boneyard
Valued Contributor
November 4, 2024
Solved

diagnose sys ha session-sync-dev output unexpected

  • November 4, 2024
  • 4 replies
  • 3024 views

In an FGCP cluster I'm trying to get session sync traffic over a dedicated interface with the set session-sync-dev command, but the corresponding diagnose output seems to indicate it doesn't work.

 

fgt1 (root) # diagnose sys ha session-sync-dev
HA sessync ports: 1
dmz probe: HA probe, Standalone connected, peer_mac = 00:00:00:00:00:00
HB pkts: rx=0, tx=508298
SES pkts: rx=0, tx=0

 

This seems to indicate HB packets are sent, but none are received. Also the status remains "probe" for HA.

The cluster is connected with a direct cable, no switch or anything in between. Tried with other interfaces also (wan1, internal4, ...).

 

Does anyone have this working, with different output from that command (diagnose sys ha session-sync-dev)? What are your counters and status?


4 replies

salemneaz
Staff
November 4, 2024

Hi,

 

You are saying hatalk is not working; hatalk is the process responsible for the heartbeat. Please check the crashlog ("di de crashlog read") to see if the daemon is failing. You can restart the process with the command "fnsysctl killall hatalk". Run the following debug on both firewalls to see the process:

diag debug hatalk -1

diag debug console timestamp en

diag debug enable

 

To stop the debug, use the commands given below:

 

diag debug disable

diag debug reset

 

Article Reference:

---------------------------------------

https://community.fortinet.com/t5/FortiClient/Technical-Tip-Collecting-information-for-HA-issues/ta-p/193683

salemneaz
Staff
November 4, 2024
boneyard (Author)
Valued Contributor
November 5, 2024

That is FGSP related, I'm asking about FGCP.

salemneaz
Staff
November 6, 2024

..

salemneaz
Staff
November 6, 2024

Use the following configuration to create a data interface LAG. The members of the LAG can be any data interfaces that can be added to LAGs as supported by your FortiGate model.

config system interface
    edit HA-session-lag
        set type aggregate
        set member port13 port14 port15 port16
        set lacp-mode static
    end

 

Note:

-------------------

You can only use a static mode LAG as the hardware session synchronization interface (lacp-mode must be set to static).

Use the following command to set the LAG as the FGCP HA hardware session synchronization interface.

config system ha
    set session-pickup enable
    set hw-session-sync-dev HA-session-lag
end

 

See if this solves your problem:

https://docs.fortinet.com/document/fortigate/7.6.0/hyperscale-firewall-guide/232377

boneyard (Author)
Valued Contributor
November 6, 2024

Thank you.

 

First time I have seen hw-session-sync-dev mentioned. It seems to be a hyperscale firewall feature and this system isn't licensed for that. The option doesn't exist in the system ha settings.

boneyard (Author, Answer)
Valued Contributor
February 16, 2025

In the end it seemed to be a FortiGate 60E issue; it worked fine on other models, with output like below.

diagnose sys ha session-sync-dev
HA sessync ports: 2
<portX> probe: HA connected, Standalone probe, peer_mac = 00:00:00:00:00:00
        HB pkts: rx=55, tx=57
        SES pkts: rx=0, tx=0
<portY> probe: HA connected, Standalone probe, peer_mac = 00:00:00:00:00:00
        HB pkts: rx=57, tx=56
        SES pkts: rx=0, tx=1
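The two outputs in this thread (the failing 60E in the original post, with HB rx=0 and the HA state stuck in "probe", and the working cluster in the accepted answer, with "HA connected" and heartbeats counted in both directions) are enough to write a small checker for the command. The script below is an added example, not code from the thread or from Fortinet: it parses diagnose sys ha session-sync-dev output into per-port records and classifies each session-sync interface. The samples are copied from the thread; the health rules (healthy = "HA connected" with HB rx and tx both non-zero, "peer-not-seen" = HB transmitted but none received) are this script's reading of those two outputs, not a documented FortiOS contract, and other FortiOS versions may print the fields differently.

```python
"""Parse and sanity-check `diagnose sys ha session-sync-dev` output.

Constructed example, not code from the forum thread or from Fortinet.
The health verdicts encode the pattern seen in the thread's two outputs
and are an assumption, not a documented FortiOS semantic.
"""
import re
from dataclasses import dataclass

# Sample 1: the original poster's failing FortiGate 60E (copied from the thread).
FAILING_OUTPUT = """\
HA sessync ports: 1
dmz probe: HA probe, Standalone connected, peer_mac = 00:00:00:00:00:00
HB pkts: rx=0, tx=508298
SES pkts: rx=0, tx=0
"""

# Sample 2: the working output from the accepted answer (copied from the thread).
WORKING_OUTPUT = """\
diagnose sys ha session-sync-dev
HA sessync ports: 2
<portX> probe: HA connected, Standalone probe, peer_mac = 00:00:00:00:00:00
        HB pkts: rx=55, tx=57
        SES pkts: rx=0, tx=0
<portY> probe: HA connected, Standalone probe, peer_mac = 00:00:00:00:00:00
        HB pkts: rx=57, tx=56
        SES pkts: rx=0, tx=1
"""

_PORTS_RE = re.compile(r"^HA sessync ports:\s*(\d+)$")
_PROBE_RE = re.compile(
    r"^(?P<iface>\S+) probe: HA (?P<ha>\w+), Standalone (?P<sa>\w+), "
    r"peer_mac = (?P<mac>[0-9A-Fa-f:]+)$"
)
_HB_RE = re.compile(r"^HB pkts: rx=(?P<rx>\d+), tx=(?P<tx>\d+)$")
_SES_RE = re.compile(r"^SES pkts: rx=(?P<rx>\d+), tx=(?P<tx>\d+)$")


@dataclass
class SyncPort:
    iface: str
    ha_state: str          # "probe" or "connected" in the thread's samples
    standalone_state: str
    peer_mac: str
    hb_rx: int = 0
    hb_tx: int = 0
    ses_rx: int = 0
    ses_tx: int = 0

    def verdict(self) -> str:
        """Assumed rules, derived from the two outputs in the thread:
        a healthy link shows 'HA connected' with heartbeats flowing both
        ways; the broken 60E link sends heartbeats, receives none and
        stays in 'HA probe'."""
        if self.ha_state == "connected" and self.hb_rx > 0 and self.hb_tx > 0:
            return "ok"
        if self.hb_tx > 0 and self.hb_rx == 0:
            return "peer-not-seen"   # we transmit, nothing comes back
        if self.hb_tx == 0 and self.hb_rx == 0:
            return "no-heartbeat"    # nothing leaves this port at all
        return "degraded"


def parse_session_sync_dev(text: str) -> tuple[int, list[SyncPort]]:
    """Return (declared port count, parsed per-port records).

    Raises ValueError on an unrecognised line or when the header's port
    count disagrees with the number of port blocks actually parsed."""
    declared = 0
    ports: list[SyncPort] = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines and an echoed command/prompt line.
        if not line or line.endswith("diagnose sys ha session-sync-dev"):
            continue
        if m := _PORTS_RE.match(line):
            declared = int(m.group(1))
        elif m := _PROBE_RE.match(line):
            ports.append(SyncPort(m["iface"], m["ha"], m["sa"], m["mac"]))
        elif m := _HB_RE.match(line):
            if not ports:
                raise ValueError(f"HB line before any port line: {line!r}")
            ports[-1].hb_rx, ports[-1].hb_tx = int(m["rx"]), int(m["tx"])
        elif m := _SES_RE.match(line):
            if not ports:
                raise ValueError(f"SES line before any port line: {line!r}")
            ports[-1].ses_rx, ports[-1].ses_tx = int(m["rx"]), int(m["tx"])
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    if declared != len(ports):
        raise ValueError(f"header says {declared} ports, parsed {len(ports)}")
    return declared, ports


def check(text: str) -> dict[str, str]:
    """Map each session-sync interface name to its verdict."""
    _, ports = parse_session_sync_dev(text)
    return {p.iface: p.verdict() for p in ports}


if __name__ == "__main__":
    for label, sample in (("failing 60E", FAILING_OUTPUT), ("working", WORKING_OUTPUT)):
        print(label, check(sample))
```

Run it on a pasted capture of the command from each cluster member; a port that comes back "peer-not-seen" while the HB tx counter keeps climbing is the situation in the original post, and the next thing to compare is the same command on the other unit, since both sides should be transmitting before anything is received.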