Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Lucas_Piris
New Contributor

Created on ‎08-11-2015 06:51 PM

HA with load balance all retransmission

Hi,

 

We have a Fortigate HA with load balance all enabled, and we are monitoring the behavior, and I can see many retransmissions between slave and master, just when the slave unit process the packet, see this picture:

 

Anyone known if this is normal? when we have load balance all enabled?

  

Regars

Lucas

 

9510
0 Kudos
12 REPLIES 12
Lucas_Piris
New Contributor
In response to vjoshi_FTNT

Created on ‎08-17-2015 06:59 AM

But without the load balance, I do not have any advantage using active-active, right? I do not have this UTM HA.

 

vjoshi wrote:

Hello Lucas,

 

Weird, I expect it to happen, but without any traffic doesn't seem to be correct.

 

I would recommend not to use the load balance all, instead use the virtual cluster for effective load sharing.

 

 

2052
0 Kudos
Jan_Scholten
Contributor

Created on ‎08-18-2015 12:46 AM

A/A still works by load balancing UTM (AV/IPS) stuff to the second Fortigate.

 

Load-Balance all trys to load balance even single TCP sessions to the secondary Fortigate.

The overhead needed for that (New TCP SYN is coming to fgt master, replicate that session over HA link to the secondary FGT ...) is in general more expensive than the acceleration you may gain. 

There may be some corner cases where load balance all makes sense (lots of elephant flows?) but in general: do not do it.

 

If you thought about using HA as "twice the firewalls, twice the performance" you will have a hard time.

There was a concept of independent firewalls(clusters) which synchronize their sessions, but i can't find the paper.

 

 

2052
0 Kudos
vjoshi_FTNT
Staff
Staff

Created on ‎08-19-2015 10:25 PM

Hello Lucas, The real advantage of the a-a HA load balancing can be seen with UTM. If you do not have UTM, then there is no real benefit of load balancing. As Jan said in the previous post, the overhead is more than the load sharing benefit you get out of it. As I mentioned in earlier posts, if you want a real load sharing between the two devices for all the sessions(with and without UTM), virtual clustering which is possible with VDOMs where each VDOM is served by one unit.

 

 

2052
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.