Session-Aware Load Balancing Cluster Guide

Configuring communication between FortiControllers

5.2.10

SLBC clusters consisting of more than one FortiController use the following types of communication between FortiControllers to operate normally:

  • Heartbeat communication allows the FortiControllers in the cluster to find each other and share status information. If a FortiController stops sending heartbeat packets, the other cluster members consider it down. By default, heartbeat traffic uses VLAN 999.
  • Base control communication between FortiControllers on subnet 10.101.11.0/255.255.255.0 using VLAN 301.
  • Base management communication between FortiControllers on subnet 10.101.10.0/255.255.255.0 using VLAN 101.
  • Session synchronization between FortiControllers in different chassis so that if one FortiController fails another can take its place and maintain active communication sessions. FortiController-5103B session sync traffic uses VLAN 2000. FortiController-5903C and FortiController-5913C session sync traffic uses VLAN 1900 between the FortiControllers in slot 1 and VLAN 1901 between the FortiControllers in slot 2. You cannot change these VLANs. Session sync synchronizes sessions between workers that have the same slot-id (for example, chassis 1 slot 3 to chassis 2 slot 3). With session sync enabled, if a failover occurs the SLBC cluster uses a best-effort approach to maintain existing sessions.

If a cluster contains more than one FortiController you must connect their front panel B1 and B2 interfaces together for heartbeat and base control and management communication. You can also use the front panel Mgmt interface for this configuration.

A cluster with two chassis must include session synchronization connections among all of the FortiControllers.

  • For the FortiController-5103B you must connect one of the front panel F1 to F8 interfaces of all of the FortiController-5103Bs together. For example, in a FortiController-5103B cluster with two chassis you can connect the F8 interfaces of the FortiControllers in the cluster together.
  • For the FortiController-5903C and FortiController-5913C cluster you use the B1 and B2 interfaces for session synchronization connections.

See the two-chassis examples in this document for details. The requirements for these session sync connections depend on the type of cluster.

  • In a two chassis A-P mode cluster with two or four FortiController-5103Bs, the session sync ports of all FortiController-5103Bs (for example F8) must be connected to the same broadcast domain by connecting all of the F8 interfaces to the same switch.
  • In a FortiController-5103B two-chassis dual mode cluster, session sync ports must be connected 1-to-1 according to chassis slot: F8 of the FortiController-5103B in chassis 1 slot 1 must be connected to F8 in chassis 2 slot 1, and F8 in chassis 1 slot 2 must be connected to F8 in chassis 2 slot 2. Because these are 1-to-1 connections, you can use patch cables to connect them. You can also make these connections through a switch.
  • In a two-chassis A-P or dual mode cluster with two or four FortiController-5903Cs or FortiController-5913Cs, all of the B1 interfaces must be connected to the same 10 Gbps switch, and all of the B2 interfaces must be connected to a different 10 Gbps switch. Connecting the B1 and B2 interfaces to the same switch is not recommended because it requires a double-tagging VLAN configuration.
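The three cabling rules above can be checked against a cabling plan before the cluster is powered up. The following Python sketch is an added example, not Fortinet code; the `(chassis, slot, port, segment)` input format, the function name and the sample layouts are assumptions made for illustration.

```python
from collections import defaultdict

def check_session_sync(model, mode, links):
    """Return cabling problems for a two-chassis cluster (empty list = OK).
    links: (chassis, slot, port, segment) tuples; segment names the switch
    or patch cable the port plugs into (this input format is an assumption).
    """
    by_port = defaultdict(set)          # port -> segments that port lands on
    by_slot = defaultdict(set)          # slot -> segments used by that slot
    chassis_by_slot = defaultdict(set)  # slot -> chassis that are cabled
    for chassis, slot, port, segment in links:
        by_port[port].add(segment)
        by_slot[slot].add(segment)
        chassis_by_slot[slot].add(chassis)

    problems = []
    if model == "5103B" and mode == "a-p":
        # Every session sync port must sit in one broadcast domain.
        segments = set().union(*by_port.values())
        if len(segments) != 1:
            problems.append(f"session sync ports span {sorted(segments)}")
    elif model == "5103B" and mode == "dual":
        # Chassis 1 slot N pairs with chassis 2 slot N.
        for slot in sorted(by_slot):
            if chassis_by_slot[slot] != {1, 2}:
                problems.append(f"slot {slot}: not cabled in both chassis")
            elif len(by_slot[slot]) != 1:
                problems.append(f"slot {slot}: chassis 1 and 2 not connected")
    elif model in ("5903C", "5913C"):
        # All B1 on one switch, all B2 on a different switch (A-P or dual).
        for port in ("B1", "B2"):
            if len(by_port[port]) != 1:
                problems.append(f"{port} ports span {sorted(by_port[port])}")
        if by_port["B1"] & by_port["B2"]:
            problems.append("B1 and B2 share a switch (needs double tagging)")
    else:
        raise ValueError(f"unsupported model/mode: {model} {mode}")
    return problems

# Constructed sample layouts.
DUAL_OK = [(1, 1, "F8", "patch-a"), (2, 1, "F8", "patch-a"),
           (1, 2, "F8", "patch-b"), (2, 2, "F8", "patch-b")]
DUAL_CROSSED = [(1, 1, "F8", "patch-a"), (2, 2, "F8", "patch-a"),
                (1, 2, "F8", "patch-b"), (2, 1, "F8", "patch-b")]
C_SHARED = [(1, 1, "B1", "sw1"), (2, 1, "B1", "sw1"),
            (1, 1, "B2", "sw1"), (2, 1, "B2", "sw1")]

if __name__ == "__main__":
    print(check_session_sync("5103B", "dual", DUAL_CROSSED))
```

The same physical layout can pass in one mode and fail in another: `DUAL_OK` satisfies the dual mode rule but is reported for A-P mode because the F8 ports are not in a single broadcast domain.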

Network equipment carrying this communication must be able to handle the traffic. This traffic uses VLANs and specific subnets so you may have to configure the network equipment to allow this communication.
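As an added example (not Fortinet code), the Python sketch below audits a switch trunk's allowed-VLAN list against the VLANs this page lists. The comma-and-range list syntax, the role names `base` and `sync`, and the function names are assumptions; it also assumes that on FortiController-5903C and 5913C links both session sync VLANs are expected on each B1/B2 switch.

```python
# VLAN numbers come from the list at the top of this page.
SYNC_VLANS = {
    "5103B": {2000: "session sync"},
    "5903C": {1900: "session sync, slot 1", 1901: "session sync, slot 2"},
    "5913C": {1900: "session sync, slot 1", 1901: "session sync, slot 2"},
}

def parse_allowed(spec):
    """Expand an allow-list such as '101,301,999,1900-1901' into a set."""
    allowed = set()
    for part in spec.replace(" ", "").split(","):
        if part:
            low, _, high = part.partition("-")
            allowed.update(range(int(low), int(high or low) + 1))
    return allowed

def missing_vlans(model, allowed_spec, roles, heartbeat_vlan=999):
    """Return {vlan: purpose} for VLANs the link needs but does not allow.

    roles: subset of {"base", "sync"} naming what the link carries
    (hypothetical labels). heartbeat_vlan defaults to 999, the page's
    default heartbeat VLAN.
    """
    required = {}
    if "base" in roles:
        required.update({heartbeat_vlan: "heartbeat",
                         301: "base control",
                         101: "base management"})
    if "sync" in roles:
        required.update(SYNC_VLANS[model])
    allowed = parse_allowed(allowed_spec)
    return {v: p for v, p in sorted(required.items()) if v not in allowed}

# Constructed sample trunks: (model, allowed VLANs, roles carried).
SAMPLE_TRUNKS = {
    "5103B B1/B2 switch": ("5103B", "101,301", {"base"}),
    "5103B F8 switch": ("5103B", "1-1000", {"sync"}),
    "5913C B1 switch": ("5913C", "101,301,999,1900-1901", {"base", "sync"}),
}

if __name__ == "__main__":
    for name, (model, spec, roles) in SAMPLE_TRUNKS.items():
        print(name, missing_vlans(model, spec, roles) or "OK")
```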
