Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
tana
Staff
Staff

Created on ‎11-15-2023 09:56 PM Edited on ‎03-25-2025 12:06 AM By Community Manager

Article Id 284550

Technical Tip: FGSP synced session not visible in other FGCP clusters

Description

This article discusses the problem when the session is not visible to other FGSP members:

 

On FGTA, the state of the session showed 'synced':

 

FGTA # diagnose sys session filter dst 23.50.89.168
FGTA # diagnose sys session list

session info: proto=6 proto_state=01 duration=118 expire=3590 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=1:0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty npu synced f00
statistic(bytes/packets/allow_err): org=112527/484/1 reply=778511/633/1 tuples=2
tx speed(Bps/kbps): 953/7 rx speed(Bps/kbps): 6594/52
orgin->sink: org pre->post, reply pre->post dev=11->59/59->11 gwy=103.1.138.218/0.0.0.0
hook=post dir=org act=snat 192.168.80.2:58630->23.50.89.168:443(103.1.139.137:58630)
hook=pre dir=reply act=dnat 23.50.89.168:443->103.1.139.137:58630(192.168.80.2:58630)
pos/(before,after) 0/(0,0), 0/(0,0)
dst_mac=xx:yy:zz:xx:yy:zz
misc=0 policy_id=10 pol_uuid_idx=24021 auth_info=0 chk_client_info=0 vd=0
serial=00007dfe tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x4000c00 ofld-O ofld-R
npu info: flag=0x81/0x81, offload=9/9, ips_offload=0/0, epid=183/130, ipid=130/183, vlan=0x0000/0x0320
vlifid=130/183, vtag_in=0x0000/0x0320 in_npu=1/2, out_npu=1/2, fwd_en=0/0, qid=9/1
total session 1


On FGTB, the same session is not found:

 

FGTB # diagnose sys session filter dst 23.50.89.168
FGTB # diagnose sys session list
total session 0


This is due to both FortiGates having different outgoing interface names, VLAN IDs, and interface indexes:

 

FGTA outgoing interface settings :

edit "VLAN-800"
    set vdom "root"
    set ip 10.10.80.1 255.255.255.252
    set allowaccess ping
    set device-identification enable
    set role wan
    set snmp-index 53
    set secondary-IP enable
    set interface "LAG-LACP-1"
    set vlanid 800
next
end

 

FGTB outgoing interface settings :

edit "VLAN-1800"
    set vdom "root"
    set ip 10.10.180.1 255.255.255.252
    set allowaccess ping
    set device-identification enable
    set role wan
    set snmp-index 53
    set interface "LAG-LACP-1"
    set vlanid 1800
next
end
Scope FortiGate v6.4 and v7.0.
Solution

Set the FGTB interface name to be the same as FGTA:

 

edit "VLAN-800"
    set vdom "root"
    set ip 10.10.180.1 255.255.255.252
    set allowaccess ping
    set device-identification enable
    set role wan
    set snmp-index 53
    set interface "LAG-LACP-1"
    set vlanid 1800
next
end

 

The names of the VDOMs and any VLANs and LAGs or other interfaces added must be the same on both clusters, even though network addresses will be different.


VLAN IDs can be different in each cluster as long as the names of the VLAN interfaces are the same.

Interface indexes (not the SNMP indexes) must be the same too, otherwise, sessions will not be synchronized properly.  Interface indexes can be checked by the command:

 

diagnose netlink interface list
Labels:
599
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.