RJ1
Explorer II
September 30, 2024
Solved

Synchronise sessions between FortiGate devices in Azure in HA (active-passive)

  • September 30, 2024
  • 3 replies
  • 6231 views

I have FortiGates in Azure deployed as per the scenario below:

Active-passive with external and internal Azure load balancer (LB)

Can session synchronization happen between the FortiGates? If yes, how? If no, why not?

 


3 replies

Gallego
Staff
September 30, 2024

Hi RJ1,

Session sync is usually used in auto-scaling deployments or in active-active. You can check more details here: https://docs.fortinet.com/document/fortigate-public-cloud/7.6.0/azure-administration-guide/917631/configuring-fgsp-session-sync

JohnMcdo
Staff
September 30, 2024

Hi RJ1,

Yes.

Session sync is enabled by default when an HA A/P FortiGate pair is deployed using the Azure Marketplace or the Fortinet GitHub Azure templates: https://github.com/fortinet/azure-templates/blob/main/FortiGate/Active-Passive-ELB-ILB/doc/config-provisioning.md

 

In the link above you'll see config sections for FortiGate A and FortiGate B; each FortiGate has a section for config system ha, similar to this:

config system ha
    set group-name AzureHA
    set mode a-p
    set hbdev port3 100
    set session-pickup enable
    set session-pickup-connectionless enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface port4
            set gateway 172.16.136.193
        next
    end
    set override disable
    set priority 255
    set unicast-hb enable
    set unicas [truncated in the original post]

Hope this helps.

RJ1 (Author)
Explorer II
October 1, 2024

Thanks for your answer. When I initiated an RDP connection from my machine to one of the servers behind the firewall, I could see the session on both firewalls (A/P). When I checked the session table on both virtual appliances (FW), I could see the RDP session on both, which means that sessions are being properly synced between the two nodes.
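The check RJ1 describes (the same RDP session visible in both session tables once session-pickup is enabled, as in the config system ha block JohnMcdo quotes) can be scripted. The following is an added example, not code from the thread or from Fortinet: it parses two captured outputs of diagnose sys session list and reports which sessions exist on both HA members, which are missing on one side, and which shared sessions the secondary does not flag as received from the peer. The two captures below are constructed for the example and only approximate the real output (the parser keys on the "session info:", "state=" and "hook=... dir=org" lines and ignores everything else); the "synced" state flag is an assumption about how FortiOS labels sessions learned through session-pickup, so check it against a real capture before relying on that part of the report.

```python
import re
from collections import namedtuple

# One firewall session, identified by protocol number and the original-direction 4-tuple.
FlowKey = namedtuple("FlowKey", "proto src sport dst dport")

# The three line types this parser keys on. Real 'diagnose sys session list' output
# carries many more lines per session; they are ignored here.
_PROTO_RE = re.compile(r"^session info: proto=(\d+)")
_STATE_RE = re.compile(r"^state=(.*)$")
_ORG_RE = re.compile(
    r"^hook=\w+ dir=org act=\w+ (\d+\.\d+\.\d+\.\d+):(\d+)->(\d+\.\d+\.\d+\.\d+):(\d+)"
)


def parse_session_list(text):
    """Parse session-list text into {FlowKey: set of state flags}."""
    sessions = {}
    proto, flags, key = None, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        m = _PROTO_RE.match(line)
        if m:
            if key is not None:  # a new block starts: flush the previous session
                sessions[key] = flags
            proto, flags, key = int(m.group(1)), set(), None
            continue
        m = _STATE_RE.match(line)
        if m:
            flags = set(m.group(1).split())
            continue
        m = _ORG_RE.match(line)
        if m and proto is not None:
            key = FlowKey(proto, m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))
    if key is not None:
        sessions[key] = flags
    return sessions


def compare_session_tables(primary_text, secondary_text):
    """Report sessions on both members, on one member only, and shared ones lacking the sync flag."""
    a = parse_session_list(primary_text)
    b = parse_session_list(secondary_text)
    both = sorted(set(a) & set(b))
    return {
        "both": both,
        "only_primary": sorted(set(a) - set(b)),
        "only_secondary": sorted(set(b) - set(a)),
        # Assumption: a session the secondary received through session-pickup carries 'synced'
        # in its state line; a shared session without it was built locally on the secondary.
        "not_marked_synced_on_secondary": [k for k in both if "synced" not in b[k]],
    }


# Constructed captures (not real device output): an RDP and a DNS session on both members,
# plus a 2-second-old HTTPS session that has not reached the secondary.
FGT_A_SESSIONS = """
session info: proto=6 proto_state=01 duration=41 expire=3559 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
state=log may_dirty
hook=post dir=org act=snat 10.10.1.5:51522->10.10.2.10:3389(10.10.2.4:51522)
hook=pre dir=reply act=dnat 10.10.2.10:3389->10.10.2.4:51522(10.10.1.5:51522)
session info: proto=17 proto_state=01 duration=3 expire=177 timeout=180 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
state=may_dirty
hook=post dir=org act=snat 10.10.1.5:40021->10.10.2.53:53(10.10.2.4:40021)
hook=pre dir=reply act=dnat 10.10.2.53:53->10.10.2.4:40021(10.10.1.5:40021)
session info: proto=6 proto_state=01 duration=2 expire=3598 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
state=log may_dirty
hook=post dir=org act=snat 10.10.1.7:50100->10.10.2.20:443(10.10.2.4:50100)
hook=pre dir=reply act=dnat 10.10.2.20:443->10.10.2.4:50100(10.10.1.7:50100)
total session 3
"""

FGT_B_SESSIONS = """
session info: proto=6 proto_state=01 duration=41 expire=3559 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
state=log may_dirty synced
hook=post dir=org act=snat 10.10.1.5:51522->10.10.2.10:3389(10.10.2.4:51522)
hook=pre dir=reply act=dnat 10.10.2.10:3389->10.10.2.4:51522(10.10.1.5:51522)
session info: proto=17 proto_state=01 duration=3 expire=177 timeout=180 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
state=may_dirty synced
hook=post dir=org act=snat 10.10.1.5:40021->10.10.2.53:53(10.10.2.4:40021)
hook=pre dir=reply act=dnat 10.10.2.53:53->10.10.2.4:40021(10.10.1.5:40021)
total session 2
"""

if __name__ == "__main__":
    result = compare_session_tables(FGT_A_SESSIONS, FGT_B_SESSIONS)
    for label, keys in result.items():
        print(label)
        for k in keys:
            print(f"  proto={k.proto} {k.src}:{k.sport} -> {k.dst}:{k.dport}")
```

Replace the two constructed strings with captures taken from each member over its HA management interface. A session that shows up only on the primary is not necessarily a sync failure: a very young session may simply not have been copied yet, and if session-pickup-delay is enabled in config system ha, sessions shorter than its threshold are never synced at all.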

JoerVan
Staff
October 1, 2024

Hi RJ1,

As you are using the Azure Load Balancer (external and internal), make sure to review the behaviour when a back-end server (the FGT, in this case) fails.

https://learn.microsoft.com/en-us/azure/load-balancer/components#health-probes

Joeri

avinash_v (accepted answer)
Staff
October 8, 2024

This is a known issue with the Azure load balancer: even after a health probe has failed, it will not re-route the existing sessions.
This is by design, intended to give the administrator the opportunity to shut the application down gracefully and avoid any unexpected, sudden termination of an ongoing application workflow.

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-FortiGate-creates-a-new-session-on-a/ta-p/327740

https://learn.microsoft.com/en-us/answers/questions/1692319/azure-loadbalancer-failover-sessions-not-handed-ov
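To make the consequence concrete, here is an added example that is not from the thread and is neither Azure's nor Fortinet's code. It models the behaviour avinash_v describes: a balancer that pins an existing flow to the backend chosen on its first packet and consults health probes only for new flows, placed in front of a two-member pair where session-pickup copies each session to the peer. FortiGateNode, HaPair, LoadBalancerModel and failover_scenario are names made up for the example; the rehash_existing_flows switch is a hypothetical balancer that would re-steer existing flows on a probe failure, included only to show what the synced session would buy if the balancer did that.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class FortiGateNode:
    """One HA member: its probe state and the sessions it holds."""
    name: str
    healthy: bool = True
    sessions: set = field(default_factory=set)


@dataclass
class HaPair:
    """Two members; with session_pickup a session created on one is copied to the other."""
    primary: FortiGateNode
    secondary: FortiGateNode
    session_pickup: bool = True

    def peer_of(self, node):
        return self.secondary if node is self.primary else self.primary

    def accepts(self, node, flow, syn):
        """Would this member forward the packet? A SYN creates a session; anything else needs one."""
        if node is None or not node.healthy:
            return False
        if syn:
            node.sessions.add(flow)
            if self.session_pickup:
                self.peer_of(node).sessions.add(flow)  # session-pickup copies it to the peer
            return True
        return flow in node.sessions


class LoadBalancerModel:
    """Flow-pinned, probe-gated distribution: a model of the documented behaviour, not Azure's code."""

    def __init__(self, backends):
        self.backends = backends
        self.flows = {}  # flow key -> backend chosen on the flow's first packet

    def pick(self, flow):
        if flow in self.flows:
            return self.flows[flow]  # existing flow: pinned; probe state is not re-evaluated
        healthy = [b for b in self.backends if b.healthy]
        if not healthy:
            return None
        digest = hashlib.sha256(repr(flow).encode()).digest()  # stand-in for the 5-tuple hash
        chosen = healthy[int.from_bytes(digest[:4], "big") % len(healthy)]
        self.flows[flow] = chosen
        return chosen


def failover_scenario(rehash_existing_flows=False, session_pickup=True):
    """Open an RDP flow, fail the member it landed on, then send one more packet and one reconnect."""
    fgt_a, fgt_b = FortiGateNode("FGT-A"), FortiGateNode("FGT-B")
    pair = HaPair(fgt_a, fgt_b, session_pickup=session_pickup)
    lb = LoadBalancerModel([fgt_a, fgt_b])
    rdp = ("tcp", "10.10.1.5", 51522, "10.10.2.10", 3389)  # constructed client flow

    first = lb.pick(rdp)                # step 1: SYN; the balancer pins the flow to one member
    pair.accepts(first, rdp, syn=True)  # that member builds the session (and syncs it if enabled)

    first.healthy = False               # step 2: that member dies; its probe fails
    survivor = pair.peer_of(first)

    if rehash_existing_flows:           # hypothetical balancer that re-steers existing flows
        lb.flows.pop(rdp)
    target = lb.pick(rdp)               # step 3: next data packet of the established flow
    mid_stream_ok = pair.accepts(target, rdp, syn=False)

    reconnect = rdp[:2] + (51523,) + rdp[3:]  # step 4: client reconnects: new source port, new flow
    reconnect_ok = pair.accepts(lb.pick(reconnect), reconnect, syn=True)

    return {
        "existing_flow_sent_to": None if target is None else target.name,
        "existing_flow_survives": mid_stream_ok,
        "survivor_has_synced_session": rdp in survivor.sessions,
        "reconnect_succeeds": reconnect_ok,
    }


if __name__ == "__main__":
    print("Azure-like (pinned flows):   ", failover_scenario())
    print("re-steering LB, sync on:     ", failover_scenario(rehash_existing_flows=True))
    print("re-steering LB, sync off:    ", failover_scenario(True, session_pickup=False))
```

With the modelled behaviour the established RDP flow keeps being sent to the failed member and dies, even though the survivor already holds the synced session; only the client's reconnect, which is a new 5-tuple and therefore a new flow, lands on the healthy member. The synced session only pays off for a balancer that actually moves existing flows (the second run), and then only when session-pickup is on (compare the third run). That is the gap between "sessions are synced" and "sessions survive failover" on this topology.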

RJ1 (Author)
Explorer II
October 8, 2024

The article (ID 327740) you shared explains an active-active cluster; does this also apply to active-passive?

avinash_v
Staff
October 8, 2024

It applies to both active-active and active-passive.