massive627
New Member
October 11, 2024
Solved

FGSP and VRRP routing issue


I'm testing FGSP and VRRP using FortiGate VMs. The topology is as follows:

FirewallA (VRRP Master)--------L2VPN--------FirewallB (VRRP Backup)

There are 3 servers:

Server A connects to Firewall A

Server B connects to Firewall B

Server C is in the VRRP domain and will reside in either Firewall

The issue I've observed is when Server C tries to connect to Server B, it fails and the debug flow shows a reverse check failure. I am not sure why this is happening with FGSP enabled, as all other traffic syncs across fine. However, Server B is able to connect to Server C.

When I make Firewall B the VRRP master, Server C can connect to Server B, but then loses access to Server A. It seems like FGSP isn't syncing traffic that's directly connected to the FortiGate that is acting as VRRP backup. All other asymmetric transit traffic FGSP handles fine.

 

Best answer by massive627

Hi Atul,

Using a policy route to direct traffic for Server B fixes the issue. Using a policy route isn't ideal as I'd like the FortiGate to use the BGP routes for resiliency. Is this particular issue resolved on newer firmware versions?

Atul_S
Staff & Editor
October 11, 2024

Hi,

Since FGSP excludes UDP and ICMP (connectionless) session synchronization, including expectation sessions, please use the guides below to help optimise FGSP:

https://docs.fortinet.com/document/fortigate/6.4.0/ports-and-protocols/796662/fgsp-fortigate-session-life-support-protocol

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/018108/optimizing-fgsp-session-synchronization-and-redundancy

Check if configuring the policy route helps in this situation. I agree with your suspicion that, the directly connected host being local, its associated sessions are not synced across in this situation.

Thanks,

massive627
New Member
October 11, 2024

Hello,

Yes, I have this enabled as well. See config below.

FortiGate-VM64-KVM # show system ha
config system ha
set session-pickup enable
set session-pickup-connectionless enable
set session-pickup-expectation enable
set override disable
end

I will try a policy route and see if that works. As a test I enabled asymmetric routing and the servers started responding. So it's a bit strange that FGSP isn't doing that.