HT_JDC
New Member
October 21, 2024
Question

SD-WAN: Recovery takes a long time after a 1-line disconnection when using IPsec aggregation

  • October 21, 2024
  • 1 reply
  • 1979 views

Dear Experts,

Here is my story for SD-WAN IPsec aggregation.

[Figure: Fig2.png]

The 2nd line is disconnected and it is kept disconnected.

Temporarily, the whole SD-WAN line is disconnected. I understand that.

However, recovery takes a long time (more than 3-5 minutes).

Can we shorten this time?

Thanks in advance,

1 reply

Raghu_Kumar
Staff
October 21, 2024

Hello,

The delay in recovery when one line disconnects in your SD-WAN IPsec aggregation setup could be caused by multiple factors, such as the link health check interval, the failover threshold, or the way the sessions are handled during failover. To reduce this delay, you can try the following steps:

Adjust Health Check Settings: Shorten the link health check interval under Performance SLA to ensure quicker detection of the downed link.

Session Persistence: Make sure session failover settings (session pickup) are enabled to prevent session interruptions during the transition between lines.

Set Lower Thresholds: Reduce the failover threshold to ensure the failover triggers more quickly.


By optimizing these settings, you should be able to reduce the failover time and improve overall recovery speed.

If you are still facing the issue, this might require deep troubleshooting via a remote session. Open a ticket with Fortinet.



HT_JDC
Author
New Member
October 22, 2024

Dear Raghu_Kumar,

Thanks for your reply. Excuse me for the basic questions.

>Session Persistence: Make sure session failover settings (session pickup) are enabled to prevent session interruptions during the transition between lines.

How can we configure them? Please tell me how to do it.

>Set Lower Thresholds: Reduce the failover threshold to ensure the failover triggers more quickly.

The same situation. I do no

Are all of these configured by CLI?

Thanks in advance and best regards,

 

HT_JDC
Author
New Member
October 24, 2024

Dear Experts,

I tried several things, such as changing the values of parameters seen in the CLI, including the IPsec aggregation algorithm; however, I do not see any improvement. In almost all cases, it takes about 100s to recover.

(I judge this by watching continuous ping results between PC1 and PC2.)

Any ideas?

Thanks in advance,