Hello,
I have a Fortigate 200E with 3 WAN Links grouped in SD WAN virtual interface. Firewall is running FortiOS 5.6.3. The firewall is used for wifi internet access.
Today the firewall dropped the SD WAN links with this message:
The member(6) enters into conservative status with limited ability to receive new sessions for too muchtraffic.
The member(3) enters into conservative status with limited ability to receive new sessions for too muchtraffic.
The member(4) enters into conservative status with limited ability to receive new sessions for too muchtraffic.
After a few minutes the SD WAN link recovered and is working fine again.
The firewall is OK on RAM and CPU resources, almost always below 20%; only App Control is used (no Antivirus, Web filtering, IPS, ...).
We have between 10000 and 50000 IP sessions shared over the SD WAN interfaces. In order to minimize sessions in the firewall we use recursive DNS on the internal firewall interfaces, so the clients do not open thousands of DNS sessions.
We have opened a support ticket, but are waiting for a reply.
Any ideas about this issue?
Best regards,
Ricard
Hi,
Did you open a ticket or get any explanation for this?
Starting to experience the same behavior on 6.0.0 on a 60E in the lab, very low session numbers (~500), no memory or CPU peak at all.
Wondering if it's not an attempt/way to force balancing between the members based on volume rules.
Thanks,
Stephane
Hello Ricard,
This particular error would be observed when the SD_WAN member/interface has consumed all its allocated volumes (based on the measured-volume load balance algorithm) and to find other members to accept the new sessions (so the system can keep the volume balanced).
In your case, the SD_WAN members (6/3/4) consumed all their allocated volumes and enters into this represents an informative message about changing the WAN link for the next sessions. Since this works based on the predefined algorithm, we could overcome this scenario by identifying the maximum session-initiating sources and creating specific SD_WAN rules with other members/interfaces, to make sure that the sessions are load balanced across another SD_WAN member also.
For more information please refer to the below link:
http://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-networking/SD-WAN/SD-WAN_load_balanci...
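To check whether an outage like the one in the first post coincides with every SD-WAN member being limited at once, the events can be grouped by time. This is an added example, not part of the thread or Fortinet tooling; the timestamp prefix, the sample lines and the 60-second gap are constructed assumptions, and only the message text comes from the posts above.

```python
import re
from datetime import datetime, timedelta

# Message text as quoted in the thread; the leading timestamp format is an assumption.
MSG = re.compile(r"^(\S+ \S+) .*The member\((\d+)\) enters into conservative status")

# Constructed sample log (not real device output).
SAMPLE_LOG = """\
2018-03-01 10:15:02 The member(6) enters into conservative status with limited ability to receive new sessions for too muchtraffic.
2018-03-01 10:15:04 The member(3) enters into conservative status with limited ability to receive new sessions for too muchtraffic.
2018-03-01 10:15:09 The member(4) enters into conservative status with limited ability to receive new sessions for too muchtraffic.
2018-03-01 10:20:00 Some unrelated event line
2018-03-01 11:40:30 The member(3) enters into conservative status with limited ability to receive new sessions for too muchtraffic.
"""

def parse_events(text):
    """Return sorted (timestamp, member_id) tuples for conservative-status messages."""
    events = []
    for line in text.splitlines():
        m = MSG.search(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, int(m.group(2))))
    return sorted(events)

def find_bursts(events, sdwan_members, gap=timedelta(seconds=60)):
    """Group events separated by no more than `gap` and flag bursts that
    cover every configured member, i.e. no member left to take new sessions."""
    bursts = []
    for ts, member in events:
        if bursts and ts - bursts[-1]["end"] <= gap:
            bursts[-1]["end"] = ts
            bursts[-1]["members"].add(member)
        else:
            bursts.append({"start": ts, "end": ts, "members": {member}})
    for b in bursts:
        b["all_members_limited"] = b["members"] >= set(sdwan_members)
    return bursts

if __name__ == "__main__":
    # Member IDs 3, 4 and 6 are the ones named in the thread.
    for b in find_bursts(parse_events(SAMPLE_LOG), {3, 4, 6}):
        print(b["start"], sorted(b["members"]), "ALL LIMITED" if b["all_members_limited"] else "partial")
```

A burst flagged as covering all members is the case worth correlating with user-reported loss of connectivity; a partial burst is the balancing behaviour described in the reply.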