Session-Aware Load Balancing Cluster Guide

About Session-Aware Load Balanced Clusters (SLBCs)
SLBC FortiController models
- FortiController-5103B
- FortiController-5903C
- FortiController-5913C
Getting started and SLBC Basics
- SLBC licensing
  - FortiOS Carrier licensing
  - Certificates
- Changing FortiController interface configurations
- Quick SLBC cluster setup
- Managing the cluster
- Monitoring the cluster
- Worker communication with FortiGuard
- Basic cluster NAT/Route mode configuration
  - Using the GUI to configure NAT/Route mode
  - Using the CLI to configure NAT/Route mode
- Primary unit (master) selection
  - Selecting the primary FortiController (and the primary chassis)
  - Selecting the primary worker
- Adding and removing workers
  - Adding one or more new workers
  - Removing a worker from a cluster
- Adding link aggregation (LACP) to an SLBC cluster (FortiController trunks)
  - Adding an aggregated interface
- Individual FortiAnalyzer settings on each worker
  - Configuring different FortiAnalyzer settings for each SLBC worker
  - Configuring different FortiAnalyzer settings for each worker and for the root VDOM of each worker
- Adding VLANs
  - Adding a VLAN to a FortiController interface
- VRRP support
- FGCP to SLBC migration
  - Assumptions
  - Conversion steps
- Updating SLBC firmware
Configuring communication between FortiControllers
- Changing the base control subnet and VLAN
- Changing the base management subnet and VLAN
- Changing the heartbeat VLAN
- Using the FortiController-5103B mgmt interface as a heartbeat interface
- Changing the heartbeat interface mode
- Enabling session sync and configuring the session sync interface
Changing load balancing settings
- Tuning TCP load balancing performance (TCP local ingress)
- Tuning UDP load balancing (UDP local ingress and UDP remote/local session setup)
- Changing the load distribution method
- TCP and UDP local ingress session setup and round robin load balancing
- Changing how UDP sessions are processed by the cluster
- Tuning load balancing performance: fragmented sessions
- Changing session timers
Life of a TCP packet
- Life of a TCP packet (default configuration: TCP local ingress disabled)
- Life of a TCP packet (TCP local ingress enabled)
Life of a UDP packet
- Life of a UDP packet (default configuration: UDP local ingress disabled and UDP remote session setup)
- Life of a UDP packet (UDP local ingress disabled and UDP local session setup)
- Life of a UDP packet (UDP local ingress enabled and UDP remote session setup)
- Life of a UDP packet (UDP local ingress enabled and UDP local session setup)
SLBC with one FortiController-5103B
- Setting up the hardware
- Configuring the FortiController
- Adding the workers to the cluster
- Operating and managing the cluster
Active-Passive SLBC with two FortiController-5103Bs
- Setting up the hardware
- Configuring the FortiControllers
- Adding the workers to the cluster
- Operating and managing the cluster
Dual mode SLBC with two FortiController-5103Bs
- Setting up the Hardware
- Configuring the FortiControllers
- Adding the workers to the cluster
- Operating and managing the cluster
Active-passive SLBC with two FortiController-5103Bs and two chassis
- Setting up the hardware
- Configuring the FortiController in chassis 1
- Configuring the FortiController in chassis 2
- Adding the workers to the cluster
- Operating and managing the cluster
- Checking the cluster status
Active-passive SLBC with four FortiController-5103Bs and two chassis
- Setting up the hardware
- Configuring the FortiController in chassis 1 slot 1
- Configuring the FortiController in chassis 1 slot 2
- Configuring the FortiController in chassis 2 slot 1
- Configuring the FortiController in chassis 2 slot 2
- Configuring the cluster
- Adding the workers to the cluster
- Operating and managing the cluster
- Checking the cluster status
Dual mode SLBC with four FortiController-5103Bs and two chassis
- Setting up the hardware
- Configuring the FortiController in chassis 1 slot 1
- Configuring the FortiController in chassis 1 slot 2
- Configuring the FortiController in chassis 2 slot 1
- Configuring the FortiController in chassis 2 slot 2
- Configuring the cluster
- Adding the workers to the cluster
- Operating and managing the cluster
- Checking the cluster status
Dual mode SLBC with four FortiController-5903Cs and two chassis
- Setting up the hardware
- Configuring the FortiController in Chassis 1 Slot 1
- Configuring the FortiController in chassis 1 slot 2
- Configuring the FortiController in chassis 2 slot 1
- Configuring the FortiController in chassis 2 slot 2
- Configuring the cluster
- Adding the workers to the cluster
- Operating and managing the cluster
- Checking the cluster status
Dual mode SLBC HA with LAGs third-party switch example
AP mode single chassis SLBC with LAGs third-party switch example
AP mode SLBC HA with LAGs third-party switch example
FortiController get and diagnose commands
- get load-balance status
- diagnose system flash list
- diagnose system ha showcsum
- diagnose system ha stats
- diagnose system ha status
- diagnose system ha force-slave-state
- diagnose system load-balance worker-blade status
- diagnose system load-balance worker-blade session-clear
- diagnose switch fabric-channel egress list
- diagnose switch base-channel egress list
- diagnose switch fabric-channel packet heartbeat-counters list
- diagnose switch fabric-channel physical-ports
- diagnose switch fabric-channel mac-address list
- diagnose switch fabric-channel mac-address filter
- diagnose switch fabric-channel trunk list
FortiController/FortiSwitch MIBs
FortiController/FortiSwitch traps
FortiController/FortiSwitch MIB fields
Shelf manager traps
Shelf manager MIB fields
- Shelf manager IPM controller (OID 1.3.6.1.4.1.16394.2.1.1.1)
- Shelf manager FRU device (OID 1.3.6.1.4.1.16394.2.1.1.2)
- Shelf manager sensor (OID 1.3.6.1.4.1.16394.2.1.1.3)
- Shelf manager board (OID 1.3.6.1.4.1.16394.2.1.1.4)
- Shelf manager system event log (sel) (OID 1.3.6.1.4.1.16394.2.1.1.5)
- Shelf manager shelf (OID 1.3.6.1.4.1.16394.2.1.1.6)
- Shelf manager LAN configuration (OID 1.3.6.1.4.1.16394.2.1.1.7)
- Shelf manager platform event filter (PEF) (OIDs 1.3.6.1.4.1.16394.2.1.1.8 - 19)
- Shelf manager FRU info table (OID 1.3.6.1.4.1.16394.2.1.1.20)
- Shelf manager FRU device by site (OID 1.3.6.1.4.1.16394.2.1.1.21)
- Shelf manager FRU LED state (OID 1.3.6.1.4.1.16394.2.1.1.22)
- Shelf manager board basic (OID 1.3.6.1.4.1.16394.2.1.1.32)
- Shelf manager fan tray (OID 1.3.6.1.4.1.16394.2.1.1.33)
- Shelf manager power supply (OID 1.3.6.1.4.1.16394.2.1.1.34)
- Shelf manager shelf manager (OID 1.3.6.1.4.1.16394.2.1.1.35)
- Shelf manager chassis (OID 1.3.6.1.4.1.16394.2.1.1.36)
- Shelf manager events (OID 1.3.6.1.4.1.16394.2.1.1.37)
- Shelf manager shelf manager status (OID 1.3.6.1.4.1.16394.2.1.1.38)
- Shelf manager shelf manager version (OID 1.3.6.1.4.1.16394.2.1.1.39)
- Shelf manager telco alarm (OID 1.3.6.1.4.1.16394.2.1.1.40)
- Shelf manager SEL information (OID 1.3.6.1.4.1.16394.2.1.1.41)
FortiController/FortiSwitch SNMP links
Change log

