nusaka
New Contributor

SDWAN HA failover time

Hi all,

I have a spoke site A and spoke site B and I'm testing failover speeds by running a constant ping from site A to site B, then rebooting the primary FortiGate to simulate a failover.

Both sites are running with an HA pair. In the past I've seen it take over 2 minutes for the ping to respond when forcing a failover, but I'm currently getting about 5/6 ping drops. Will this impact user traffic in a production environment?

Also I am wondering if a reboot is not the best test? A hard power down might be better?

Firmware 7.2.8

atakannatak
New Contributor III

Hello @nusaka,

There are several parameters that can affect failover time in your network structure, which seems to consist of at least one hub and two spokes. Here's a visualization of the nearest best practice approach:

(attached image: Simple Topology.png)

1. Ensure IP connectivity of your private blocks over the internet, typically achieved using IPsec.
2. Each spoke location should have two internet connections, with IPsec established between the hub and spokes.
3. Establish IP connectivity between spokes and the hub.
4. Configure dynamic routing under your IPsec tunnel to handle private network announcements and network connectivity loss.

https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/632796/ospf-with-ipsec-vpn-for-network-...

https://community.fortinet.com/t5/FortiGate/Technical-Note-Dynamic-routing-BGP-over-IPsec-tunnel/ta-...

5. Configure SD-WAN with performance SLA targets to monitor IPsec tunnels for metrics like delay, jitter, and packet loss.
6. Enable session pick-up capability to ensure TCP sessions remain on the passive device.

https://docs.fortinet.com/document/fortigate/7.4.3/fortigate-7000e-administration-guide/66351/sessio...

This describes the best practice topology for handling routing and reachability between spokes and a hub, minimizing client impact during failover, with nearly zero downtime. It emphasizes the importance of network stability and setting up infrastructure to be fully redundant from every perspective of network design.

PS: Avoid power-down tests for failover scenarios and instead consider methods like disabling the primary IPsec tunnel interface or forcing HA failover by using the "execute ha failover set " command.

BR.

If my answer provided a solution for you, please mark the reply as solved so that others can find it easily while searching for similar scenarios.

Atakan Atak
AEK
SuperUser

Hi Nusaka

You may be able to reduce the fail-over delay in SD-WAN's performance SLA section.

(attached image: sla.png)

A fail-over may impact user connections depending on how critical the internet connection is, but I hope your ISP is reliable and doesn't fail frequently; otherwise you may change it.

Rebooting the FG and an SD-WAN fail-over are not the same test and don't have the same purpose, so I don't think we can say one is better than the other.

AEK
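The two suggestions above, faster failure detection in the SD-WAN performance SLA (AEK's reply) and HA session pick-up alongside the SLA (steps 5 and 6 of the first reply), written out as FortiOS 7.2-style CLI. This is an added example, not configuration from either poster; the tunnel interface names, member IDs, health-check name and the probe target 10.255.255.1 are placeholders.

```fortios
# Added example, not from the thread: SD-WAN health check with faster
# failure detection, plus HA session pickup so established sessions survive
# the failover. Interface names, member IDs and the probe target 10.255.255.1
# (assumed to be a hub loopback reachable through the tunnels) are placeholders.
config system sdwan
    set status enable
    # Both hub tunnels as SD-WAN members (default zone virtual-wan-link).
    config members
        edit 1
            set interface "HUB1-VPN"
        next
        edit 2
            set interface "HUB2-VPN"
        next
    end
    config health-check
        edit "hub-sla"
            set server "10.255.255.1"
            set protocol ping
            # Probe every 500 ms; 3 lost probes (~1.5 s) mark the member down,
            # 5 good probes bring it back. The default failtime of 5 would wait
            # about 2.5 s before traffic is steered away from a dead tunnel.
            set interval 500
            set failtime 3
            set recoverytime 5
            set members 1 2
            config sla
                edit 1
                    set link-cost-factor latency packet-loss
                    set latency-threshold 150
                    set packet-loss-threshold 2
                next
            end
        next
    end
end
# Let the secondary unit keep TCP (and UDP/ICMP) sessions across an HA failover.
config system ha
    set session-pickup enable
    set session-pickup-connectionless enable
end
```

After applying it, `diagnose sys sdwan health-check` shows each member's state and measured latency/packet loss, which is the quickest way to see how long a tunnel stays "alive" after the far side goes away.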