Just completed upgrading 3 active/passive pairs (2601F, 201E, 200F) via FortiManager from 6.4.8 -> 6.4.9. I noticed on each one FortiManager said the upgrade was complete before the final failover back to the primary node. I also noticed that the last failover during the upgrade causes a significant blip. Is this normal? The 2601F seemed to be impacted more, maybe because this firewall had more sessions?
Created on 06-09-2022 04:26 PM
Hello @khunsu ,
Thank you for posting your query on Fortinet Forum. As per my research, I have found the following settings under HA configuration can affect this behaviour.
====
config system ha
set session-pickup enable/disable
end
=======
"If you leave session pickup disabled, the cluster does not keep track of sessions and after a failover, active sessions have to be restarted or resumed. Most sessions can be resumed as a normal result of how TCP/IP communications resumes communication after any routine network interruption."
"An advantage of using session pickup is that non-content inspection sessions will be picked up by the new primary unit after a failover. The disadvantage is that the cluster generates more heartbeat traffic to support session pickup as a larger portion of the session table must be synchronized. Session pickup should be configured only when required and is not recommended for use with SOHO FortiGate models. Session pickup should only be used if the primary heartbeat link is dedicated (otherwise the additional HA heartbeat traffic could affect network performance).
If session pickup is not selected, after a device or link failover all sessions are briefly interrupted and must be re-established at the application level after the cluster renegotiates. For example, after a failover, users browsing the web can just refresh their browsers to resume browsing. Users downloading large files may have to restart their download after a failover. Other protocols may experience data loss and some protocols may require sessions to be manually restarted. For example, a user downloading files with FTP may have to either restart downloads or restart their FTP client.
If you need to enable session pickup, consider enabling session-pickup-delay to improve performance by reducing the number of sessions that are synchronized."
References:
https://docs.fortinet.com/document/fortigate/6.2.0/best-practices/50165/fgcp-high-availability
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/892490/if-session-pickup-is-disabled
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/786852/session-failover
Let me know if the above links help.
Thanks
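A worked HA configuration for the setting the reply describes, added here as an illustration and not taken from the thread above or from Fortinet's documentation. It assumes a two-member FGCP active/passive cluster on FortiOS 6.4 CLI syntax, with placeholder group and heartbeat port names, and shows the default that drops sessions on failback next to the variant that synchronizes them, followed by the checks worth running before the final failover back to the original primary.

```fortios
# Default behaviour: session pickup disabled. On each failover every
# established TCP session is dropped and must be re-established by the
# application, which is the "blip" seen on the last failback; a member
# carrying more sessions is hit harder because more flows restart at once.
config system ha
    set group-name "HA-CLUSTER"          # placeholder group name
    set mode a-p
    set hbdev "ha1" 50 "ha2" 50          # dedicated heartbeat ports (assumed names)
    set session-pickup disable
end

# Session continuity: synchronize the session table so the new primary keeps
# existing non-content-inspected sessions, and enable the delay so only
# sessions that have stayed open for a while are copied, which keeps the
# extra heartbeat traffic down. Only do this on a dedicated heartbeat link.
config system ha
    set session-pickup enable
    set session-pickup-delay enable
end

# Checks on the current primary before allowing the final failback:
get system ha status                 # both members present and in sync, roles as expected
diagnose sys ha checksum cluster     # configuration checksums must match on all members
diagnose sys session stat            # note the session count, then compare it after the failover
```

Because session-pickup-delay skips short-lived sessions, flows younger than the delay window are still re-established after the failover; a lower session count on the new primary right after the switch is expected for those, not a sign that synchronization failed.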