New Features

Option to Disable Stateful SCTP Inspection

You now have the option to disable stateful SCTP inspection. This option is useful when FortiGates are deployed in a High Availability (HA) cluster that uses the FortiGate Clustering Protocol (FGCP) and virtual clustering in a multihoming topology. In this configuration, the primary Stream Control Transmission Protocol (SCTP) path traverses the primary FortiGate node by using its active VDOM (for example, VDOM1), and the backup SCTP path traverses the other passive FortiGate node by using its active VDOM (for example VDOM2).

When stateful SCTP inspection is enabled, SCTP heartbeat traffic fails on the backup path because the primary path goes through a different FortiGate unit and VDOM. Since no state is shared between VDOMs, the passive FortiGate is not aware of the original SCTP association and drops the heartbeats because they match no existing session.

You can now use the following command to disable stateful inspection of SCTP, which allows the passive node to permit the SCTP heartbeats to pass:

config sys settings
    set sctp-session-without-init enable
end

When set to enable, an SCTP session can be created without an SCTP INIT chunk being seen. When set to disable, a session is only created when the INIT chunk is seen. The default setting is disable.

Following is an example topology and scenario:

In this example, FGT_A and FGT_B are in HA active-passive (a-p) mode with two virtual clusters, so each virtual cluster has its primary on a different FortiGate unit. PC1 eth1 can reach PC5 eth1 through Vdom1, and PC1 eth2 can reach PC5 eth2 through Vdom2.

On PC5, listening for SCTP connection:

sctp_darn -H 172.16.200.55 -B 172.17.200.55 -P 2500 -l

On PC1, start SCTP connection:

sctp_darn -H 10.1.100.11 -B 20.1.100.11 -P 2600 -c 172.16.200.55 -c 172.17.200.55 -p 2500 -s

The SCTP 4-way handshake takes place on one VDOM, and a session is created on that VDOM only. With the default configuration there is no session on the other VDOM, so the heartbeat sent over the other path (through the other VDOM) is dropped. After sctp-session-without-init is enabled, the other VDOM creates a session when it receives the heartbeat and forwards it.
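The scenario above, as an added Python illustration that is not FortiOS code (the Vdom class, run_scenario function and chunk names are a hypothetical model): each VDOM keeps its own session table, the handshake populates only VDOM1, and a HEARTBEAT arriving at VDOM2 over the backup path is dropped unless the sctp-session-without-init behaviour is enabled.

```python
# Added illustration (not FortiOS code): a minimal model of per-VDOM SCTP
# session tracking, showing why the backup-path HEARTBEAT is dropped by
# default and forwarded once session creation without INIT is allowed.
from dataclasses import dataclass, field

# Chunks of the SCTP 4-way handshake, in order (client<->server alternating)
HANDSHAKE = ("INIT", "INIT-ACK", "COOKIE-ECHO", "COOKIE-ACK")


@dataclass
class Vdom:
    """One VDOM with its own session table; no state is shared between VDOMs."""
    name: str
    sctp_session_without_init: bool = False   # models the FortiOS default: disable
    sessions: set = field(default_factory=set)

    def inspect(self, src, dst, chunk):
        """Return 'forward' or 'drop' for one SCTP packet; src/dst are (ip, port)."""
        key = frozenset({src, dst})            # association is bidirectional
        if chunk == "INIT":
            self.sessions.add(key)             # stateful inspection: session starts at INIT
            return "forward"
        if key in self.sessions:
            return "forward"                   # packet belongs to a known session
        if chunk == "HEARTBEAT" and self.sctp_session_without_init:
            self.sessions.add(key)             # create the session from the heartbeat
            return "forward"
        return "drop"                          # no session and no INIT: drop


def run_scenario(enable_option):
    """Primary path through vdom1, backup (heartbeat) path through vdom2.
    Addresses are the ones from the sctp_darn commands in the example."""
    vdom1 = Vdom("vdom1", enable_option)
    vdom2 = Vdom("vdom2", enable_option)
    a, b = ("10.1.100.11", 2600), ("172.16.200.55", 2500)   # primary path
    c, d = ("20.1.100.11", 2600), ("172.17.200.55", 2500)   # backup path
    # The 4-way handshake traverses only the primary path, i.e. only vdom1
    for chunk, (s, t) in zip(HANDSHAKE, [(a, b), (b, a), (a, b), (b, a)]):
        assert vdom1.inspect(s, t, chunk) == "forward"
    # HEARTBEAT for the backup transport address arrives at vdom2 instead
    return vdom2.inspect(c, d, "HEARTBEAT")


if __name__ == "__main__":
    print("default  :", run_scenario(False))   # drop
    print("enabled  :", run_scenario(True))    # forward
```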
