FortiGate
mrashidi
Staff
Article Id 346885
Description

This article describes how to configure the HA settings of an Active-Passive HA cluster deployed in a Load Balancer sandwich so that, when a failover happens, traffic through the IPSec tunnel is not dropped and is taken over by the new primary FortiGate.

Scope

FortiGate-VM in Azure.

Solution

If the HA cluster was configured using the Fortinet automation code or by following the Administration Guide, 'session-pickup-connectionless' may be enabled.

This setting causes the cluster units to synchronize UDP and ICMP sessions so that, if a failover happens, this traffic is maintained.

For more details, see the following Admin Guide:

Session pickup | FortiGate / FortiOS 7.6.0 | Fortinet Document Library

In an Active-Passive HA cluster with a Load Balancer sandwich that also has one or more IPSec tunnels, when a failover occurs the traffic through the tunnels is dropped and is not taken over by the new primary FortiGate.

To fix this, disable 'session-pickup-connectionless'. The IPSec tunnel is then restarted after the failover and the tunnel traffic is processed by the new primary node:

config system ha
    set session-pickup-connectionless disable
end
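
As an added example (not Fortinet's code or part of this article), the following Python audits a FortiOS configuration backup for the combination described above (A-P HA, IPSec tunnels present, 'session-pickup-connectionless' enabled) and applies the fix to the config text; the sample configuration, tunnel name and addresses are constructed.

```python
import re

# Constructed sample FortiOS config (not from the article): A-P HA, connectionless pickup on, one IPsec tunnel.
SAMPLE_CONFIG = """\
config system ha
    set mode a-p
    set session-pickup enable
    set session-pickup-connectionless enable
end
config vpn ipsec phase1-interface
    edit "to-onprem"
        set interface "port1"
        set remote-gw 203.0.113.10
    next
end
"""

def parse_fortios(text):
    """Map each config/edit path (e.g. 'system ha') to its 'set key value' pairs."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line.startswith("edit "):
            stack.append(line[len("edit "):].strip('"'))
        elif line in ("next", "end") and stack:
            stack.pop()
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            sections.setdefault(" / ".join(stack), {})[key] = value.strip().strip('"')
    return sections

def has_ipsec_tunnels(sections):
    """True when at least one phase1-interface entry exists in the parsed config."""
    return any(path.startswith("vpn ipsec phase1-interface / ") for path in sections)

def audit_ha_failover(text):
    """Findings for the article's condition (A-P HA + IPsec + connectionless pickup on)."""
    sections = parse_fortios(text)
    ha = sections.get("system ha", {})
    if (ha.get("mode") == "a-p" and has_ipsec_tunnels(sections)
            and ha.get("session-pickup-connectionless") == "enable"):
        return ["session-pickup-connectionless is enabled on an A-P cluster with IPsec "
                "tunnels: tunnel traffic will drop at failover; set it to disable"]
    return []  # empty list: the fix from the article is already in place

def remediated(text):
    """Apply the article's fix to the config text: set session-pickup-connectionless disable."""
    return re.sub(r"(set session-pickup-connectionless\s+)enable", r"\1disable", text)
```

Run the audit against a backup exported from the cluster before and after applying the CLI change above; an empty result means the setting is already disabled.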

Related documents:

Session pickup | FortiGate / FortiOS 7.6.0 | Fortinet Document Library

HA for FortiGate-VM on Azure | FortiGate Public Cloud 7.6.0 | Fortinet Document Library

How to fix the failover issue when there ... - Fortinet Community

VIP Configuration on the FortiGate VM Act... - Fortinet Community

Configure SDN Connector for Active-Passiv... - Fortinet Community
