Description
This article explains possible redundancy solutions for use with FGSP cluster and session sync.
Scope
Any supported version of FortiGate.
Solution
To configure an FGSP cluster between two FortiGates units, turn on session synchronization with the following configuration:
# config system ha
set session-pickup enable
set session-pickup-connectionless enable
set session-pickup-expectation enable
set session-pickup-nat enable
end
Next, define the peer IP address with which to sync the session.
To provide redundancy of session synchronization, use the following configuration options:
1) Use an aggregate interface to do session sync. This provides physical redundancy.
2) Use BGP to receive the IP address of the peer. The peer can be received through multiple path.
3) Use multiple peerip which are routed over different physical interfaces.
The following example focuses on the third option:
1) Use an aggregate interface to do session sync. This provides physical redundancy.
2) Use BGP to receive the IP address of the peer. The peer can be received through multiple path.
3) Use multiple peerip which are routed over different physical interfaces.
The following example focuses on the third option:
# config system cluster-sync
edit 4
set peerip 10.57.4.137
set syncvd "root"
next
edit 6
set peerip 10.5.20.137
set syncvd "root"
next
end
With the configuration above, session sync will use peer IP 10.57.4.137. If the peer becomes unreachable, it will automatically use peer IP 10.5.20.137.
To check which peer is used by default, run the following command (example output is attached):
To check which peer is used by default, run the following command (example output is attached):
# diagnose test application sessionsync 1
HA is not enabled
sync context:
sync-enabled=0, sync-tcp=1, sync-redir=0, sync-nat=1
sync-other=1, sync-exp=1, standalone-sync=1, mtu=0
standalone-peers=2, default-peer=10.57.4.137 in vdom=0, kernel-filters=2
HA is not enabled
sync context:
sync-enabled=0, sync-tcp=1, sync-redir=0, sync-nat=1
sync-other=1, sync-exp=1, standalone-sync=1, mtu=0
standalone-peers=2, default-peer=10.57.4.137 in vdom=0, kernel-filters=2
To check the list of peers used, use this command:
# diagnose test application sessionsync 3
peer 201: 0.0.0.0 in vsys_ha, ha=1, num-sync-vd=0
peer 202: 0.0.0.0 in vsys_ha, ha=1, num-sync-vd=0
peer 203: 0.0.0.0 in vsys_ha, ha=1, num-sync-vd=0
peer 204: 0.0.0.0 in vsys_ha, ha=1, num-sync-vd=0
peer 4: 10.57.4.137 in root, ha=0, num-sync-vd=1
peer 6: 10.5.20.137 in root, ha=0, num-sync-vd=1
failed retries of SESYNC_PACKET_T_QUERYALL: 20
Starting FortiOS 6.4.10 group-member-id is introduced to identify peers members. This value must be unique in every cluster members or following error message will appear:
# diagnose debug application sessionsync -1
[pid-567 standalone_process_heartbeat()-424] Duplicated member-id from peer 10.64.116.26 is detected! Please configure different member-id for each peer.
Refer to the following community article for more information:
