Lucas_Piris
New Member
August 12, 2015
Question

HA with load balance all retransmission

  • August 12, 2015
  • 6 replies
  • 12619 views

Hi,

We have a FortiGate HA cluster with load-balance-all enabled, and while monitoring its behavior I can see many retransmissions between slave and master, just when the slave unit processes the packet; see this picture:

Does anyone know if this is normal when load balance all is enabled?

Regards

Lucas
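One way to quantify what a capture like the one in the screenshot shows, as an added example that is not from this thread or from Fortinet: a small Python retransmission detector run over constructed packet records. The `unit` field is an assumed label standing in for whatever you use (source MAC, capture interface) to tell which cluster member emitted the frame.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed capture (not real data): ts, unit, src, dst, seq, payload_len, flags.
# A client -> server HTTPS flow whose data segments reappear from the slave
# shortly after the master already forwarded them.
Packet = Tuple[float, str, str, str, int, int, str]
PACKETS: List[Packet] = [
    (0.000, "master", "10.0.0.5:51000", "10.0.1.10:443", 1000, 0, "S"),
    (0.001, "master", "10.0.1.10:443", "10.0.0.5:51000", 5000, 0, "SA"),
    (0.002, "master", "10.0.0.5:51000", "10.0.1.10:443", 1001, 0, "A"),
    (0.003, "master", "10.0.0.5:51000", "10.0.1.10:443", 1001, 200, "PA"),
    (0.010, "slave",  "10.0.0.5:51000", "10.0.1.10:443", 1001, 200, "PA"),  # repeat
    (0.011, "master", "10.0.1.10:443", "10.0.0.5:51000", 5001, 0, "A"),
    (0.012, "master", "10.0.0.5:51000", "10.0.1.10:443", 1201, 300, "PA"),
    (0.020, "slave",  "10.0.0.5:51000", "10.0.1.10:443", 1201, 300, "PA"),  # repeat
    (0.021, "master", "10.0.0.5:51000", "10.0.1.10:443", 1501, 0, "A"),     # pure ACK
]


def _seg_len(payload_len: int, flags: str) -> int:
    # SYN and FIN each consume one sequence number in addition to payload bytes.
    return payload_len + ("S" in flags) + ("F" in flags)


def find_retransmissions(packets: List[Packet]):
    """Return (retransmitted packets, count per emitting unit).

    Heuristic per direction: remember the highest sequence number already
    covered; a segment carrying data (or SYN/FIN) that starts below that point
    re-sends bytes the peer was already offered. Sequence wraparound and
    keep-alives are ignored to keep the check short.
    """
    next_seq: Dict[Tuple[str, str], int] = {}
    retrans: List[Packet] = []
    per_unit: Dict[str, int] = defaultdict(int)
    for pkt in packets:
        _, unit, src, dst, seq, payload_len, flags = pkt
        seglen = _seg_len(payload_len, flags)
        if seglen == 0:
            continue  # pure ACKs carry nothing that can be retransmitted
        key = (src, dst)
        expected = next_seq.get(key)
        if expected is not None and seq < expected:
            retrans.append(pkt)
            per_unit[unit] += 1
        next_seq[key] = max(expected or 0, seq + seglen)
    return retrans, dict(per_unit)


if __name__ == "__main__":
    found, counts = find_retransmissions(PACKETS)
    for ts, unit, src, dst, seq, length, _ in found:
        print(f"{ts:.3f}s {unit:<6} {src} -> {dst} seq={seq} len={length}")
    print("retransmissions per unit:", counts)
```

Grouping the hits by unit is the useful part: if every repeat comes from the slave, the duplicates are a cluster artifact rather than network loss.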


    6 replies

    vjoshi_FTNT
    Staff
    August 12, 2015

Hello Lucas,

Yes, it is possible if the traffic is high. The load-balance-all option will make the primary unit load balance all TCP sessions.

It really doesn't help to improve throughput because of the extra overhead required for load balancing, so load-balance-all is disabled by default.

    Lucas_Piris
    New Member
    August 12, 2015

Hi vjoshi,

Thanks.

The strange thing is that this environment is a lab and has no charge. :(

Regards

Lucas


    vjoshi_FTNT
    Staff
    August 12, 2015

Hello Lucas,

Sorry, what do you mean by 'no charge'?

If it is in a lab and you are testing this, fine.

If this is just a test bed and you are planning a production setup, and if you really want to use HA for optimum load balancing, I would suggest virtual clustering with VDOMs.

This is possible in a-p mode, where each device will be master for specific VDOMs and the other device will serve as the slave unit.

Cheers,


    vjoshi_FTNT
    Staff
    August 12, 2015

Hello Lucas,

I got it. It is strange that it happens without load.

Is it causing any specific issue to the application?

    Lucas_Piris
    New Member
    August 12, 2015

Hi Josh,

Yes! This customer has an internal application that is impacted.

We had to change the HA mode to a-p, and it works fine.

I will monitor other HA clusters to see if I can find the same behavior.

Cheers

Lucas


    vjoshi_FTNT
    Staff
    August 17, 2015

Hello Lucas,

Do you see the same behavior in your lab setup as well?

    Lucas_Piris
    New Member
    August 17, 2015

Hi Josh,

Yes.


    vjoshi_FTNT
    Staff
    August 17, 2015

Hello Lucas,

Weird. I expect it to happen under load, but without any traffic it doesn't seem to be correct.

I would recommend not using load balance all; instead, use the virtual cluster for effective load sharing.

    Lucas_Piris
    New Member
    August 17, 2015

But without the load balancing, I do not have any advantage in using active-active, right? I do not have UTM on this HA.


    Jan_Scholten
    New Member
    August 18, 2015

A/A still works by load balancing UTM (AV/IPS) work to the second FortiGate.

Load-balance-all tries to load balance even single TCP sessions to the secondary FortiGate.

The overhead needed for that (a new TCP SYN arrives at the FGT master, that session is replicated over the HA link to the secondary FGT ...) is in general more expensive than the acceleration you may gain.

There may be some corner cases where load balance all makes sense (lots of elephant flows?), but in general: do not do it.

If you thought of using HA as "twice the firewalls, twice the performance", you will have a hard time.

There was a concept of independent firewalls (clusters) which synchronize their sessions, but I can't find the paper.

    vjoshi_FTNT
    Staff
    August 20, 2015

Hello Lucas,

The real advantage of a-a HA load balancing can be seen with UTM. If you do not have UTM, then there is no real benefit from load balancing. As Jan said in the previous post, the overhead is more than the load sharing benefit you get out of it.

As I mentioned in earlier posts, if you want real load sharing between the two devices for all the sessions (with and without UTM), use virtual clustering, which is possible with VDOMs, where each VDOM is served by one unit.