. failtime can be used to control convergence time.

      config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
        ...
        edit "overlay"
        next
    end
    config members
        edit 1
            set interface "EDGE_T1"
            set zone "overlay"
        next
        edit 2
            set interface "EDGE_T2"
            set zone "overlay"
        next
        ...
    end
    config health-check
        edit "rmt"
            set detect-mode remote
            set remote-probe-timeout 1000            
            set failtime 1
            set recoverytime 1
            set update-bgp-route enable
            set sla-id-redistribute 1
            set members 1 2
            config sla
                edit 1
                    set link-cost-factor remote
                    ...
                next
            end
        next
    end
end

    2. Configure route maps:

      Suppressed routes are set with an MED of 999, and normal routes with an MED of 10.

      config router route-map
    edit "ACTION_SUPPRESS"
        config rule
            edit 1
                set match-suppress enable
                set set-metric 999
            next
            edit 2
                set set-metric 10
            next
        end
    next
end

    3. Configure BGP settings:

      config router bgp
   ...
    config neighbor
        edit "172.31.0.129"
            ...
            set attribute-unchanged med
            ...
            set route-map-out "ACTION_SUPPRESS"
        next
    end
end
    To configure Hub-2:

    1. Configure SD-WAN:

      config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
        ...
        edit "overlay"
        next
    end
    config members
        edit 1
            set interface "EDGE_T1"
            set zone "overlay"
        next
        edit 2
            set interface "EDGE_T2"
            set zone "overlay"
        next
        ...
    end
    config health-check
        edit "rmt"
            set detect-mode remote
            set remote-probe-timeout 1000
            set failtime 1
            set recoverytime 1
            set update-bgp-route enable
            set sla-id-redistribute 1
            set members 1 2
            config sla
                edit 1
                    set link-cost-factor remote
                    ...
                next
            end
        next
    end
end

    2. Configure route maps:

      Suppressed routes are set with an MED of 999, and normal routes with an MED of 20.

      config router route-map
    edit "ACTION_SUPPRESS"
        config rule
            edit 1
                set match-suppress enable
                set set-metric 999
            next
            edit 2
                set set-metric 20
            next
        end
    next
end

    3. Configure BGP settings:

      config router bgp
   ...
    config neighbor
        edit "172.31.0.129"
            ...
            set attribute-unchanged med
            ...
            set route-map-out "ACTION_SUPPRESS"
        next
    end
end
    To test the configuration:

    1. The SLA status detected by the remote health-check on Hub-1 indicates that the two connections between Hub-1 and Spoke-1 are alive:

      # diagnose sys sdwan  health-check remote
Remote Health Check: rmt(2)
  Passive remote statistics of EDGE_T2(46):
EDGE_T2_0(10.0.0.14): timestamp=10-15 15:59:46.694, src=172.31.0.65, latency=0.233, jitter=0.010, pktloss=0.000%, mos=4.404, SLA id=1(pass), rmt_ver=2, rmt_sla=in, rmt_prio=150, last_sla_change=10-15 15:06:36.610
Remote Health Check: rmt(1)
  Passive remote statistics of EDGE_T1(45):
EDGE_T1_0(172.31.0.65): timestamp=10-15 15:59:46.694, src=172.31.0.65, latency=0.276, jitter=0.029, pktloss=0.000%, mos=4.404, SLA id=1(pass), rmt_ver=2, rmt_sla=in, rmt_prio=100, last_sla_change=10-15 15:06:36.609

DC1_A_FGT (root) (Interim)# diagnose sys link-monitor dynamic-bgp-peers
172.31.0.65(0): alive-count=2, total=2, route-suppressed=0, last_route_change=10-15 15:06:33.999

    2. The external peer receives Spoke-1's routes from Hub-1 and Hub-2.

      The route received from Hub-1 is set as MED 10 and preferred. The route received from Hub-2 is set as MED 20.

      # get router info bgp network 10.0.3.0/24
VRF 0 BGP routing table entry for 10.0.3.0/24
Paths: (2 available, best #1, table Default-IP-Routing-Table)
  Advertised to non peer-group peers:
   172.31.0.2
  Advertised to peer-groups:
  "EDGE"
  Original VRF 0
  65001
    172.31.0.1 from 172.31.0.1 (172.31.0.1)                                                             
      Origin IGP distance 20 metric 10, localpref 100, valid, external, best
      Community: 10:2
      Last update: Wed Oct 15 15:06:52 2025

  Original VRF 0
  65001
    172.31.0.2 from 172.31.0.2 (172.31.0.2)
      Origin IGP distance 20 metric 20, localpref 100, valid, external
      Community: 10:2      
      Last update: Wed Oct 15 15:00:54 2025

    3. Send traffic from external network to Spoke-1's network. The traffic will go through Hub-1 and reach Spoke-1 on H1_T11:

      # diagnose sniffer packet any 'host 10.0.6.1' 4
interfaces=[any]
filters=[host 10.0.6.1]
9.053176 H1_T11 in 10.0.6.1 -> 10.0.3.2: icmp: echo request
9.053584 port4 out 10.0.6.1 -> 10.0.3.2: icmp: echo request
9.053689 port4 in 10.0.3.2 -> 10.0.6.1: icmp: echo reply
9.053760 H1_T11 out 10.0.3.2 -> 10.0.6.1: icmp: echo reply
10.077224 H1_T11 in 10.0.6.1 -> 10.0.3.2: icmp: echo request
10.077354 port4 out 10.0.6.1 -> 10.0.3.2: icmp: echo request
10.077463 port4 in 10.0.3.2 -> 10.0.6.1: icmp: echo reply
10.077526 H1_T11 out 10.0.3.2 -> 10.0.6.1: icmp: echo reply
...

