We have a 200D FortiGate in my company. Until this week we had 2 ISPs and 2 default routes to the internet, and they worked fine.
This week we got a new internet link. I wrote a new default route for this link with administrative distance 10 and priority 0, the same as the old default routes, so there is no difference between the default routes, and then wrote a policy for the new link like the old policies.
But it seems the FortiGate device cannot send traffic to the ISPs equally. I reset the policy counters and I see a difference between bytes sent: the new link transfers little traffic and most of the time its bandwidth is not used.
I attach a picture of my policy. I want my FortiGate device to send traffic to the internet over all ISP links. What is my mistake, and what should I do to correct it?
Hi Zeynab,
Using purely ECMP you cannot have an even distribution of traffic. Think about ECMP distribution algorithms as LACP hashing: once an egress path has been selected, the session has stickiness with that path to avoid all sorts of asymmetric routing pitfalls. So if one user/session is a file transfer with egress interface A and another user/session is an HTTP request with egress interface B, you obviously have different traffic counters. Every new session is evaluated with the ECMP algo and eventually distributed among route paths, but not only at the inception.
FGT has a good description here, although it's referring to 5.2: http://help.fortinet.com/...adv_static_example.htm
Note that ECMP on > 5.4 has more algos but the logic is the same:
    config system virtual-wan-link
        set load-balance-mode {source-ip-based | weight-based | usage-based | source-dest-ip-based | measured-volume-based}
If you want better (but again, it's hard to have an even distribution), you can use the SD-WAN features, where you have more dynamic control of egress sessions using SD-WAN policies and service rules: http://help.fortinet.com/...Top_VirtualWANLink.htm
Regards,
Antonio
Hello,
First off, load sharing is done on a per-session basis. Sessions are distributed evenly in an ECMP setup. It may be that not all sessions carry the same load or live for the same time; only a longer statistics period will tell.
Maybe you'll feel better if you influence the distribution algorithm to prefer one link (weighted round-robin). For this, noting that 'priority' in FortiOS means 'cost', you would, for example, assign a priority of 10 to the fiber link and 20 to the two other routes. Again, this ratio will only be reflected in sessions, so you will see it easily with a lot of short sessions, like HTTP(S) from a lot of users.
Distribution is done according to a hash across the source and destination IPs (AFAIR). This could also have an influence: just a few hosts connecting to just a few destinations would create an imbalance in load sharing, away from 1/3rd for each link.
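
The effect both replies describe, as an added example that is not part of the original thread and not FortiOS code: a small simulation of sticky, per-session hashing over three links, comparing session share with byte share. The link names, the SHA-256 stand-in hash, the address ranges and the session-size distribution are all constructed assumptions.

```python
import hashlib
import random
from collections import Counter

LINKS = ["wan1", "wan2", "wan3"]  # hypothetical names for the three ISP links

def pick_link(src_ip, dst_ip, links=LINKS):
    """Illustrative source/destination hash (not FortiOS's real one).
    The same address pair always maps to the same link, so sessions stay sticky."""
    digest = hashlib.sha256(f"{src_ip}>{dst_ip}".encode()).digest()
    return links[int.from_bytes(digest[:4], "big") % len(links)]

def simulate(n_sessions, n_hosts, n_dests, seed=1):
    """Return (sessions per link, bytes per link) for constructed traffic."""
    rng = random.Random(seed)
    sessions, volume = Counter(), Counter()
    for _ in range(n_sessions):
        src = f"10.0.0.{rng.randrange(n_hosts) + 1}"
        dst = f"198.51.100.{rng.randrange(n_dests) + 1}"
        # Heavy-tailed sizes: many small web requests, a few bulk transfers.
        size = int(rng.paretovariate(1.2) * 20_000)
        link = pick_link(src, dst)
        sessions[link] += 1
        volume[link] += size
    return sessions, volume

def share(counter):
    """Fraction of the total carried by each link."""
    total = sum(counter.values())
    return {link: round(counter[link] / total, 3) for link in LINKS}

if __name__ == "__main__":
    for label, hosts, dests in [("many hosts, many destinations", 200, 250),
                                ("few hosts, few destinations", 3, 4)]:
        sessions, volume = simulate(30_000, hosts, dests)
        print(label)
        print("  session share:", share(sessions))
        print("  byte share:   ", share(volume))
```

Comparing the two printed scenarios shows why a policy byte counter is a poor measure of whether ECMP is working: the session share is the quantity the hash actually balances.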