TCP and SCTP sessions

6.0.0

Use the following to enable session synchronization for TCP and SCTP sessions and to configure the FGSP to use the port8 interface for synchronizing traffic:

config system ha
    set session-pickup enable
    set hbdev "port8" 50
end

Automatic session sync after peer reboot

You can configure your FGSP deployment to resume sessions more smoothly after a failed FortiGate rejoins the deployment. In some cases, when a failed FortiGate comes back up, it may begin processing sessions before the session table from the other FortiGate has been synchronized to it. When this happens, the FortiGate may drop packets until session synchronization is complete.

Shutting down interfaces during session synchronization

This feature allows you to shut down some interfaces on the failed FortiGate when it starts up so that it will not accept packets until session synchronization is complete. The interfaces are then brought up and traffic can flow. While the interfaces are down, the FortiGate that has not failed keeps processing traffic.

Use the following to select the interfaces to shut down while waiting for session synchronization to complete:

config system cluster-sync
    edit 1
        set down-intfs-before-sess-sync port1 port2
end

Heartbeat monitoring

If the FortiGate that was running fails before session synchronization is complete, the FortiGate that is restarting will not be able to complete session synchronization and will not turn on its shutdown interfaces. To prevent this from happening, FGSP includes heartbeat monitoring. Using heartbeat monitoring, the FortiGate that is waiting for session synchronization to finish can detect that the other FortiGate is down and turn on its interfaces even if session synchronization is not complete. Use the following to adjust heartbeat monitoring timing by changing the heartbeat interval (hb-interval) and the lost heartbeat threshold (hb-lost-threshold):

config system cluster-sync
    edit 1
        set hb-interval 2
        set hb-lost-threshold 3
end
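
The following is an added example, not Fortinet code: a small Python audit that parses a saved configuration and checks the settings described on this page together. The function names and the sample configuration are constructed for illustration, and the rule that the synchronization interface should not also be listed in down-intfs-before-sess-sync is an inference from the description above, not a documented FortiOS constraint.

```python
import shlex

# Constructed sample: the page's three snippets combined as in a config backup.
SAMPLE_CONFIG = """
config system ha
    set session-pickup enable
    set hbdev "port8" 50
end
config system cluster-sync
    edit 1
        set down-intfs-before-sess-sync port1 port2
        set hb-interval 2
        set hb-lost-threshold 3
    next
end
"""

def parse_config(text):
    """Parse config/edit/set/next/end lines into nested dicts of {key: [values]}."""
    root = {}
    stack = [("root", root)]
    for line in text.splitlines():
        tokens = shlex.split(line) or [""]  # blank lines fall through unmatched
        word, args = tokens[0], tokens[1:]
        if word in ("config", "edit"):
            stack.append((word, stack[-1][1].setdefault(" ".join(args), {})))
        elif word == "set" and args:
            stack[-1][1][args[0]] = args[1:]
        elif word == "next" and stack[-1][0] == "edit":
            stack.pop()
        elif word == "end":
            # "end" typed inside an edit (as on this page) closes the edit and its table.
            while len(stack) > 1 and stack.pop()[0] != "config":
                pass
    return root

def audit_fgsp(cfg):
    """Return findings for the FGSP settings on this page (empty list = consistent)."""
    findings = []
    ha = cfg.get("system ha", {})
    if ha.get("session-pickup") != ["enable"]:
        findings.append("session-pickup is not enabled")
    sync_intfs = set(ha.get("hbdev", [])[0::2])  # hbdev holds name/priority pairs
    if not sync_intfs:
        findings.append("no hbdev interface set for synchronization traffic")
    for peer, settings in cfg.get("system cluster-sync", {}).items():
        held = set(settings.get("down-intfs-before-sess-sync", []))
        # Assumption: holding the sync interface down would block the sync it waits for.
        for intf in sorted(held & sync_intfs):
            findings.append(f"cluster-sync {peer}: {intf} carries sync traffic but is held down")
        if held and not {"hb-interval", "hb-lost-threshold"}.issubset(settings):
            findings.append(f"cluster-sync {peer}: held-down interfaces rely on default heartbeat timing")
    return findings
```

Calling `audit_fgsp(parse_config(text))` on the text of a configuration backup returns one line per inconsistency.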
