FortiGate
vrajendran
Staff
Article Id 196568

Description

 
This article explains the override wait time option, which addresses an issue that occurs when the HA override option is enabled on an Active-Passive deployment: during HA failback, the former master unit reclaims the master role and causes a network interruption.

With the override-wait-time option configured under the HA settings, the former master unit waits a number of seconds before taking back the master role. This ensures that all the sessions and routing tables have been completely synced.
 
The override wait time can only be configured when HA override is enabled, and it is only activated after a unit boots up. For example, it is not activated after a failover triggered by the monitor interface, or when HA is changed from standalone mode to A-P or A-A mode.


Solution

 
Non-virtual cluster environment.

Configure this option on the unit where override is enabled and which has the higher priority. In a non-virtual cluster setup, it is most of the time configured on the master unit.
 
config system ha
    set override-wait-time <n sec>
end
 
Here is an example of a working HA setting:
 
config system ha
    set group-name "HA_cluster"
    set mode a-p
    set hbdev "port27" 100 "port28" 100
    set session-pickup enable
    set override enable              <<  Ensure override is enabled.
    set override-wait-time 120       <<  Set the override wait time.
    set priority 200
end
 
Virtual cluster environment.

In a virtual cluster environment, some deployments require a VDOM to run on the passive (slave) unit so that both devices are running at the same time, somewhat like an Active-Active deployment, although the cluster is in fact still configured as Active-Passive.

The setting is the same and is applied to the device that has the higher priority. Below is a sample of the setup.

Master HA setting:
 
config system ha
    set group-name "HA_cluster"
    set mode a-p
    set hbdev "port27" 100 "port28" 100
    set session-pickup enable
    set vcluster2 enable
    set override enable              <--  Ensure override is enabled.
    set override-wait-time 120       <--  override-wait-time.
    set priority 200
        config secondary-vcluster
            set override enable          <--  Ensure override is enabled.
            set priority 100
            set monitor "port9" "port10"
            set vdom "WANFW"
        end
end
 
Slave HA setting:
 
config system ha
    set group-name "HA_cluster"
    set mode a-p
    set hbdev "port27" 100 "port28" 100
    set session-pickup enable
    set vcluster2 enable
    set override enable               <-- Ensure override is enabled.
    set priority 100
        config secondary-vcluster
            set override enable         <-- Ensure override is enabled.
            set override-wait-time 120  <-- override-wait-time.
            set priority 200
            set monitor "port9" "port10"
            set vdom "WANFW"
        end
end
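
A consistency check for the guidance above, added here as an example and not part of the original article or any Fortinet tooling: it parses each unit's HA settings and verifies that, for each virtual cluster, the higher-priority unit with override enabled also carries override-wait-time, and that the wait time is never set without override. The function names, the finding strings and the sample configs are constructed for illustration; a missing priority is assumed to count as 0 and a missing override as disabled.

```python
def parse_ha(text):
    """Split HA config text into primary and secondary-vcluster settings ('<<' / '<--' notes dropped)."""
    clusters, current = {"primary": {}, "secondary": {}}, "primary"
    for raw in text.splitlines():
        line = raw.split("<<")[0].split("<--")[0].strip()
        parts = line.split(None, 2)
        if line == "config secondary-vcluster":
            current = "secondary"
        elif line == "end":
            current = "primary"
        elif len(parts) == 3 and parts[0] == "set":
            clusters[current][parts[1]] = parts[2]
    return clusters

def check_wait_time(units):
    """units maps a unit name to its HA config text; returns a list of findings.
    Assumption: a missing priority counts as 0 and a missing override as disabled."""
    parsed, findings = {n: parse_ha(t) for n, t in units.items()}, []
    for vc in ("primary", "secondary"):
        cfg = {n: p[vc] for n, p in parsed.items() if p[vc]}
        owner = max(cfg, key=lambda n: int(cfg[n].get("priority", 0)), default=None)
        for name, s in cfg.items():
            timer = int(s.get("override-wait-time", 0)) > 0
            override = s.get("override") == "enable"
            if timer and not override:
                findings.append(f"{name}/{vc}: wait time set without override")
            if name == owner and override and not timer:
                findings.append(f"{name}/{vc}: preferred unit has no wait time")
    return findings

# Constructed sample configs, trimmed from the article's virtual cluster setup.
MASTER = """config system ha
    set override enable
    set override-wait-time 120
    set priority 200
        config secondary-vcluster
            set override enable
            set priority 100
        end
end"""
SLAVE = """config system ha
    set override enable
    set priority 100
        config secondary-vcluster
            set override enable
            set override-wait-time 120
            set priority 200
        end
end"""
```

An empty list from check_wait_time({"master": MASTER, "slave": SLAVE}) means each virtual cluster's preferred unit has both override and a wait time, matching the sample setup above.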