Dear All,
I would like to know if during the hello-holddown's 'hello state' there is forwarding traffic, or if it only happens after this timer reaches the working state. (The name 'working' suggests there is no forwarding (only HA) before it, and it is measured in seconds with the lowest value of 5.)
So the failover switching time from the perception to the public traffic again will be something like this (in worst case the failure happens just right after a heartbeat packet):
hb-interval (def. 200 ms) * hb-lost-threshold (def. 6) + hello-holddown (def. 20 sec) = 21,2 sec
And in case of a FortiGate 600E, changing the values to the lowest possible ones, it can be decreased to 100 ms * 1 + 5 = 5,1 sec?
Could you please tell me if I am right?
Thank you
Hello,
The hello hold down is for the HA heartbeat. The traffic should switch immediately. Of course, it depends on what traffic we are speaking of, since some sessions are not getting synchronized, and they need to re-establish, and also it depends on the routing recovery if there are dynamic routing/path vector protocols involved like OSPF and BGP. And for the latter reason, session recovery cannot have guaranteed times.
The timers you mentioned are for the cluster to establish and become in-sync between the cluster members. Please check the below documentation that has examples and details about what these 3 settings that you mentioned do. In general, if the FortiGates have some difficulty forming the cluster after a failover (or some other rare cases) then you may look to adjust these settings.
If you see a behaviour that does not look normal, I would suggest creating a ticket with the TAC.
FortiGate CLI reference - system ha
https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/480224/system-ha
Fortinet Documentation - Modifying heartbeat timing
https://docs.fortinet.com/document/fortigate-6000/6.4.6/fortigate-6000-handbook/896243/modifying-hea...
Fortinet Documentation - Session failover
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/786852/session-failover
Cheers
Thank you very much for your answer!