bibnet
New Member
November 22, 2023
Solved

SD-WAN load balancing breaks sessions

  • November 22, 2023
  • 3 replies
  • 8190 views

Hi,

we use a FortiGate 7.4.1 with two independent ISP connections.

With hundreds of students surfing, our bandwidth very often runs into limitations.

To prioritize the various traffic I have tried SD-WAN rules to one or the other ISP line.

If I simply try to spread traffic between the two interfaces by "Best Quality" or "Lowest cost (SLA)", both ways work fine by directing new traffic to the interface with the best SLA.

The problem is, sessions are interrupted when a switch between the interfaces occurs.

I already tried the option "preserve-session-route enable" on our WAN interfaces but this didn't change anything.

Any help appreciated.

 

    Best answer by xshkurti

    3 replies

    xshkurti
    Answer
    Staff
    November 22, 2023

    @bibnet

    You can try a couple of settings here.

    1. Enable aux sessions

    config system settings
        set auxiliary-session enable
    end

    2. Change the firewall policy to not re-evaluate sessions after a route change

    config system settings
        set firewall-session-dirty check-new
    end

    Please try one of the above, or both of them, and test.

    Regards,

    saneeshpv_FTNT
    Staff
    November 22, 2023

    Hi @bibnet

    In addition to what @xshkurti mentioned, you need to see whether SNAT is performed on the interface level for each ISP on the FortiGate firewall or not.

    If SNAT is in use, session failover between Internet accesses is possible only if the same "public IP range" is used to NAT traffic via all ISPs (BGP/dynamic routing peering needed).

    https://community.fortinet.com/t5/FortiGate/Technical-Note-Routing-Change-and-Session-Fail-over-with-SD-WAN/ta-p/198076

    Regards,
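The two staff replies above describe the same mechanism from two sides: a route change either re-evaluates existing sessions (the `firewall-session-dirty` default) or leaves them on their current path (`check-new`), and a re-routed session only survives if its SNAT address is still valid on the new ISP. The following toy model, added here as an illustration and not code from FortiGate or from anyone in this thread, walks through those cases. Interface names (wan1/wan2), the public addresses and the client/server addresses are constructed from the RFC 5737 documentation ranges; the model does not reproduce FortiOS internals, only the outcome each mode implies for a session table.

```python
"""Toy model of why SD-WAN route changes break SNAT'd sessions.

Added example, not FortiGate code. The two modes modelled correspond to
the 'firewall-session-dirty' values named in the thread:
  check-all : every session on the old path is re-routed on a route change
  check-new : existing sessions keep their path; only new sessions move
All names and addresses below are constructed for illustration.
"""
from dataclasses import dataclass, replace


@dataclass
class Isp:
    name: str        # egress interface (constructed, e.g. wan1)
    snat_ip: str     # public address used for source NAT on this ISP
    up: bool = True  # whether the link is still usable


@dataclass
class Session:
    client: str
    server: str
    egress: str
    snat_ip: str
    alive: bool = True


def open_session(client: str, server: str, isp: Isp) -> Session:
    """A new outbound session is NATed behind the chosen ISP's public address."""
    return Session(client, server, isp.name, isp.snat_ip)


def route_change(sessions: list[Session], old: Isp, new: Isp, mode: str) -> list[Session]:
    """Return the session table after SD-WAN prefers `new` over `old`."""
    out = []
    for s in sessions:
        if s.egress != old.name:
            out.append(s)            # not affected by this route change
            continue
        if mode == "check-new":
            # Session keeps its current path; it only dies if that link is gone.
            out.append(replace(s, alive=old.up))
        elif mode == "check-all":
            # Session is re-routed. If the SNAT address changes, the remote
            # server no longer recognises the 5-tuple and the TCP session breaks.
            snat_changed = s.snat_ip != new.snat_ip
            out.append(replace(s, egress=new.name, snat_ip=new.snat_ip,
                               alive=not snat_changed))
        else:
            raise ValueError(f"unknown mode {mode!r}")
    return out


def survivors(sessions: list[Session]) -> int:
    return sum(1 for s in sessions if s.alive)


def scenario(mode: str, shared_range: bool, old_link_up: bool = True) -> tuple[int, int]:
    """Open four sessions on wan1, move traffic to wan2, return (alive, total).

    shared_range=True models the case in the thread where the same public
    range is reachable via both ISPs (BGP/dynamic routing peering).
    """
    wan1 = Isp("wan1", "203.0.113.10", up=old_link_up)
    wan2 = Isp("wan2", "203.0.113.10" if shared_range else "198.51.100.10")
    sessions = [open_session(f"10.0.0.{i}", "192.0.2.80", wan1) for i in range(1, 5)]
    after = route_change(sessions, wan1, wan2, mode)
    return survivors(after), len(after)


if __name__ == "__main__":
    for mode, shared, up in [("check-all", False, True), ("check-new", False, True),
                             ("check-all", True, True), ("check-new", False, False),
                             ("check-all", True, False)]:
        alive, total = scenario(mode, shared, up)
        print(f"{mode:9} shared_range={shared!s:5} old_link_up={up!s:5} -> {alive}/{total} sessions survive")
```

Reading the output: with per-ISP public addresses, `check-all` kills every session the moment the preferred path changes, which is the behaviour in the question; `check-new` keeps them alive as long as the old link stays up, but cannot help on a real link failure; only a shared public range makes a re-routed session survive in both cases.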

    bibnet
    Author
    New Member
    November 22, 2023

    Hi @saneeshpv_FTNT

    Sorry for my limited knowledge.
    What does SNAT on the interface level mean?

    Our firewall is configured in NAT mode; on the interface level I don't see a NATing option.

    Any outbound traffic is NATed in the corresponding policy.

    sjoshi
    Staff
    November 22, 2023

    Hi @bibnet,

    You can also have a look at the article below, along with the preserve-session-route enable setting:

    https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-SNAT-route-change-to-update-existing-NAT/ta-p/198439

    bibnet
    Author
    New Member
    November 22, 2023

    Hi @sjoshi,

    thanks for your tip.

    Currently my head is smoking and I try to understand all the advice. ;)

    The broken sessions were all outbound, none over IPsec tunnels between our branch sites.

    I don't know if this fits my problem.

    sw2090
    New Member
    November 23, 2023

    Interesting. We encounter similar behaviour even in 7.0.x. It had not happened in 6.4.x.

    Currently the only workarounds seem to be to not do load balancing at all (i.e. manual device selection) and just use it as fallback, or to create an SD-WAN rule for affected sites that is set to manual device selection for those.

    I've already had tickets open with TAC, but up to now there is neither a solution nor a fix for that.

    However, the thread mentions some options that not even TAC told me about. So I might give those a try.