Description
This article describes an example of a simple TCP 3-way handshake in an HA Active-Active cluster, where packets are distributed between the primary and secondary FortiGate.
The diagram below illustrates the packet flow between the client and the server through 2 FortiGate devices in the cluster:
Scope
All supported versions of FortiOS.
Solution
Detailed sequence:
- A SYN sent by the client arrives at the primary Internal interface; its destination is the internal Virtual MAC address (V_MAC_Inter).
- The SYN is redistributed to the secondary Internal interface. The source MAC is the primary Internal physical MAC address (Phy_MAC_inter) and the destination MAC is the secondary Internal physical MAC address (Phy_MAC_Inter).
- The SYN is forwarded from the secondary Internal interface to its External interface, then to the external switch connected to the server.
- The SYN/ACK is sent from the server to the primary External interface.
- The SYN/ACK is redistributed to the secondary (the source MAC address is the primary virtual MAC address (Phy_MAC_external) and the destination MAC address is the secondary external physical MAC (Phy_MAC_Exter)).
- The SYN/ACK is forwarded from the secondary External interface to its Internal interface, toward the internal switch and the client.
- The ACK is sent from the client to the primary Internal interface.
- The ACK is redistributed to the secondary.
- The ACK is forwarded from the secondary Internal interface to its External interface, toward the external switch and the server.
- The TCP 3-way handshake completes.
Note: The client and server do not know about the existence of the secondary FortiGate.
The ARP tables of the client and the server both point to a Virtual MAC address (the internal and external VMAC, respectively), never to a physical MAC of either cluster member.
In the event of a failover, FGT2 becomes the primary and will broadcast its VMAC address out to the Switches 1 and 2, which will update their MAC forwarding table. ARP entries on both client and server remain the same.
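The flow above can be checked against a sniffer capture: on the client- and server-facing segments only virtual MACs may appear (otherwise the ARP caches would hold a physical MAC that stops answering after a failover), while the primary-to-secondary redistribution uses physical MACs, and each TCP step shows up as ingress, redistribution, egress. The following is an added example, not Fortinet code; the MAC values, the segment names and the assumption that the secondary sends toward the client and server with the virtual MAC as source are mine.

```python
from dataclasses import dataclass

# Constructed placeholder MACs; names follow the article, values are made up.
V_MAC_INTER, V_MAC_EXTER = "00:09:0f:09:00:01", "00:09:0f:09:00:02"
PHY_MAC_INTER_P, PHY_MAC_EXTER_P = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02"
PHY_MAC_INTER_S, PHY_MAC_EXTER_S = "bb:bb:bb:00:00:01", "bb:bb:bb:00:00:02"
CLIENT_MAC, SERVER_MAC = "cc:cc:cc:00:00:01", "dd:dd:dd:00:00:01"
PHYSICAL = {PHY_MAC_INTER_P, PHY_MAC_EXTER_P, PHY_MAC_INTER_S, PHY_MAC_EXTER_S}

@dataclass(frozen=True)
class Frame:
    segment: str  # "internal" (client side), "external" (server side) or "redistribute"
    src: str
    dst: str
    flags: str    # "SYN", "SYN/ACK" or "ACK"

def check_aa_handshake(frames):
    """Return violations (empty list = OK): client/server segments carry only
    virtual MACs, primary-to-secondary redistribution uses physical MACs, and
    each step appears as ingress, redistribution, egress in SYN/SYN-ACK/ACK order."""
    problems = []
    for i, f in enumerate(frames):
        if f.segment == "redistribute":
            if f.src not in PHYSICAL or f.dst not in PHYSICAL:
                problems.append(f"frame {i}: redistribution must use physical MACs")
        elif f.src in PHYSICAL or f.dst in PHYSICAL:
            # A physical MAC here would end up in the client/server ARP cache
            # and break the transparent failover described in the article.
            problems.append(f"frame {i}: physical MAC leaked on {f.segment} segment")
    if [f.flags for f in frames] != ["SYN"] * 3 + ["SYN/ACK"] * 3 + ["ACK"] * 3:
        problems.append("TCP flag sequence does not match a distributed 3-way handshake")
    hops = ["internal", "redistribute", "external"]
    if [f.segment for f in frames] != hops + hops[::-1] + hops:
        problems.append("segment order does not match ingress/redistribute/egress per step")
    return problems

def good_capture():
    """Constructed capture of the article's sequence (assumes the secondary
    sends toward client/server with the virtual MAC as source)."""
    return [
        Frame("internal", CLIENT_MAC, V_MAC_INTER, "SYN"),
        Frame("redistribute", PHY_MAC_INTER_P, PHY_MAC_INTER_S, "SYN"),
        Frame("external", V_MAC_EXTER, SERVER_MAC, "SYN"),
        Frame("external", SERVER_MAC, V_MAC_EXTER, "SYN/ACK"),
        Frame("redistribute", PHY_MAC_EXTER_P, PHY_MAC_EXTER_S, "SYN/ACK"),
        Frame("internal", V_MAC_INTER, CLIENT_MAC, "SYN/ACK"),
        Frame("internal", CLIENT_MAC, V_MAC_INTER, "ACK"),
        Frame("redistribute", PHY_MAC_INTER_P, PHY_MAC_INTER_S, "ACK"),
        Frame("external", V_MAC_EXTER, SERVER_MAC, "ACK"),
    ]
```

Replacing one frame's source with a secondary physical MAC reproduces the failure case the note above warns about: the check reports the leak while the handshake itself still looks complete.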
Related document:
NAT mode A-A packet flow - FortiGate 6.0.0 documentation.