Description
This article describes how to know which session is in sync with a secondary FortiGate.
Scope
FortiGate.
Solution
It is assumed that an HA cluster of FortiGates is being used, and that session-pickup is enabled:
config sys ha
set session-pickup enable
end
Synced sessions carry the 'synced' flag. The command 'diagnose system session list' shows the sessions on a cluster member together with their flags.
The number of synced sessions on each member can be counted as follows, first on the primary and then on the secondary after switching to it with 'exec ha manage 1':
diagnose system session list | grep synced -c
exec ha manage 1
diagnose system session list | grep syn_ses -c
- This number may differ because not all sessions are synced. With session-pickup disabled (the default), no sessions are synced.
- If session-pickup is enabled, only TCP and IPsec sessions are synced (with exceptions given in the 'Session failover not supported for all sessions' section of the 'FortiOS Handbook - High Availability').
- Fortinet FGSP (FortiGate Session Life Support Protocol) synchronizes sessions between two FortiGate devices for seamless failover, primarily for stateful protocols such as TCP.
- ICMP and UDP are connectionless protocols that do not establish persistent sessions, so they are not synchronized by default; for traffic that depends on them, this can cause connectivity disruptions during a failover.
- To have these protocols synchronized as well, the synchronization of connectionless sessions must be explicitly enabled in the FGSP configuration, which keeps network behavior consistent across a failover and reduces downtime for applications relying on ICMP and UDP traffic.
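As an added example (not from the original article), the following Python script breaks the 'grep synced -c' count down per protocol, which shows directly why TCP sessions are counted while UDP and ICMP ones are not. The session list output is a constructed, abridged sample assumed to follow the FortiOS 'diagnose system session list' layout ('session info: proto=...' followed by a 'state=' flag line); the 'synced' and 'syn_ses' flags are those used in the commands above.

```python
import re

# Constructed sample output, abridged to the two line types this parser
# reads. Field layout is assumed to follow FortiOS conventions:
# proto=6 is TCP, 17 is UDP, 1 is ICMP.
SAMPLE_PRIMARY = """\
session info: proto=6 proto_state=01 duration=12 expire=3588 timeout=3600 use=3
state=log may_dirty synced
session info: proto=17 proto_state=00 duration=3 expire=177 timeout=180 use=3
state=log may_dirty
session info: proto=1 proto_state=00 duration=1 expire=59 timeout=60 use=3
state=log may_dirty
session info: proto=6 proto_state=01 duration=40 expire=3560 timeout=3600 use=3
state=log may_dirty synced
total session 4
"""

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
# The primary marks synced sessions 'synced'; the secondary marks them 'syn_ses'.
SYNC_FLAGS = {"synced", "syn_ses"}


def parse_sessions(text):
    """Return a list of (proto, is_synced) tuples, one per session block."""
    sessions = []
    proto = None
    for line in text.splitlines():
        m = re.match(r"session info: proto=(\d+)", line)
        if m:
            proto = int(m.group(1))
            continue
        if line.startswith("state=") and proto is not None:
            flags = set(line[len("state="):].split())
            sessions.append((proto, bool(flags & SYNC_FLAGS)))
            proto = None
    return sessions


def sync_report(text):
    """Map protocol name -> (total sessions, synced sessions)."""
    report = {}
    for proto, synced in parse_sessions(text):
        name = PROTO_NAMES.get(proto, f"proto{proto}")
        total, syn = report.get(name, (0, 0))
        report[name] = (total + 1, syn + int(synced))
    return report


if __name__ == "__main__":
    for name, (total, syn) in sorted(sync_report(SAMPLE_PRIMARY).items()):
        print(f"{name:5} total={total} synced={syn}")
```

Feeding the script the real output of both members (captured from the primary and from the secondary after 'exec ha manage 1') gives the per-protocol view behind the two counts.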