| Description | This article describes how to use ip-src-balance in FortiWeb. |
| Scope | FortiWeb. |
Solution

A FortiWeb appliance operating in Reverse Proxy mode uses its own IP address as the source address when it connects to the backend application servers.

Web/HTTP traffic runs over TCP, and TCP uses 16-bit port numbers, which gives 65536 possible port values. Port 0 is reserved and not used, and ports below 1024 are conventionally reserved for well-known services and protocols, so a FortiWeb with a single IP address can hold at most about 64500 connections to a single physical server (pserver).

If the connection rate is high enough that new connections are created faster than existing ones are closed, or if a large share of the available ports is held by connections in the TIME_WAIT state, the appliance can no longer establish new TCP connections to the backend, and new requests fail.

One way to avoid this TCP source-port exhaustion is to add multiple IP addresses to the FortiWeb interface that faces the backend servers and to enable source IP load balancing (ip-src-balance) for connections to the backend server.

Multiple secondary IP addresses are required if the estimated number of concurrent connections exceeds 'usable TCP ports' * 'number of IP addresses'. The concurrent-connection limit that is actually reachable can be lower when many ports are occupied by TIME_WAIT connections, which is often a symptom of slow responses from the backend real servers.
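To turn the sizing rule above (concurrent connections must stay below 'usable TCP ports' * 'number of IP addresses') into a number of secondary addresses, here is an added Python calculator; it is not part of the original article and not a Fortinet tool. It applies Little's law: the average number of source ports in use equals the new-connection rate multiplied by the average time a port is held, which is the time the connection stays open plus the time it lingers in TIME_WAIT. The 64500 usable-port figure is the one quoted in this article; the 60-second TIME_WAIT duration, the headroom factor and the sample traffic rates are assumptions chosen for illustration.

```python
import math

# Usable source ports per FortiWeb IP address towards one pserver (figure from the article).
USABLE_PORTS_PER_IP = 64500

# Assumed TIME_WAIT duration in seconds; the article gives no value for FortiWeb,
# 60 s is a common stack default and is used here only as a working assumption.
DEFAULT_TIME_WAIT_S = 60.0


def ports_in_use(connection_rate, mean_lifetime_s, time_wait_s=DEFAULT_TIME_WAIT_S):
    """Average number of source ports occupied at once (Little's law).

    connection_rate  - new backend connections per second
    mean_lifetime_s  - average time a connection stays open (backend response time)
    time_wait_s      - time a closed connection keeps its port in TIME_WAIT
    """
    return connection_rate * (mean_lifetime_s + time_wait_s)


def required_ip_count(connection_rate, mean_lifetime_s,
                      time_wait_s=DEFAULT_TIME_WAIT_S,
                      usable_ports=USABLE_PORTS_PER_IP,
                      headroom=1.0):
    """Number of IP addresses needed so that (ports in use * headroom) fits in
    usable_ports * ip_count. headroom > 1.0 reserves spare capacity for bursts."""
    needed = ports_in_use(connection_rate, mean_lifetime_s, time_wait_s) * headroom
    return max(1, math.ceil(needed / usable_ports))


def max_connection_rate(ip_count, mean_lifetime_s,
                        time_wait_s=DEFAULT_TIME_WAIT_S,
                        usable_ports=USABLE_PORTS_PER_IP):
    """Highest sustained new-connection rate the pool of ip_count addresses can
    carry before source ports run out."""
    return ip_count * usable_ports / (mean_lifetime_s + time_wait_s)


if __name__ == "__main__":
    # Constructed sample workloads: (connections per second, mean backend response time in seconds).
    # The last two rows show how a slower backend alone pushes the port usage up.
    samples = [(1000, 0.1), (2000, 0.5), (5000, 1.0), (2000, 5.0)]
    print(f"{'conn/s':>8} {'lifetime':>9} {'ports used':>11} {'IPs needed':>11}")
    for rate, life in samples:
        used = ports_in_use(rate, life)
        print(f"{rate:>8} {life:>9.1f} {used:>11.0f} {required_ip_count(rate, life):>11}")
    print(f"one IP address sustains about {max_connection_rate(1, 0.1):.0f} conn/s "
          f"at 0.1 s response time and {DEFAULT_TIME_WAIT_S:.0f} s TIME_WAIT")
```

The interesting case is the last sample row: at the same 2000 connections per second, raising the backend response time from 0.5 s to 5 s pushes the address count from two to three, which is the "slow responses from backend real servers" effect the text describes. Measured connection rates and response times from the real deployment should replace the constructed samples before the result is used for sizing.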
FortiWeb CLI configuration:

    config system interface
        # add the secondary IP addresses to the interface that faces the backend
        # servers here; the interface name and address values depend on the deployment
    end

    config system network-option
        set ip-src-balance enable
        set ip6-src-balance enable
    end

Related document: Server policy intermittently inaccessible
Copyright 2025 Fortinet, Inc. All Rights Reserved.