Saba1989
New Contributor

A problem dividing traffic between default routes

We have a FortiGate 200D in my company. Until this week we had 2 ISPs and 2 default routes to the internet, and they worked fine.

This week we got a new internet link. I wrote a new default route for this link with administrative distance 10 and priority 0, the same as the old default routes, so there is no difference between the default routes, and then wrote a policy for the new link like the old policies.

But it seems the FortiGate device cannot send traffic to the ISPs equally. I reset the policy counters and I see a difference between bytes sent: the new link transfers little traffic and most of the time its bandwidth is not used.

I attach my policy picture. I want my FortiGate device to send traffic to the internet over all ISP links. What is my mistake, and what should I do to correct my fault?

Antonio_Milanese
Contributor

hi Zeynab,

using purely ECMP you cannot have an even distribution of traffic. Think about ECMP distribution algorithms as LACP hashing: once an egress path has been selected, the session has stickiness with that path to avoid all sorts of asymmetric routing pitfalls. So if one user/session is a file transfer with egress interface A and another user/session is an HTTP request with egress interface B, you obviously have different traffic counters. Every new session is evaluated with the ECMP algo and eventually distributed among route paths but not only at the inception.

FGT has a good description here, although it's referring to 5.2:

http://help.fortinet.com/...adv_static_example.htm

Note that ECMP on > 5.4 has more algos but the logic is the same:

config system virtual-wan-link
    set load-balance-mode {source-ip-based weight-based usage-based source-dest-ip-based measured-volume-based}

If you want a better (but again it's hard to have an even distribution) you can use the SD-WAN features, where you have more dynamic control of egress sessions using SD-WAN policies and service rules:

http://help.fortinet.com/...Top_VirtualWANLink.htm

Regards,
Antonio


ede_pfau
Esteemed Contributor III

hello,

first off, load sharing is done on a per-session basis. Sessions are distributed evenly in an ECMP setup. It may be that not all sessions carry the same load or live for the same time; only a longer statistics period will tell.

Maybe you'll feel better if you influence the distribution algorithm to prefer one link (weighted round-robin). For this, noting that 'priority' in FortiOS means 'cost', you would, for example, assign a priority of 10 to the fiber link and 20 to the two other routes. Again, this ratio will only be reflected in sessions, so you will see it easily with a lot of short sessions, like HTTP(S) from a lot of users.

Distribution is done according to a hash across the source and destination IPs (AFAIR). This could have an influence also - just a few hosts connecting to just a few destinations would create an imbalance in load sharing, away from 1/3rd for each link.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
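
Added example, not part of either reply and not FortiOS code: a small simulation of the per-session, hash-based link selection both answers describe, comparing session counters with byte counters. The link names, the SHA-256 stand-in for the ECMP hash, and both workloads are assumptions constructed for illustration.

```python
import hashlib
import ipaddress
import random

LINKS = ("wan1", "wan2", "wan3")  # hypothetical names for the three equal-cost default routes

def pick_link(src, dst, links=LINKS):
    """Per-session egress choice from a hash of source and destination IP.
    SHA-256 is a stand-in here, not the hash FortiOS uses."""
    key = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    return links[int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % len(links)]

def simulate(sessions, links=LINKS):
    """sessions: iterable of (src, dst, size_bytes) -> {link: {"sessions": n, "bytes": b}}."""
    counters = {link: {"sessions": 0, "bytes": 0} for link in links}
    for src, dst, size in sessions:
        link = pick_link(src, dst, links)  # sticky: the whole session is counted on this link
        counters[link]["sessions"] += 1
        counters[link]["bytes"] += size
    return counters

BULK = ("10.0.7.7", "192.0.2.80", 5_000_000_000)  # constructed: one 5 GB file transfer

def office_workload(n=3000, seed=1):
    """Constructed: many clients opening short web sessions, plus one bulk transfer."""
    rng = random.Random(seed)
    web = [(f"10.0.{rng.randrange(256)}.{rng.randrange(1, 255)}",
            f"198.51.100.{rng.randrange(1, 255)}",
            rng.randrange(2_000, 200_000)) for _ in range(n)]
    return web + [BULK]

def few_flows_workload():
    """Constructed: two hosts that each keep talking to a single destination."""
    return [("10.0.0.10", "203.0.113.5", 1_000_000)] * 50 + \
           [("10.0.0.11", "203.0.113.9", 1_000_000)] * 50

def share(counters, field):
    """Each link's percentage of the total for 'sessions' or 'bytes'."""
    total = sum(c[field] for c in counters.values()) or 1
    return {link: round(100 * c[field] / total, 1) for link, c in counters.items()}

if __name__ == "__main__":
    for name, load in (("office", office_workload()), ("few flows", few_flows_workload())):
        result = simulate(load)
        print(f"{name:10} sessions % {share(result, 'sessions')}")
        print(f"{name:10} bytes %    {share(result, 'bytes')}")
```

In the office workload the session shares stay near one third per link while the byte shares follow the single bulk transfer; in the two-flow workload at least one link stays idle.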
