Support Forum
greminn
New Contributor III

Load Balancing POP/IMAP and CPU/Memory Load/Usage

Hi There, We have set up a testing Load Balance (First Alive) for POP/IMAP from the wan virtual IP to 2 lan servers. The first server is our primary server with the most resources available and the second server is a backup server with less resource. Up until now we have used a manual fail over (if primary offline, add IP to backup). We receive around 20k emails a day and have 400+ customers POPing/IMAPing. Now that we have found Fortigate Load Balancing (!!) we would like to use this for automating the fail over! My question is, what sort of CPU load or Memory usage is this likely to put on the firewall? PS: We are using a 100A Simon
ede_pfau
Esteemed Contributor III

I'd say nearly none. The only load you add is the alive check process which will be triggered every XX seconds. I've set this up with web servers (nice for failover because of the short sessions) and it worked immediately like a charm. You could stop the httpd process on one server for maintenance and nobody ever noticed. The manual failover suffers a lot from having to establish the second MAC address into the MAC tables of the next switch. This causes offline periods up to 180 seconds at worst. None of this with LB.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
greminn
New Contributor III

Thanks for the reply Ede... One more quick question please: The virtual load balance IP is setup for our wan2 port (providing pop/imap services to the internets)... is there a way to allow access from our servers on dmz1? Thanks Simon
ede_pfau
Esteemed Contributor III

hmmm, you mean you've tried to contact the WAN VIP from your DMZ and that didn't work? You need a policy dmz->WAN of course. If that doesn't work (I cannot try that one out at the moment) then try this (read this on the forums a while ago): define the VIP on the 'any' interface, not on 'WAN'.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
greminn
New Contributor III

Yes... I already have a DMZ -> wan policy (all/any). I had a look at adding the virtual server to the 'any' interface, but it seems you have to tie it to a real interface... As these are the only ones in the list... Can it only be done via cli maybe? Thanks Simon
rwpatterson
Valued Contributor III

Try from WAN->LB, source subnet the internal (LAN) subnet, with NAT enabled. Sounds weird, but a similar setup worked on a 60AM a while back for me.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

greminn
New Contributor III

Hmm.. still not working. A note here is that we have a /24 real world IP addresses behind DMZ1 (where all our real servers are) and our main connection to the internets is WAN2 (also where the Load Balancing Virtual Server IP is). The Load Balancing Virtual Server IP is in the same /24 as the real world servers in DMZ1. Could this be affecting access to the Virtual Server IP on WAN2 from a server in DMZ1?
rwpatterson
Valued Contributor III

I would think so. The load balance IP should be on the interface that's nearest the source traffic (WAN2). The FGT will take the outside virtual IP, and use that to load balance to the inside servers seamlessly.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

ede_pfau
Esteemed Contributor III

This is getting weird... you are trying to contact the VIP on the WAN2 interface, translating its DMZ subnet address to real servers in the DMZ within the same subnet? Next question: from where are you trying to get to the servers? If this is really worth it, please make a quick sketch of your LAN setup, with 2 real servers, the VIP, the FGT, the WAN lines and the client. Maybe then I can find a way to understand that setup...

Ede

"Kernel panic: Aiee, killing interrupt handler!"
greminn
New Contributor III

Things are getting weird! Love it :) Not near something I can draw with... Unless you count mustard and ketchup? So maybe outlining it better might assist... Our /24 is 182.xxx.xxx.0 and the basic network is as follows:

internets <> wan2 <> fortigate <> dmz1 <> servers

- Load balance VIP is 182.xxx.xxx.22 on wan2 (available to Internet).
- The LB VIP's real servers are 182.xxx.xxx.40 & 182.xxx.xxx.41; these are real world servers in dmz1.
- I have other real world servers in dmz1 (182.xxx.xxx.30 for example) which I would like to be able to connect to 182.xxx.xxx.22 (the LB VIP).

Mustard and ketchup diagram available to order... Cheers Simon
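To make the pieces of this thread concrete (Simon's addresses, the First Alive method, and Ede's suggestion of binding the VIP to 'any' from the CLI), here is an added FortiOS CLI sketch that is not from any poster. It assumes the generic `config firewall vip` / `config firewall ldb-monitor` syntax of later FortiOS releases (the 100A's firmware may name some keywords differently), POP3 on port 110 only, and keeps the thread's masked 182.xxx.xxx.* octets, which you would replace with the real ones.

```fortios
# Health check used by the "first alive" decision: a plain TCP connect to
# port 110 every 10 s; a server is marked down after 3 failed probes.
config firewall ldb-monitor
    edit "pop3-tcp-check"
        set type tcp
        set port 110
        set interval 10
        set timeout 2
        set retry 3
    next
end

# Server-load-balance VIP. extintf "any" (rather than "wan2") is the
# CLI-only setting Ede refers to; it lets the VIP be reached from dmz1
# as well as from the Internet-facing interface.
config firewall vip
    edit "pop3-lb"
        set type server-load-balance
        set extip 182.xxx.xxx.22
        set extintf "any"
        set server-type tcp
        set extport 110
        set ldb-method first-alive
        set monitor "pop3-tcp-check"
        config realservers
            edit 1
                set ip 182.xxx.xxx.40
                set port 110
            next
            edit 2
                set ip 182.xxx.xxx.41
                set port 110
            next
        end
    next
end

# Policy for the DMZ-side clients (e.g. 182.xxx.xxx.30). NAT is enabled
# so the real server sees the FortiGate as the source and replies back
# through it instead of directly on the shared /24 (hairpin case).
config firewall policy
    edit 0
        set srcintf "dmz1"
        set dstintf "dmz1"
        set srcaddr "all"
        set dstaddr "pop3-lb"
        set action accept
        set schedule "always"
        set service "POP3"
        set nat enable
    next
end
```

Only the first policy ID the CLI assigns to `edit 0` matters here; the Internet-facing policy from wan2 to the same VIP is configured the same way without the hairpin concern.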