    4. Disable H1_T11 on Spoke-1. Hub-1 will detect it and consider it as dead, as a result, traffic will switch to H1_T22.

      Once probe packet cannot be received on the member from Spoke-1, no statistics will be shown, and the alive-count is changed from 2 to 1.

      # diagnose sys sdwan  health-check remote
Remote Health Check: rmt(2)
  Passive remote statistics of EDGE_T2(46):
EDGE_T2_0(10.0.0.14): timestamp=10-15 16:14:56.136, src=172.31.0.65, latency=0.298, jitter=0.037, pktloss=0.000%, mos=4.404, SLA id=1(pass), rmt_ver=2, rmt_sla=in, rmt_prio=150, last_sla_change=10-15 15:06:36.610
Remote Health Check: rmt(1)
  Passive remote statistics of EDGE_T1(45):

DC1_A_FGT (root) (Interim)# diagnose sys link-monitor dynamic-bgp-peers
172.31.0.65(0): alive-count=1,total=1, route-suppressed=0, last_route_change=10-15 15:06:33.999 
      # diagnose sniffer packet any 'host 10.0.6.1' 4
interfaces=[any]
filters=[host 10.0.6.1]

......

541.094223 port4 in 10.0.3.2 -> 10.0.6.1: icmp: echo reply
541.094279 H1_T22 out 10.0.3.2 -> 10.0.6.1: icmp: echo reply
542.103485 H1_T22 in 10.0.6.1 -> 10.0.3.2: icmp: echo request
542.103614 port4 out 10.0.6.1 -> 10.0.3.2: icmp: echo request
542.103737 port4 in 10.0.3.2 -> 10.0.6.1: icmp: echo reply
542.103794 H1_T22 out 10.0.3.2 -> 10.0.6.1: icmp: echo reply
543.113468 H1_T22 in 10.0.6.1 -> 10.0.3.2: icmp: echo request
543.113602 port4 out 10.0.6.1 -> 10.0.3.2: icmp: echo request

    5. Disable H1_T22 on Spoke-1 as well. All connections between Hub-1 and Spoke-1 are dead. At this point, Spoke-1's routes will be flagged as suppressed and set as med 999, then advertised to the external peer. As a result, traffic will switch over to Hub-2 and reach Spoke-1 on H2_T11.

      The alive-count is also changed from 1 to 0 and the route received from Hub-2 is set as med 20 and preferred.

      # diagnose sys sdwan  health-check remote
Remote Health Check: rmt(2)
  Passive remote statistics of EDGE_T2(46):
Remote Health Check: rmt(1)
  Passive remote statistics of EDGE_T1(45):

DC1_A_FGT (root) (Interim)# diagnose sys link-monitor dynamic-bgp-peers
172.31.0.65(0): alive-count=0,total=1, route-suppressed=1, last_route_change=10-15 16:29:20.629

DC3_FGT (root) (Interim)# get router info bgp network 10.0.3.0/24
VRF 0 BGP routing table entry for 10.0.3.0/24
Paths: (2 available, best #2, table Default-IP-Routing-Table)
  Advertised to non peer-group peers:
   172.31.0.1
  Advertised to peer-groups:
  "EDGE"
  Original VRF 0
  65001
    172.31.0.1 from 172.31.0.1 (172.31.0.1)
      Origin IGP distance 20 metric 999, localpref 100, valid, external
      Community: 10:2
      Last update: Wed Oct 15 16:29:21 2025

  Original VRF 0
  65001
    172.31.0.2 from 172.31.0.2 (172.31.0.2)
      Origin IGP distance 20 metric 20, localpref 100, valid, external, best
      Community: 10:2
      Last update: Wed Oct 15 15:00:54 2025
      # diagnose sniffer packet any 'host 10.0.6.1' 4
interfaces=[any]
filters=[host 10.0.6.1]

......

141.569312 H2_T11 in 10.0.6.1 -> 10.0.3.2: icmp: echo request
141.569454 port4 out 10.0.6.1 -> 10.0.3.2: icmp: echo request
141.569571 port4 in 10.0.3.2 -> 10.0.6.1: icmp: echo reply
141.569630 H2_T11 out 10.0.3.2 -> 10.0.6.1: icmp: echo reply
142.579272 H2_T11 in 10.0.6.1 -> 10.0.3.2: icmp: echo request
142.579410 port4 out 10.0.6.1 -> 10.0.3.2: icmp: echo request
142.579535 port4 in 10.0.3.2 -> 10.0.6.1: icmp: echo reply
142.579599 H2_T11 out 10.0.3.2 -> 10.0.6.1: icmp: echo reply
    Previous
    Next