Bounce VPN tunnel on Link Monitor Failure

Overview

This guide shows how to bounce a VPN tunnel automatically when a link monitor fails on a FortiGate.

In a “Dialup user” tunnel scenario, this should be done on the remote side, which uses “Static IP address” or “Dynamic DNS”.

Procedure

  1. Create a link monitor

Replace sites-vpn with your VPN tunnel interface name.

config system link-monitor
edit "Tunnel-Monitor"
# Set srcintf to your VPN tunnel interface
set srcintf "sites-vpn"
# Set server to an IP address that is accessible through the tunnel, ideally, the IP of the VPN interface at the remote end
set server "10.11.0.1"
set interval 1000
set update-cascade-interface disable
set update-static-route disable
set update-policy-route disable
next
end

  2. Verify the link monitor is working with diagnose sys link-monitor status

Link Monitor: Tunnel-Monitor, Status: alive, Server num(1), cfg_version=0 HA state: local(alive), shared(alive)
Flags=0x1 init, Create time: Sun Jun 7 13:27:17 2026
Source interface: sites-vpn (35)
VRF: 0
Interval: 1000 ms
Service-detect: disable
Diffservcode: 000000
Class-ID: 0
Transport-Group: 0
Class-ID: 0
Peer: 10.11.0.1(10.11.0.1)
Source IP(10.11.0.2)
Route: 10.11.0.2->10.11.0.1/32, gwy(GATEWAY_IP_ADDRESS)
protocol: ping, state: alive
Latency(Min/Max/Avg): 50.445/74.290/56.318 ms
Jitter(Min/Max/Avg): 0.037/22.372/4.585 ms
Packet lost: 0.000%
MOS: 4.370
Number of out-of-sequence packets: 0
Fail Times(0/5)
Packet sent: 191, received: 191, Sequence(sent/rcvd/exp): 192/192/193

Make sure the state shows alive.

  3. Create an Automation Trigger

config system automation-trigger
edit "Trigger-Tunnel-Down"
set event-type event-log
# Trigger on EVENT_LINK_MONITOR_STATUS_WARNING (Link monitor status warning)
# Alive->Dead, not initial state dead
# https://docs.fortinet.com/document/fortiproxy/7.6.0/log-message-reference/22932/22932-log-id-event-link-monitor-status-warning
set logid 22932
config fields
edit 1
set name "name"
set value "Tunnel-Monitor"
next
end
next
end

  4. Create an Automation Action to bounce the tunnel

Replace sites-vpn with your VPN tunnel interface name.

config system automation-action
edit "Action-sites-vpn-down"
set action-type cli-script
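# accprofile is the admin profile the script runs with; it must be allowed to change the interface status
set accprofile "super_admin"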
set script "config system interface
edit sites-vpn
set status down
end"
next
edit "Action-sites-vpn-up"
set action-type cli-script
set accprofile "super_admin"
set script "config system interface
edit sites-vpn
set status up
end"
next
end

  5. Create an Automation Stitch

Replace sites-vpn with your VPN tunnel interface name.

config system automation-stitch
edit "Restart-sites-vpn"
set trigger "Trigger-Tunnel-Down"
config actions
edit 1
set action "Action-sites-vpn-down"
set required enable
next
edit 2
set action "Action-sites-vpn-up"
# Wait 3 seconds before running the up action
set delay 3
set required enable
next
end
next
end
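
A scripted version of the step 2 check, added here as an example and not part of the original guide: it parses saved diagnose sys link-monitor status output and reports anything that would keep the monitor from producing the alive-to-dead event the trigger waits for. The function names, field keys and abridged sample are assumptions made for this example; any state other than alive is treated as a problem.

```python
import re

# Constructed sample: abridged copy of the step 2 output shown on this page.
SAMPLE = """\
Link Monitor: Tunnel-Monitor, Status: alive, Server num(1), cfg_version=0 HA state: local(alive), shared(alive)
Source interface: sites-vpn (35)
Peer: 10.11.0.1(10.11.0.1)
protocol: ping, state: alive
Fail Times(0/5)
"""

# Field names on the left are this script's own, not FortiOS identifiers.
FIELDS = {
    "status": r"^Link Monitor: .+?, Status: (\w+)",
    "srcintf": r"^Source interface: (\S+)",
    "peer": r"^Peer: ([^(\s]+)",
    "state": r"^protocol: \w+, state: (\w+)",
    "fails": r"^Fail Times\((\d+)/\d+\)",
}

def parse_status(text, monitor):
    """Return the parsed fields of the named monitor, or {} if it is absent."""
    text = "\n".join(line.strip() for line in text.splitlines())
    for block in re.split(r"(?m)^(?=Link Monitor: )", text):
        if block.startswith(f"Link Monitor: {monitor},"):
            hits = {k: re.search(p, block, re.M) for k, p in FIELDS.items()}
            return {k: m.group(1) for k, m in hits.items() if m}
    return {}

def problems(text, monitor, srcintf, peer):
    """List reasons the monitor would not give a clean alive-to-dead event."""
    f = parse_status(text, monitor)
    if not f:
        return [f"monitor {monitor!r} not found"]
    found = []
    if f.get("srcintf") != srcintf:
        found.append(f"source interface is {f.get('srcintf')}, not {srcintf}")
    if f.get("peer") != peer:
        found.append(f"peer is {f.get('peer')}, not {peer}")
    if f.get("status") != "alive" or f.get("state") != "alive":
        found.append("monitor or probe is not alive")
    if int(f.get("fails", 0)) > 0:
        found.append(f"{f['fails']} probe failures counted")
    return found

if __name__ == "__main__":
    for issue in problems(SAMPLE, "Tunnel-Monitor", "sites-vpn", "10.11.0.1"):
        print("PROBLEM:", issue)
```

An empty list means the monitor is bound to the expected tunnel interface and peer and is currently alive, which is the starting state the stitch depends on.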