FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 227845



This article explains TCP session failover behavior in an SD-WAN/ADVPN scenario with 2 HUBs. In this scenario, branches access resources from both HUBs.




FortiGate setups using TCP with SD-WAN.




In the topology below, the PC behind the branch initiates a TCP connection towards the Server using Port1. As it is the preferred member in the SD-WAN rule, Port1 connects to Hub1 through IPSEC tunnel.


Photo 1.JPG


A TCP session is created normally on the branch/Hub1.


If Port2 becomes the preferred port in the SD-WAN rule due to an SLA change for example, the branch starts to forward the packets for this TCP session using Port2, which connects to Hub2 through another IPSEC tunnel.


As Hub2 is a different FortiGate device with no prior knowledge of this session, it will drop this traffic after failover as the 1st packet is not a SYN packet, which is necessary to create a new TCP session.


This issue can be solved by disabling TCP SYN checking on the HUBs. After, the hub will not check if the 1st packet of a TCP session is an SYN packet. This will allow session creation if the Firewall policy is correctly configured to allow traffic.

To disable TCP SYN, enable the 'tcp-session-without-syn' option.


If another SLA change happens on the Branch and failover passes traffic to Port1 again while the old session on Hub1 has not timed out, Hub1 will drop traffic as it checks TCP sequence numbers. This occurs because packets do not have the correct TCP sequence due to passing through Hub2 previously.


This issue can be solved by disabling the 'anti-replay' setting on the firewall policy level. When 'anti-replay' is disabled, FortiGate does not check the sequence numbers of TCP packets. As a result, Hub1 will still accept the packets after the session is routed back to Hub1 from Hub2 in this example.


Both options discussed above must be configured on the firewall policy level. To access the 'tcp-session-without-syn' setting, first enable the setting in VDOM:


# config system settings

set tcp-session-without-syn enable



# config firewall policy

    edit <id>

        set anti-replay disable

    set tcp-session-without-syn all




Photo 3.JPG



In this dual hub topology, these options should be enabled on both hubs. Active TCP Sessions can be routed back and forth between both of them.

While the configuration in this example disables stateful firewall inspection for TCP traffic on both hubs, this does not present a security concern: both branches still perform stateful firewall inspection for TCP traffic.