aabukhshim
Staff
Article Id 253597
Description: This article explains a possible root cause of FGSP (FortiGate Session Life Support Protocol) asymmetric traffic drops caused by session synchronization latency.
Scope: FortiOS.
Solution

Background: 

FGSP supports asymmetric traffic, including cases where the TCP 3-way handshake is split between two FGSP members. For example, if FGT-A receives the TCP SYN from the internal network and the TCP SYN/ACK arrives at FGT-B before the session created on FGT-A has been synchronized to FGT-B, FGT-B drops the SYN/ACK by default.


The cause of this issue is that sessions are not synchronized quickly enough because of latency on the FGSP session synchronization link or on its route.

 

Troubleshooting:  

Use the sniffer, the debug flow, and the session list (with filters) to confirm the issue.

 

Important FGSP session state:

On session creation, the FGSP member that receives the first packet creates the session. Once the session has been synchronized to the other FGSP member, the creating member shows the synced flag in the session state, and the other FGSP member shows the syn_ses flag in the session state.

 

Debug flow:  

In the debug flow output, if the session has not been synchronized, or has not been synchronized quickly enough, the trace shows msg="no session matched" for the packet that arrives on the second member.
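As an added example (not part of the original article), the FortiOS CLI commands below carry out the three checks just described on an FGSP member. The client address 10.1.1.10, the server 203.0.113.20 and port 443 are constructed sample values; substitute the addresses of the flow being investigated.

```fortios
# Added example, not from the original article. Sample addresses are constructed:
#   10.1.1.10     = internal client (sends the SYN, seen by FGT-A)
#   203.0.113.20  = external server (its SYN/ACK arrives at FGT-B)

# 1. Sniffer: run on BOTH FGSP members to see which member receives the SYN and
#    which receives the SYN/ACK. Verbose level 4 prints interface names,
#    0 = no packet-count limit, l = local timestamps.
diagnose sniffer packet any 'host 203.0.113.20 and port 443' 4 0 l

# 2. Debug flow on the member that receives the SYN/ACK (FGT-B in the article).
#    A trace line containing msg="no session matched" for the SYN/ACK confirms
#    that FGT-A's session had not yet been synchronized when the packet arrived.
diagnose debug reset
diagnose debug flow filter addr 203.0.113.20
diagnose debug flow filter port 443
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug flow trace start 100
diagnose debug enable

# ... reproduce the connection, then stop tracing and clear the filter:
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear

# 3. Session list with a filter, on both members. On the member that created
#    the session the state line carries the "synced" flag once sync completed;
#    on the peer it carries "syn_ses". A session present on FGT-A without
#    "synced" while FGT-B has no matching session is the latency signature
#    the article describes.
diagnose sys session filter clear
diagnose sys session filter src 10.1.1.10
diagnose sys session filter dport 443
diagnose sys session list
```

Run the sniffer and session-list steps on both members at the same time so that the timestamps can be compared; the gap between the SYN/ACK arriving at FGT-B and the session appearing there with the syn_ses flag is the synchronization latency that causes the drop.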

 

Solution: 

It is highly recommended that FGSP links be fast and reliable, or that the affected traffic be made symmetric. If that is not possible, configure the FortiGate to allow TCP traffic even when the first TCP SYN packet has not been seen, using the commands below on the matching policy.

 

config system settings
    set tcp-session-without-syn enable
end

<----- Must be enabled here first; then go to the firewall policy.

config firewall policy
    edit {id}
        set tcp-session-without-syn all
    next
end

 

Note:

Enabling TCP sessions without SYN on a firewall can also introduce security risks, so this technique should only be used when it is necessary.