This article describes the reason for a session containing both the synced and syn_ses flags.
FortiGate HA.
This is expected behavior when either FGCP or FGSP is configured. In FGCP, the Primary and Secondary member roles change on failover, so sessions can be synced in both directions, which leaves both flags set.
In FGSP, if the session expires on the peer that had originally synced the session, it can be re-synced from the other member, causing it to have both flags.
session info: proto=6 proto_state=11 duration=1033252 expire=3593 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty ndr npu synced f00 syn_ses
statistic(bytes/packets/allow_err): org=1229996829/1159530/1 reply=29355254/398237/1 tuples=2
tx speed(Bps/kbps): 1624/12 rx speed(Bps/kbps): 40/0
orgin->sink: org pre->post, reply pre->post dev=42->43/43->42 gwy=101.126.74.67/101.126.74.68
hook=pre dir=org act=noop 179.123.159.99:41503->168.152.242.235:1416(0.0.0.0:0)
hook=post dir=reply act=noop 168.152.242.235:1416->179.123.159.99:41503(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=403 auth_info=0 chk_client_info=0 vd=0
serial=aeb23a5c tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x003c94 ips_offload ofld-O ofld-R
npu info: flag=0x81/0x81, offload=9/9, ips_offload=1/1, epid=47/47, ipid=178/178, vlan=0x002f/0x0030
vlifid=178/178, vtag_in=0x002f/0x0030 in_npu=3/3, out_npu=3/3, fwd_en=0/0, qid=17/22
total session 1
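The following is an added example, not part of the original article or of Fortinet's tooling: a small Python parser that reads session-list output in the format shown above and reports which sessions carry both the synced and syn_ses flags on their state line. The sample text is constructed (the first session is abridged from the output above, the second is invented for contrast), and the function names are hypothetical.

```python
import re

# Constructed sample: first session abridged from the output above,
# second session is invented for contrast (only one sync flag).
SAMPLE = """\
session info: proto=6 proto_state=11 duration=1033252 expire=3593 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
state=log may_dirty ndr npu synced f00 syn_ses
hook=pre dir=org act=noop 179.123.159.99:41503->168.152.242.235:1416(0.0.0.0:0)
misc=0 policy_id=403 auth_info=0 chk_client_info=0 vd=0
serial=aeb23a5c tos=ff/ff app_list=0 app=0 url_cat=0
session info: proto=6 proto_state=01 duration=12 expire=3587 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
state=log may_dirty synced
hook=pre dir=org act=noop 192.0.2.10:50000->198.51.100.20:443(0.0.0.0:0)
misc=0 policy_id=7 auth_info=0 chk_client_info=0 vd=0
serial=00000abc tos=ff/ff app_list=0 app=0 url_cat=0
total session 2
"""

SYNC_FLAGS = ("synced", "syn_ses")

def parse_sessions(text):
    """Split session-list output into per-session dicts with state flags."""
    sessions = []
    for block in re.split(r"(?m)^(?=session info:)", text):
        if not block.startswith("session info:"):
            continue  # skip anything before the first session header
        state = re.search(r"(?m)^state=(.*)$", block)
        serial = re.search(r"\bserial=(\w+)", block)
        policy = re.search(r"\bpolicy_id=(\d+)", block)
        flags = state.group(1).split() if state else []
        sessions.append({
            "serial": serial.group(1) if serial else None,
            "policy_id": int(policy.group(1)) if policy else None,
            "flags": flags,
            "sync_flags": [f for f in SYNC_FLAGS if f in flags],
        })
    return sessions

def both_sync_flags(sessions):
    """Serials of sessions carrying both synced and syn_ses."""
    return [s["serial"] for s in sessions if len(s["sync_flags"]) == 2]

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE):
        print(s["serial"], s["policy_id"], s["sync_flags"])
```

Running the same parser over output collected from each cluster member makes it easy to compare, by serial, which sessions show both flags on which unit.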