Improving session sync performance
Two HA configuration options are available to reduce the performance impact of enabling session-pickup:
- Reducing the number of sessions that are synchronized.
- Using more FortiGate interfaces for session synchronization.
Reducing the number of sessions that are synchronized
When session pickup is enabled, every new session is synchronized to the other cluster units. To reduce the number of synchronized sessions, enable the session-pickup-delay option, which synchronizes only sessions that have been active for more than 30 seconds. This can substantially cut synchronization load for clusters that carry many short sessions, such as HTTP traffic, because most of those sessions end before they are ever synchronized.
Use the following commands to enable a 30-second delay:
config system ha
    set session-pickup-delay enable
end
The trade-off is that sessions younger than 30 seconds at the moment of a failover are not resumed on the new primary unit; most short sessions can simply be restarted by the client with minor interruption.
Using multiple FortiGate interfaces for session synchronization
The session-sync-dev option lets you choose one or more FortiGate interfaces to carry session synchronization traffic (the traffic that makes session pickup possible). By default, session synchronization takes place over the HA heartbeat link. When this option is set, only the chosen interfaces are used for session synchronization and the HA heartbeat link carries heartbeat traffic alone. If multiple interfaces are selected, the session synchronization traffic is load balanced among them.
Shifting session synchronization away from the HA heartbeat interface can reduce the bandwidth needed for HA heartbeat traffic, potentially enhancing the cluster’s efficiency and performance. This is particularly true if the cluster is synchronizing a large volume of sessions. Load balancing session synchronization across multiple interfaces can further boost performance and efficiency when dealing with a large number of sessions.
To perform cluster session synchronization using the port10 and port12 interfaces:
config system ha
    set session-sync-dev port10 port12
end
The interfaces chosen for session synchronization must be interconnected, either directly with the appropriate cable (if the cluster contains only two units) or through switches. If one of the interfaces becomes disconnected, the cluster uses the remaining interfaces for session synchronization. If all of the session synchronization interfaces become disconnected, session synchronization reverts to the HA heartbeat link. All session synchronization traffic flows between the primary unit and each subordinate unit.
Since large amounts of session synchronization traffic can increase network congestion, it is recommended to isolate this traffic from your network by using dedicated connections.
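Both options applied in a single HA configuration, as an added example rather than a fragment taken from the original page. The group name, the password placeholder, and the interface names (port3 and port4 for heartbeat, port10 and port12 for session synchronization) are assumed for illustration and must match your own cabling.

```fortios
# Added example (not from the original page); interface names,
# group name and password are assumed placeholders.
config system ha
    set group-name "ha-cluster"
    set mode a-p
    set password "<cluster-password>"
    # Heartbeat interfaces: carry only HA heartbeat once session-sync-dev is set
    set hbdev "port3" 50 "port4" 50
    # Session synchronization must be on for session pickup to work at all
    set session-pickup enable
    # Sync only sessions that have been active for more than 30 seconds
    set session-pickup-delay enable
    # Dedicated, interconnected links for sync traffic; load balanced across both
    set session-sync-dev "port10" "port12"
end
```

After committing, confirm the cluster is in sync with `get system ha status` on the primary unit; if port10 and port12 are not actually interconnected between the units, the cluster silently falls back to the heartbeat link for session synchronization and the bandwidth benefit is lost.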