When a site-to-site IPsec VPN tunnel fails, the impact is immediate. Branch offices lose access to shared resources, applications disconnect, and productivity stops. For organizations that depend on VPN connectivity between sites or data centers, reliable failover is critical.
On FortiGate firewalls, a common approach to prevent outages is configuring dual IPsec tunnels and using SD-WAN to control routing. In this design, both tunnels remain active while predefined routing rules determine the preferred path.
However, during a deployment involving a FortiGate connected to a third-party firewall, I encountered an issue where traffic did not consistently use the correct tunnel. Although both tunnels showed as operational, routing did not always behave as expected, which produced unpredictable traffic flows and dropped traffic.
The solution was to implement the “set monitor” command to ensure that primary tunnel health was properly tracked and that failover occurred reliably when the primary path went offline.
What is “set monitor”?
Typically, when you configure two VPN tunnels for redundancy, both interfaces may attempt to stay “up” simultaneously, leading to complex routing decisions or asymmetric traffic. The “set monitor” feature simplifies this by creating a logical dependency between two tunnels.
By applying set monitor to a backup tunnel and pointing it toward a primary tunnel, you ensure that the backup remains dormant (down) as long as the primary is active. The moment the primary tunnel fails, the backup detects the state change and immediately starts to take over the traffic.
Step-by-step implementation
To get started, ensure both your primary and backup tunnels are configured with the correct settings.
Once your tunnels are ready, go into the CLI to link them together. Assuming your primary tunnel is named “VPN_Primary” and your backup is “VPN_Backup,” use the following commands:
config vpn ipsec phase1-interface
    edit "VPN_Backup"
        set monitor "VPN_Primary"
    next
end
By adding this single configuration line, you have told the FortiGate: “Do not bring up the backup tunnel unless the primary tunnel goes down.”
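As an added worked example (not the original post's configuration), here is a complete pair of tunnel definitions with set monitor on the backup, DPD enabled so the FortiGate actually detects a dead primary peer, and a hold-down delay so a flapping primary does not bounce traffic back and forth. Interface names, peer addresses, subnets and the two static routes are assumptions; the pre-shared key is a placeholder, and the hold-down options require a FortiOS release that supports them.

```fortios
# Added example, not the post's config: interfaces, peers and subnets are assumed; the PSK is a placeholder
config vpn ipsec phase1-interface
    edit "VPN_Primary"
        set interface "wan1"
        # DPD on an idle tunnel is what lets the FortiGate notice a dead peer and trigger the monitor
        set dpd on-idle
        set dpd-retryinterval 5
        set remote-gw 203.0.113.10
        set psksecret <PRESHARED-KEY-PLACEHOLDER>
    next
    edit "VPN_Backup"
        set interface "wan2"
        set dpd on-idle
        set dpd-retryinterval 5
        set remote-gw 198.51.100.20
        set psksecret <PRESHARED-KEY-PLACEHOLDER>
        # Stay down while VPN_Primary is up; after it recovers, wait 30 s before failing back
        set monitor "VPN_Primary"
        set monitor-hold-down-type delay
        set monitor-hold-down-delay 30
    next
end
config vpn ipsec phase2-interface
    edit "VPN_Primary_p2"
        set phase1name "VPN_Primary"
        set auto-negotiate enable
        set src-subnet 10.1.0.0 255.255.0.0
        set dst-subnet 10.2.0.0 255.255.0.0
    next
    edit "VPN_Backup_p2"
        set phase1name "VPN_Backup"
        set auto-negotiate enable
        set src-subnet 10.1.0.0 255.255.0.0
        set dst-subnet 10.2.0.0 255.255.0.0
    next
end
# Routes to the remote LAN over each tunnel; the backup route is only installed once VPN_Backup comes up
config router static
    edit 10
        set dst 10.2.0.0 255.255.0.0
        set device "VPN_Primary"
        set distance 10
    next
    edit 11
        set dst 10.2.0.0 255.255.0.0
        set device "VPN_Backup"
        set distance 20
    next
end
```

The remote firewall must hold matching tunnel and selector definitions for both peers, and the primary's DPD settings govern how quickly the failover is noticed.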
Verifying the failover
Testing is the most critical part of any redundancy plan. You can verify the set monitor behavior with a packet sniffer or by checking the routing table:
- Before failure: run the command get router info routing-table all; the routes to the remote site should show your primary tunnel interface.
- During failure: once the primary link is cut, the backup tunnel will transition to “Up,” and the routing table will automatically update to reflect the backup interface.
- Recovery: when the primary tunnel recovers, the set monitor logic will gracefully shut down the backup and revert traffic to the primary path.
Conclusion
The set monitor feature is a powerful tool for network administrators looking for a simple way to have IPsec VPN failover. By creating a clear hierarchy between your primary and secondary links, you ensure that your network remains resilient against ISP hardware failures or outages.
Have any questions?
Have any questions about setting up a failover with FortiGate using the set monitor feature or how Sikich can assist with your network administration?
This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.