Home FortiController 5.2.11 Session-Aware Load Balancing Cluster Guide

5.2.11

Changing session timers

Go to Load Balance > Session > Timer to view and change load balancing session timers. These timers control how long the FortiController waits before closing a session or performing a similar activity. In most cases you do not have to adjust these timers, but they are available for performance tuning. The range for each timer is 1 to 15,300 seconds.

Use the following command to change these timers from the CLI:

config load-balance session-age

set fragment 120

set pin-hole 120

set rsync 300

set tcp-half-close 125

set tcp-half-open 125

set tcp-normal 3605

set tcp-timewait 2

set udp 185

end

Four of these FortiController timers have corresponding timers in the FortiGate-5000 configuration. The FortiController timers must be set to values greater than or equal to the corresponding FortiGate-5000 timers.

The worker timers are (default values shown):

config global

config system global

set tcp-halfclose-timer 120

set tcp-halfopen-timer 120

set tcp-timewait-timer 1

set udp-idle-timer 180

end

The following timers are supported:

age-interval tcp normal	The time to wait without receiving a packet before the session is considered closed. Default 3605 seconds.
age-interval tcp timewait	The amount of time that the FortiController keeps normal TCP sessions in the TIME_WAIT state. Default is 2 seconds.
age-interval tcp half-open	The amount of time that the FortiController keeps normal TCP sessions in the HALF_OPEN state. Default is 125 seconds.
age-interval tcp half-close	The amount of time that the FortiController keeps normal TCP sessions in the HALF_CLOSE state. Default is 125 seconds.
age-interval udp	The amount of time that the FortiController keeps normal UDP sessions open after a packet is received. Default is 185 seconds.
age-interval pin-hole	The amount of time that the FortiController keeps pinhole sessions open. Default is 120 second.
age-interval rsync	When two FortiControllers are operating in HA mode, this timer controls how long a synced session can remain on the subordinate unit due to inactivity. If the session is active on the primary unit, rsync updates the session on the subordinate unit. So a long delay means the session is no longer active and should be removed from the subordinate unit. Default is 300 seconds.
age-interval fragment	To track fragmented frames, the FortiController creates fragmented sessions to track the individual fragments. Idle fragmented sessions are removed when this timer expires. Default is 120 seconds.