Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
vrajendran
Staff
Staff

Created on ‎03-30-2016 12:43 AM

Article Id 196568

Technical Tip: HA override wait timer

Description
This article explains the override enable wait timer option to address issue when HA override option is enabled on Active-Passive deployment, during HA fall back the former master unit will reclaim back the master role and will cause network interruption.

With this override-wait-timer option configured under HA setting, it makes the former master unit wait for number of second before taking back the master role, this is to ensure that all the sessions and routing tables have been completely synced.

Solution
Non virtual cluster environment

Configure this option on the master unit where override is enabled which having higher priority, for non-virtual setup most of the time will be configure on the master unit.
# config system ha
     set override-wait-timer <n sec>
end
Here is an example of working HA setting
# config system ha
    set group-name "HA_cluster"
    set mode a-p
    set hbdev "port27" 100 "port28" 100
    set session-pickup enable
    set override enable              <<  ensure override is enable
    set override-wait-time 120       <<  enable this command
    set priority 200
Virtual cluster environment

On virtual cluster environment, some environment required to have VDOM running on passive or slave unit to make both device running at the same time sort of like Active-Active deployment in the matter of fact is still configure as Active-Passive.

Setting still the same and do applied to device that having higher priority, below is the sample of the setup.

Master HA setting
# config system ha
    set group-name "HA_cluster"
    set mode a-p
    set hbdev "port27" 100 "port28" 100
    set session-pickup enable
    set vcluster2 enable
    set override enable              <<  ensure override is enable
    set override-wait-time 120       <<  override-wait-time
    set priority 200
      config secondary-vcluster
        set override enable          <<  ensure override is enable
        set priority 100
        set monitor "port9" "port10"
        set vdom "WANFW"
      end
end
Slave HA setting.
# config system ha
    set group-name "HA_cluster"
    set mode a-p
    set hbdev "port27" 100 "port28" 100
    set session-pickup enable
    set vcluster2 enable
    set override enable               << ensure override is enable
    set priority 100
       config secondary-vcluster
          set override enable         << ensure override is enable
          set override-wait-time 120  << override-wait-time
          set priority 200
          set monitor "port9" "port10"
          set vdom "WANFW"
        end

11100
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.