Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Logesh08
New Contributor

Created on ‎06-15-2023 07:20 AM

Fortinet Failover

Hello Everyone,

I am using device model 200 F. When failover happens from primary to secondary it takes 2 seconds. But the failover from secondary to primary takes 30 seconds.  

 

any suggestion pls.

Labels:
3142
0 Kudos
14 REPLIES 14
aguerriero
Contributor II

Created on ‎06-15-2023 08:00 AM

you may need to enable session-pickup in your HA configuration.

set session-pickup enable
set session-pickup-connectionless enable

On ipsec tunnels you may need to add
set ha-sync-esp-seqno enable

2022
0 Kudos
Logesh08
New Contributor
In response to aguerriero

Created on ‎06-15-2023 08:50 AM

Hi,

 

Thank you for your reply. Those are already enabled.

1999
0 Kudos
Stephen_Daniel
Staff
Staff

Created on ‎06-15-2023 08:07 AM

Do you mean traffic not passing when doing failback from secondary to primary?
Do you have BGP configured on FGT? If yes, routes are present after failback?

Verify connected switches has learnt the MAC of FGT in new switch port.
You can use below hatalk debugs to see the status of failover event and gratuitous ARP sent by FGT Primary(new master)

di de di
di de reset
di de app hatalk -1
di de console timestamp enable
di de en

(Run the above debugs on both devices and perform the failover failback activity)

2018
0 Kudos
Logesh08
New Contributor
In response to Stephen_Daniel

Created on ‎06-15-2023 08:49 AM

Hi, Thank you for the update. Everything seems working but failover from secondary to primary takes 30 secs.

2001
0 Kudos
aguerriero
Contributor II
In response to Logesh08

Created on ‎06-15-2023 08:53 AM Edited on ‎06-15-2023 09:03 AM

He mentioned failover or failback.

The first failover when all sessions are synced should be fast.

If you have override enabled for HA primary then you have to wait for the configurations, states, sessions, ... to sync before the primary will take over again.

1994
0 Kudos
Logesh08
New Contributor
In response to aguerriero

Created on ‎06-15-2023 09:17 AM

Hi, Thank you. do you have how to reduce the time for failback?

1974
0 Kudos
Toshi_Esumi
SuperUser
SuperUser

Created on ‎06-15-2023 09:03 AM Edited on ‎06-15-2023 09:07 AM

First of all, how are you measuring those 2 and 30 sec? And how are you exactly simulating/triggering a fail-over and fail-back? 30 sec is generally the default delay timer if your switch port has port-fast disabled. Wondering if you're disconnecting the eth cable connected to a switch to simulate the primary failure. 

 

Toshi

 

Toshi

1988
0 Kudos
Logesh08
New Contributor
In response to Toshi_Esumi

Created on ‎06-15-2023 09:20 AM

Hi, Thank you. 

 

we are simulating the failover by shutting the LACP ports on the primary firewall and we saw only 1 packet drop. But when we do a failback by unshut the ports on primary. This time it takes 25 to 30 drop packets.

1972
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to Logesh08

Created on ‎06-15-2023 09:27 AM

What is the other end of the LACP ports? Check the log on the device when you unshut the ports on the primary FGT to see if they take 30 sec to come back up or immediate.

1967
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.