Dear Experts,
Here is my story for SD-WAN IPsec aggregation.
The 2nd line is disconnected and it is kept (disconnected).
Temporarily whole SD-WAN line is disconnected. I understand it.
However, recovery takes much time (more than 3-5 minutes).
Can we shorten this time?
Thanks in advance,
Hello,
The delay in recovery when one line disconnects in your SD-WAN IPsec aggregation setup could be caused by multiple factors, such as the link health check interval, the failover threshold, or the way the sessions are handled during failover. To reduce this delay, you can try the following steps:
Adjust Health Check Settings: Shorten the link health check interval under Performance SLA to ensure quicker detection of the downed link.
Session Persistence: Make sure session failover settings (session pickup) are enabled to prevent session interruptions during the transition between lines.
Set Lower Thresholds: Reduce the failover threshold to ensure the failover triggers more quickly.
By optimizing these settings, you should be able to reduce the failover time and improve overall recovery speed.
If you are still facing the issue, this might require deep troubleshooting via a remote session. Open a ticket with Fortinet.
Dear Raghu_Kumar,
Thanks for your reply. Excuse me for basic questions.
>Session Persistence: Make sure session failover settings (session pickup) are enabled to prevent session interruptions during the transition between lines.
How can we configure them? Please tell me how to do it.
>Set Lower Thresholds: Reduce the failover threshold to ensure the failover triggers more quickly.
The same situation. I do no
All are configured by CLI?
Thanks in advance and Best regards,
Dear Experts,
I tried several things, such as changing the values of parameters seen in the CLI, including the IPsec aggregation algorithm; however, I do not see any improvements. In almost all cases, it takes about 100s to recover.
(I judge it, by seeing continuous ping results between PC1 and PC2.)
Any ideas?
Thanks in advance,
Dear Experts,
I tried a lot.
Changing the IPsec DPD parameter could decrease the recovery time.
I changed the retry interval to 1 sec.
I would like to know the influence of changing the value.
Thanks in advance,
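The settings discussed in this thread (the Performance SLA probe interval and failure threshold, and the IPsec DPD retry interval), shown as an added FortiOS CLI example that is not from any of the posters or from Fortinet. FortiOS 7.x syntax is assumed; the names `sla_probe` and `vpn_line1`, the probe target 192.0.2.1 and every numeric value are illustrative assumptions, not recommendations from the thread.

```text
# Performance SLA (link health check) for the SD-WAN members.
# "sla_probe" and 192.0.2.1 are hypothetical placeholders.
config system sdwan
    config health-check
        edit "sla_probe"
            set server "192.0.2.1"
            set protocol ping
            # Probe interval in milliseconds (assumed FortiOS 7.x units).
            set interval 500
            # Consecutive failed probes before the member is marked dead.
            set failtime 3
            # Consecutive successful probes before it is marked alive again.
            set recoverytime 5
            # 0 applies the check to all SD-WAN members.
            set members 0
        next
    end
end

# Dead Peer Detection on one IPsec tunnel of the aggregate.
# "vpn_line1" is a hypothetical phase1-interface name; repeat per tunnel.
config vpn ipsec phase1-interface
    edit "vpn_line1"
        # Send DPD probes when the tunnel has been idle.
        set dpd on-idle
        # Unanswered probes before the peer is declared dead.
        set dpd-retrycount 3
        # Seconds between DPD probes (the thread's last post used 1).
        set dpd-retryinterval 1
    next
end
```

With these values DPD declares the peer dead after roughly three unanswered probes sent one second apart. Shorter timers increase probe traffic and make a lossy but working link more likely to be torn down and renegotiated.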
Copyright 2024 Fortinet, Inc. All Rights Reserved.