Description
This article describes redundancy options for session synchronization in an FGSP cluster.
Solution
To configure an FGSP cluster between two FortiGate units, turn on session synchronization with the following options:
# config system ha
set session-pickup enable
set session-pickup-connectionless enable
set session-pickup-expectation enable
set session-pickup-nat enable
end
Then, define the peer IP address with which to sync the session.
To provide redundancy for session synchronization, use one of the following configuration options:
1) Use an aggregate interface for session sync. This provides physical redundancy.
2) Use BGP to learn the peer IP address. The peer can then be reached through multiple paths.
3) Use multiple peerip entries that are routed over different physical interfaces.
The following example focuses on the third option:
# config system cluster-sync
edit 4
set peerip 10.57.4.137
set syncvd "root"
next
edit 6
set peerip 10.5.20.137
set syncvd "root"
next
end
With the above configuration, session sync uses peer IP 10.57.4.137. If that peer becomes unreachable, it automatically falls back to peer IP 10.5.20.137.
To check which peer is used by default, use this command:
# diagnose test application sessionsync 1
HA is not enabled
sync context:
sync-enabled=0, sync-tcp=1, sync-redir=0, sync-nat=1
sync-other=1, sync-exp=1, standalone-sync=1, mtu=0
standalone-peers=2, default-peer=10.57.4.137 in vdom=0, kernel-filters=2
To check the list of peers used, use this command:
# diagnose test application sessionsync 3
peer 201: 0.0.0.0 in vsys_ha, ha=1, num-sync-vd=0
peer 202: 0.0.0.0 in vsys_ha, ha=1, num-sync-vd=0
peer 203: 0.0.0.0 in vsys_ha, ha=1, num-sync-vd=0
peer 204: 0.0.0.0 in vsys_ha, ha=1, num-sync-vd=0
peer 4: 10.57.4.137 in root, ha=0, num-sync-vd=1
peer 6: 10.5.20.137 in root, ha=0, num-sync-vd=1
failed retries of SESYNC_PACKET_T_QUERYALL: 20
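To verify the failover state from a monitoring host, the two diagnose outputs above can be parsed for the default peer, the FGSP peers and the QUERYALL failure count. The following Python script is an added example, not Fortinet's code; the sample output is constructed from the article, the assumption that the first cluster-sync entry is the normal default peer comes from the text above, and the max_retries alerting threshold is an assumed value.

```python
import re

# Constructed sample: the "diagnose test application sessionsync 1" and
# "... sessionsync 3" output from the article, joined into one string.
SAMPLE = """\
HA is not enabled
sync context:
sync-enabled=0, sync-tcp=1, sync-redir=0, sync-nat=1
standalone-peers=2, default-peer=10.57.4.137 in vdom=0, kernel-filters=2
peer 201: 0.0.0.0 in vsys_ha, ha=1, num-sync-vd=0
peer 4: 10.57.4.137 in root, ha=0, num-sync-vd=1
peer 6: 10.5.20.137 in root, ha=0, num-sync-vd=1
failed retries of SESYNC_PACKET_T_QUERYALL: 20
"""

PEER_RE = re.compile(r"^peer (\d+): (\S+) in (\S+), ha=(\d), num-sync-vd=(\d+)")
DEFAULT_RE = re.compile(r"default-peer=(\S+) in vdom=(\d+)")
RETRY_RE = re.compile(r"failed retries of SESYNC_PACKET_T_QUERYALL: (\d+)")


def parse_sessionsync(output):
    """Extract the default peer, the FGSP peers (ha=0) and the QUERYALL failure count."""
    info = {"default_peer": None, "peers": [], "failed_retries": 0}
    for line in output.splitlines():
        m = DEFAULT_RE.search(line)
        if m:
            info["default_peer"] = m.group(1)
        m = PEER_RE.match(line)
        if m and m.group(4) == "0":  # ha=1 entries are internal vsys_ha slots, not FGSP peers
            info["peers"].append({"id": int(m.group(1)), "ip": m.group(2), "vdom": m.group(3)})
        m = RETRY_RE.search(line)
        if m:
            info["failed_retries"] = int(m.group(1))
    return info


def check_redundancy(info, max_retries=10):  # max_retries: assumed alerting threshold
    """Return findings when peerip redundancy is missing or degraded."""
    findings = []
    ips = [p["ip"] for p in info["peers"]]
    if len(ips) < 2:
        findings.append("fewer than two FGSP peers: no peerip redundancy")
    if info["default_peer"] not in ips:
        findings.append("default-peer %s is not a configured FGSP peer" % info["default_peer"])
    elif info["default_peer"] != ips[0]:
        # First cluster-sync entry is the normal default; anything else means failover to a backup peerip
        findings.append("default-peer is backup %s, primary %s unreachable?" % (info["default_peer"], ips[0]))
    if info["failed_retries"] > max_retries:
        findings.append("%d failed QUERYALL retries (threshold %d)" % (info["failed_retries"], max_retries))
    return findings
```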