Technical Tip: FortiGate HA failover due to memory utilization
Description
This article describes how to configure and validate HA failover due to memory utilization.
This feature is included in FortiOS 7.0.0 onward and 7.2.0 onward (it is not available in 6.4.x). It allows an HA failover to be triggered when the existing primary's memory utilization exceeds the threshold configured by the administrator for a specific amount of time.
Note:
The values used here are for demonstration purposes. A higher threshold should be configured in a production environment to prevent frequent failover of the HA primary.
Important:
Override must be disabled on BOTH Primary and Secondary. Otherwise, there will be another failover immediately based on priority and the old primary will become primary again with high memory usage:
Primary unit selection with override enabled
Scope
FortiGate.
Solution
Initial Configuration.
In the existing environment, an HA pair in an A-P setup is configured with FortiOS 7.0.0. As shown in the following screenshot, the FortiGate with hostname Kancil-kvm39 is selected as the primary because it was configured with the higher priority:

To demonstrate memory-based failover based on this scenario, the following parameters are used for testing purposes:
config system ha
    set memory-based-failover enable
    set memory-failover-threshold 62 <-- The memory usage threshold to trigger a memory-based failover, in percentage (0 - 95, 0 = use the conserve mode threshold, default = 0).
    set memory-failover-sample-rate 1
    set memory-failover-flip-timeout 6
end
If memory usage on Kancil-kvm39 goes below 62% while memory utilization on Iriz-kvm58 rises above 62%, a second failover will occur.
If memory utilization on both FortiGates is above the threshold (62% in this example), no failover will be triggered by the memory utilization criterion.
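The following is an added example, not Fortinet code: a Python check that reads the config system ha block from a configuration backup of each cluster member and flags the conditions this article warns about (override left enabled on either unit, memory-based failover not enabled, a demonstration-level threshold). The 80% floor, the defaults assumed for missing keys and the sample backups are assumptions made for the example.

```python
PRODUCTION_FLOOR = 80  # assumed floor; the article only asks for more than its demo 62

def parse_ha(config_text):
    """Return the top-level `set` values of the `config system ha` block."""
    settings, depth = {}, 0
    for raw in config_text.splitlines():
        tokens = raw.split("<--")[0].split() or [""]   # drop article-style annotations
        if tokens[0] == "config":
            if depth or tokens[1:] == ["system", "ha"]:
                depth += 1                     # depth > 1 means a nested table
        elif tokens[0] == "end" and depth:
            depth -= 1                         # back to 0 closes the HA block
        elif tokens[0] == "set" and depth == 1 and len(tokens) >= 3:
            settings[tokens[1]] = " ".join(tokens[2:]).strip('"')
    return settings

def audit_unit(name, config_text):
    """List the HA settings on one unit that defeat memory-based failover."""
    ha, findings = parse_ha(config_text), []
    # Keys absent from the backup are assumed to be at their default (disable / 0).
    if ha.get("memory-based-failover", "disable") != "enable":
        findings.append(f"{name}: memory-based-failover is not enabled")
    if ha.get("override", "disable") == "enable":
        findings.append(f"{name}: override is enabled, priority will undo the failover")
    threshold = int(ha.get("memory-failover-threshold", "0"))
    if 0 < threshold < PRODUCTION_FLOOR:       # 0 means the conserve mode threshold
        findings.append(f"{name}: threshold {threshold}% is below {PRODUCTION_FLOOR}%")
    return findings

# Constructed backups for the article's two hostnames, not real device output.
BACKUPS = {
    "Kancil-kvm39": """config system ha
    set override enable
    set memory-based-failover enable
    set memory-failover-threshold 62 <-- demo value
end""",
    "Iriz-kvm58": """config system ha
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
        next
    end
    set memory-failover-threshold 62
end""",
}

if __name__ == "__main__":
    print("\n".join(f for u, t in BACKUPS.items() for f in audit_unit(u, t)))
```

Both units must be audited separately because the override setting has to be checked on the primary and on the secondary.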
Verification.
diagnose debug enable <-- A message indicating that mem-failover-flag changed will be shown in the debug messages:


