Fortinet Forum
marypoppins
New Contributor II

Fortigate failover hello-holddown question

Dear All,

I would like to know if, during the hello-holddown's 'hello state', there is forwarding traffic, or whether it only happens after this timer reaches the working state. (The name 'working' suggests there is no forwarding (only HA) before it, and it is measured in seconds with the lowest value of 5.)

So the failover switching time from the perception to the public traffic again will be something like this (in the worst case, the failure happens right after a heartbeat packet):
hb-interval (def. 200 ms) * hb-lost-threshold (def. 6) + hello-holddown (def. 20 sec) = 21,2 sec

And in the case of a FortiGate 600E, changing the values to the lowest possible ones, can it be decreased to 100 ms * 1 + 5 = 5,1 sec?

Could you please tell me if I am right?

 

Thank you

 

vvarangoulis
Staff

Hello,
The hello hold down is for the HA heartbeat. The traffic should switch immediately. Of course, it depends on what traffic we are speaking of, since some sessions are not getting synchronized and need to re-establish, and it also depends on the routing recovery if there are dynamic routing/path vector protocols involved, like OSPF and BGP. And for the latter reason, session recovery cannot have guaranteed times.

The timers you mentioned are for the cluster to establish and become in-sync between the cluster members. Please check the documentation below, which has examples and details about what these 3 settings that you mentioned do. In general, if the FortiGates have some difficulty forming the cluster after a failover (or in some other rare cases), then you may look to adjust these settings.

If you see a behaviour that does not look normal, I would suggest creating a ticket with the TAC.

FortiGate CLI reference - system ha
https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/480224/system-ha

Fortinet Documentation - Modifying heartbeat timing
https://docs.fortinet.com/document/fortigate-6000/6.4.6/fortigate-6000-handbook/896243/modifying-hea...

Fortinet Documentation - Session failover
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/786852/session-failover

Cheers

Please mark the posts as solved if you have no further queries
--VV--

marypoppins

Thank you very much for your answer!