Dim21
New Member
February 17, 2026
Question

Fortinet Azure Active-Active Topology


Hello,

Recently, we've been assigned a PoC for one of our customers, which is a financial institution.

We've set up a hub & spoke topology with 2 Fortinet VMs in an Active-Active scenario and External & Internal Load Balancers.

Our main concern and issue is that when, for example, vm01 on the spoke01 vnet communicates with vm01 on spoke02 via fgt-1 and I perform a reboot on this specific firewall, the RDP or SSH session is lost.
Is there any solution or workaround where, in situations like these, the TCP sessions are smoothly transferred to the next Fortinet?

Regards

3 replies

AEK
SuperUser
February 17, 2026

Hi Dim

Did you configure session pickup in the HA config?

AEK
Dim21
Author
New Member
February 17, 2026

Hello @AEK 

I've configured 

set session-pickup enable

Dim21
Author
New Member
February 17, 2026

Hello,

FYI, this is the config:

config system ha
    set session-pickup enable
    set session-pickup-connectionless enable
    set session-pickup-nat enable
    set session-pickup-expectation enable
    set override disable
end

Also, for east-west traffic we do not perform any s-nat on the firewalls' port2 interface.

Regards

 

AEK
SuperUser
March 2, 2026

Hello

There "may" be some limitations in A-A mode compared to A-P mode when it comes to failover.

As part of troubleshooting (and exploration), temporarily change the related firewall policy and unset all security profiles in it, and also use flow-based instead of proxy-based inspection, then check if the failover preserves the RDP and SSH sessions.

This is just for testing; you can then roll back the change once tested.

AEK
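
One way to measure the failover test discussed in this thread objectively, as an added example that is not part of the original posts: a probe that holds a single TCP connection between the two spoke VMs and reports whether it survived and how long the worst stall was. The function names, the port, the timings and the `drop_after` knob are assumptions made for this sketch.

```python
import socket, threading, time

def echo_server(host="127.0.0.1", port=0, drop_after=None):
    """Echo server for the far-side VM; returns the bound port.
    drop_after is a constructed knob: close after N echoes to mimic a lost session."""
    srv = socket.create_server((host, port))
    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            echoed = 0
            while (data := conn.recv(64)):
                if drop_after is not None and echoed >= drop_after:
                    return  # simulate the session being torn down mid-test
                conn.sendall(data)
                echoed += 1
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def probe(host, port, beats=10, interval=0.5, timeout=3.0):
    """Send heartbeats over ONE TCP connection (never reconnect) and report
    whether the session survived plus the longest heartbeat round trip."""
    result = {"sent": 0, "acked": 0, "max_rtt": 0.0, "survived": True, "error": None}
    with socket.create_connection((host, port), timeout=timeout) as s:
        for i in range(beats):
            msg = f"hb-{i:06d}\n".encode()
            t0 = time.monotonic()
            try:
                s.sendall(msg)
                result["sent"] += 1
                buf = b""
                while len(buf) < len(msg):
                    chunk = s.recv(64)
                    if not chunk:
                        raise ConnectionError("peer closed the session")
                    buf += chunk
            except OSError as exc:  # reset, timeout or close all mean the session was lost
                result["survived"], result["error"] = False, type(exc).__name__
                break
            result["acked"] += 1
            result["max_rtt"] = max(result["max_rtt"], time.monotonic() - t0)
            time.sleep(interval)
    return result

if __name__ == "__main__":
    port = echo_server()  # loopback demo; in the PoC the server runs on the other spoke VM
    print(probe("127.0.0.1", port, beats=5, interval=0.2))
```

Start the probe, reboot the firewall while it is running, and compare results with and without the policy changes: a surviving session shows `survived: True` with a spike in `max_rtt` (TCP retransmission covering the switchover), while a lost session shows a reset or timeout in `error`.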