Fortinet Forum
hklb
Contributor II

HA synchronization

Hello,

 

I will install an HA of 1500D for a customer. I have two questions about that:

- Which bandwidth will be used for session synchronization (there are approximately 400 new sessions per second and 10'000 sessions established)? Is there a way to know the amount of traffic that will be used?
- Is it a good choice to use the MGMT1 and MGMT2 interfaces for HA heartbeat/session sync? Or is there a hardware/software limitation?

 

Thanks in advance

 

Lucas

1 Solution
Christopher_McMullan

I don't have any figures for the bandwidth required to maintain active sessions, but a helpful guide for the bandwidth requirements to synchronize session setup is:

roughly 500kbps for every 1,000 sessions set up per second

 

This is not an exact, officially published benchmark - only a rough guide from some internal testing. Session setup is far more important than active sessions.

 

As a best practice, you should consider using redundant HA links, as well as segmenting session-sync traffic from HA heartbeat messages. It's a high cost, but it pays off in spades: two interfaces for HA (use ones you don't really want, like 'HA' ports, or unused Fast Ethernet or Gigabit, where they are an order of magnitude smaller than other production ports on the device), plus one for session-sync traffic.

 

You can use non-accelerated ports or not as your preferences go - there's really no restriction on which port you use, so long as it's not already dedicated to another purpose. You could even theoretically use a production port shared with other traffic, though I wouldn't recommend this anywhere.

Regards, Chris McMullan Fortinet Ottawa
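
The layout recommended in the answer above (two heartbeat links plus a separate session-sync link), written as a FortiOS `config system ha` fragment. This is an added example, not part of the original post. The group name, the a-p mode, the heartbeat priorities and `port31` are assumptions; `mgmt1` and `mgmt2` are the interfaces named in the question.

```text
# Added example: HA heartbeat on two links, session sync on a third.
# group-name, mode, priorities and port31 are placeholders/assumptions.
config system ha
    set group-name "HA-1500D"
    set mode a-p
    # Two redundant heartbeat interfaces with equal priority
    set hbdev "mgmt1" 50 "mgmt2" 50
    # Synchronize sessions to the peer so they survive a failover
    set session-pickup enable
    # Carry session-sync traffic on its own interface, not on the heartbeat links
    set session-sync-dev "port31"
end
```

By the rough guide quoted in the answer, 400 new sessions per second corresponds to about 200 kbps of session-setup sync traffic.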


hklb
Contributor II

Hello Chris,

 

Ok, thanks for your quick reply, that's perfect. 

 

Lucas