5.3 Reliable Communication Links

The units in an HA domain can use the following three types of communication links to exchange their status messages to ensure the high reliability of the communication.

• Fast Failover (FFO) Link
• Primary Link
• Secondary Link

The FFO link is established by directly connecting two HA units’ FFO ports through a dedicated FFO cable. Therefore, it can only be used for the Active/Active and Active/Standby deployment scenarios with two units. By default, the FFO link is disabled. The main functions of the FFO link are as follows:

• Heartbeat packet transmission: When the HA function is running, the local unit can use the FFO link to send the heartbeat packets to detect the peer unit’s status.
• Bootup Synconfig: When the FFO link and Bootup Synconfig are both enabled, the local unit can synchronize the HA unit and link configurations from the peer unit.
• Fast Failover: When the local unit is down, the peer unit can perform fast failover through the FFO link.

The primary and secondary links are also called network links, because both of them connect the two units through ordinary network cables. Only one primary link can be established between any two units, while at most 31 secondary links are allowed between any two units. By defaults, the network links are enabled.

After adding multiple units for an HA domain, the system will establish primary link connections between each two units automatically. The main functions of the primary link are as follows:

• Heartbeat packet transmission: The local unit can send the heartbeat packets to its peer units through the primary link to detect the peer units’ status.
• Bootup Synconfig: With both Bootup Synconfig and the HA function enabled, the local unit can synchronize the configurations (except HA link configurations) from the peer units. This behavior is the same as executing the command “synconfig from”.
• Runtime Synconfig: With Runtime Synconfig enabled, when the configurations (such as HA, SLB and IP pool) of the local unit are modified, the unit can synchronize the modifications to the peer units via the primary link. This behavior is the same as executing the command “synconfig to”.

The secondary link is optional and just used for heartbeat packets transmission. The administrator has to manually set up the same secondary link configurations on the local unit and the peer units. Please be noted that to establish a secondary link between two units, you need to configure a secondary link with the same ID on the two units respectively.

For example, the IP address of two HA units “u1” and “u2” are 192.168.1.1 and 192.168.1.2 respectively. To establish a secondary link between the two units, the following two commands must be executed on both units:

FortiBalancer(config)#ha link network secondary u1 1 192.168.1.1 65521

FortiBalancer(config)#ha link network secondary u2 1 192.168.1.2 65521

After the above configurations are finished on both units, a secondary link with ID “1” is established between “u1” and “u2”.

The table below shows the differences and similarities among the three types of HA communication links.

Table 5-1 Differences and Similarities Among the HA Links