Bounce VPN tunnel on Link Monitor Failure
Overview
This guide will show you how to bounce a VPN tunnel automatically when a link monitor fails on FortiGate.
In a “Dialup User” tunnel scenario, configure this on the remote (spoke) side, that is, on the FortiGate whose Remote Gateway is set to “Static IP Address” or “Dynamic DNS”. That side initiates the tunnel, so bouncing its interface forces a fresh IKE negotiation; the hub side that is set to “Dialup User” only accepts connections and cannot re-establish the tunnel on its own.
Procedure
- Create a link monitor
Replace sites-vpn with your VPN tunnel interface name.
```
config system link-monitor
    edit "Tunnel-Monitor"
        # Set srcintf to your VPN tunnel interface
        set srcintf "sites-vpn"
        # Set server to an IP address that is reachable through the tunnel,
        # ideally the IP of the VPN interface at the remote end
        set server "10.11.0.1"
        set interval 1000
        # Leave routing untouched; the monitor only needs to generate the
        # status log event that the automation stitch reacts to
        set update-cascade-interface disable
        set update-static-route disable
        set update-policy-route disable
    next
end
```

- Verify the link monitor is working with

```
diagnose sys link-monitor status
```

```
Link Monitor: Tunnel-Monitor, Status: alive, Server num(1), cfg_version=0 HA state: local(alive), shared(alive)
Flags=0x1 init, Create time: Sun Jun  7 13:27:17 2026
Source interface: sites-vpn (35)
VRF: 0
Interval: 1000 ms
Service-detect: disable
Diffservcode: 000000
Class-ID: 0
Transport-Group: 0
Class-ID: 0
  Peer: 10.11.0.1(10.11.0.1)
    Source IP(10.11.0.2)
    Route: 10.11.0.2->10.11.0.1/32, gwy(GATEWAY_IP_ADDRESS)
    protocol: ping, state: alive
      Latency(Min/Max/Avg): 50.445/74.290/56.318 ms
      Jitter(Min/Max/Avg): 0.037/22.372/4.585 ms
      Packet lost: 0.000%
      MOS: 4.370
      Number of out-of-sequence packets: 0
      Fail Times(0/5)
      Packet sent: 191, received: 191, Sequence(sent/rcvd/exp): 192/192/193
```

Ensure that both the monitor `Status` and the peer `state` show `alive`, that `Packet lost` is 0% (or close to it) and that `Fail Times` reads `0/5` before relying on this monitor to drive the stitch. If the peer is already `dead` at this point, fix reachability of the probe target first: the trigger below only fires on an alive-to-dead transition, so a monitor that starts out dead will never bounce the tunnel.
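If you collect `diagnose sys link-monitor status` output over SSH from several FortiGates, it is useful to turn the verification step above into a check that can be run automatically. The following is an added example (not part of this guide or of FortiOS) that parses the status block shown above and decides whether the monitor is usable as a stitch trigger. Both samples are constructed: the healthy one mirrors the output on this page, the dead one is what the same monitor looks like after the peer stops answering. The loss threshold and the field names in the returned dict are this example's own choices.

```python
import re

# Constructed sample modelled on the healthy output shown in this guide.
SAMPLE_ALIVE = """\
Link Monitor: Tunnel-Monitor, Status: alive, Server num(1), cfg_version=0 HA state: local(alive), shared(alive)
Flags=0x1 init, Create time: Sun Jun  7 13:27:17 2026
Source interface: sites-vpn (35)
VRF: 0
Interval: 1000 ms
  Peer: 10.11.0.1(10.11.0.1)
    Source IP(10.11.0.2)
    Route: 10.11.0.2->10.11.0.1/32, gwy(GATEWAY_IP_ADDRESS)
    protocol: ping, state: alive
      Latency(Min/Max/Avg): 50.445/74.290/56.318 ms
      Jitter(Min/Max/Avg): 0.037/22.372/4.585 ms
      Packet lost: 0.000%
      MOS: 4.370
      Number of out-of-sequence packets: 0
      Fail Times(0/5)
      Packet sent: 191, received: 191, Sequence(sent/rcvd/exp): 192/192/193
"""

# Constructed sample of the same monitor after the peer stopped answering.
SAMPLE_DEAD = """\
Link Monitor: Tunnel-Monitor, Status: dead, Server num(1), cfg_version=0 HA state: local(dead), shared(dead)
Flags=0x1 init, Create time: Sun Jun  7 13:27:17 2026
Source interface: sites-vpn (35)
VRF: 0
Interval: 1000 ms
  Peer: 10.11.0.1(10.11.0.1)
    Source IP(10.11.0.2)
    Route: 10.11.0.2->10.11.0.1/32, gwy(GATEWAY_IP_ADDRESS)
    protocol: ping, state: dead
      Latency(Min/Max/Avg): 0.000/0.000/0.000 ms
      Jitter(Min/Max/Avg): 0.000/0.000/0.000 ms
      Packet lost: 100.000%
      MOS: 0.000
      Number of out-of-sequence packets: 0
      Fail Times(5/5)
      Packet sent: 240, received: 191, Sequence(sent/rcvd/exp): 241/192/193
"""

HEADER_RE = re.compile(r"^Link Monitor: (?P<name>[^,]+), Status: (?P<status>\w+)")
SRCINTF_RE = re.compile(r"^Source interface: (?P<intf>\S+)")
PEER_RE = re.compile(r"^\s*Peer: (?P<peer>[\d.]+)")
STATE_RE = re.compile(r"^\s*protocol: (?P<proto>\w+), state: (?P<state>\w+)")
LOSS_RE = re.compile(r"^\s*Packet lost: (?P<loss>[\d.]+)%")
FAIL_RE = re.compile(r"^\s*Fail Times\((?P<fails>\d+)/(?P<limit>\d+)\)")
SENT_RE = re.compile(r"^\s*Packet sent: (?P<sent>\d+), received: (?P<recv>\d+)")


def parse_link_monitor(text):
    """Parse one monitor's status block into a dict.

    Only the fields needed to judge whether the tunnel is usable are kept:
    overall status, source interface and, per peer, state, loss, the
    consecutive-failure counter and the sent/received counters.
    """
    result = {"peers": []}
    peer = None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            result["name"] = m["name"]
            result["status"] = m["status"]
        elif m := SRCINTF_RE.match(line):
            result["srcintf"] = m["intf"]
        elif m := PEER_RE.match(line):
            peer = {"peer": m["peer"]}
            result["peers"].append(peer)
        elif peer is not None:
            if m := STATE_RE.match(line):
                peer["protocol"] = m["proto"]
                peer["state"] = m["state"]
            elif m := LOSS_RE.match(line):
                peer["loss_pct"] = float(m["loss"])
            elif m := FAIL_RE.match(line):
                peer["fails"] = int(m["fails"])
                peer["fail_limit"] = int(m["limit"])
            elif m := SENT_RE.match(line):
                peer["sent"] = int(m["sent"])
                peer["received"] = int(m["recv"])
    return result


def check_monitor(report, expected_intf, max_loss_pct=5.0):
    """Return (healthy, reasons). max_loss_pct is an arbitrary threshold
    chosen for this example; a probe that is lossy but not yet dead is
    worth flagging before the stitch ever fires."""
    reasons = []
    if report.get("status") != "alive":
        reasons.append(f"monitor status is {report.get('status')}")
    if report.get("srcintf") != expected_intf:
        reasons.append(f"source interface is {report.get('srcintf')}, expected {expected_intf}")
    if not report["peers"]:
        reasons.append("no peer entries in output")
    for p in report["peers"]:
        if p.get("state") != "alive":
            reasons.append(f"peer {p['peer']} state is {p.get('state')}")
        if p.get("loss_pct", 100.0) > max_loss_pct:
            reasons.append(f"peer {p['peer']} packet loss {p.get('loss_pct')}%")
        if p.get("fails", 0) > 0:
            reasons.append(f"peer {p['peer']} has {p['fails']}/{p.get('fail_limit')} consecutive failures")
    return (not reasons, reasons)


if __name__ == "__main__":
    for label, sample in (("alive", SAMPLE_ALIVE), ("dead", SAMPLE_DEAD)):
        ok, why = check_monitor(parse_link_monitor(sample), "sites-vpn")
        print(label, "healthy" if ok else "unhealthy", why)
```

The source-interface check matters in practice: a monitor whose `srcintf` is not the tunnel interface can report `alive` via the underlay while the tunnel itself is down, and the stitch would then never fire.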
- Create an Automation Trigger
```
config system automation-trigger
    edit "Trigger-Tunnel-Down"
        set event-type event-log
        # Trigger on EVENT_LINK_MONITOR_STATUS_WARNING (Link monitor status warning).
        # This log is written on the alive-to-dead transition only, not for a
        # monitor whose initial state is dead.
        # https://docs.fortinet.com/document/fortiproxy/7.6.0/log-message-reference/22932/22932-log-id-event-link-monitor-status-warning
        set logid 22932
        config fields
            edit 1
                set name "name"
                set value "Tunnel-Monitor"
            next
        end
    next
end
```

The `fields` filter restricts the trigger to log messages whose `name` field is this link monitor, so other link monitors on the same unit do not bounce the tunnel.

- Create an Automation Action to bounce the tunnel
Replace sites-vpn with your VPN tunnel interface name.

```
config system automation-action
    edit "Action-sites-vpn-down"
        set action-type cli-script
        set accprofile "super_admin"
        set script "config system interface edit sites-vpn set status down end"
    next
    edit "Action-sites-vpn-up"
        set action-type cli-script
        set accprofile "super_admin"
        set script "config system interface edit sites-vpn set status up end"
    next
end
```

A CLI script action runs with the rights of the profile named in `accprofile`. `super_admin` works, but it gives the script unrestricted access to the configuration; since the script only changes the administrative status of one interface, consider assigning a dedicated admin profile that is limited to network configuration instead.

- Create an Automation Stitch
Replace sites-vpn with your VPN tunnel interface name.
```
config system automation-stitch
    edit "Restart-sites-vpn"
        set trigger "Trigger-Tunnel-Down"
        config actions
            edit 1
                set action "Action-sites-vpn-down"
                set required enable
            next
            edit 2
                set action "Action-sites-vpn-up"
                set delay 3
                set required enable
            next
        end
    next
end
```

The `delay 3` on the second action waits three seconds after the interface has been shut down before bringing it back up, which is enough for the IKE SAs to be torn down so that the tunnel is renegotiated from scratch rather than resumed. `required enable` marks each action as mandatory in the chain: if shutting the interface down fails, the stitch stops instead of running the "up" action against an interface that was never taken down. Because the trigger fires only on the alive-to-dead transition, the stitch runs once per outage; if the tunnel does not come back after the bounce, the monitor stays dead and no further bounce is attempted until it has been alive again.