Hi,
We have a FortiGate HA cluster with load-balance-all enabled, and we are monitoring the behavior. I can see many retransmissions between slave and master, just when the slave unit processes the packet; see this picture:
Does anyone know if this is normal when we have load-balance-all enabled?
Regards
Lucas
But without the load balancing, I do not have any advantage in using active-active, right? I do not have this UTM HA.
vjoshi wrote:Hello Lucas,
Weird. I would expect it to happen, but without any traffic it doesn't seem to be correct.
I would recommend not using load-balance-all; instead, use the virtual cluster for effective load sharing.
A/A still works by load balancing UTM (AV/IPS) stuff to the second Fortigate.
Load-balance-all tries to load balance even single TCP sessions to the secondary FortiGate.
The overhead needed for that (a new TCP SYN arrives at the FGT master, that session is replicated over the HA link to the secondary FGT, ...) is in general more expensive than the acceleration you may gain.
There may be some corner cases where load balance all makes sense (lots of elephant flows?) but in general: do not do it.
If you thought of HA as "twice the firewalls, twice the performance", you will have a hard time.
There was a concept of independent firewalls (clusters) which synchronize their sessions, but I can't find the paper.
Hello Lucas, the real advantage of A-A HA load balancing can be seen with UTM. If you do not have UTM, then there is no real benefit from load balancing. As Jan said in the previous post, the overhead is more than the load sharing benefit you get out of it. As I mentioned in earlier posts, if you want real load sharing between the two devices for all sessions (with and without UTM), use virtual clustering, which is possible with VDOMs, where each VDOM is served by one unit.
Copyright 2024 Fortinet, Inc. All Rights Reserved.