Created on 04-24-2023 11:59 PM. Edited on 01-29-2025 12:16 AM. By Anthony_E.
Description: This article explains the root cause of an error that occurs with FGSP session synchronization, where the synchronization is ignored due to an unexpected source IP. A solution is provided.
Scope: FortiOS.
Solution:
Background: When FGSP uses an L3 link to synchronize sessions, each FGSP member must use the remote FGSP member's IP as its peer IP, as shown below:
config system cluster-sync
    edit 1
        set peerip X.X.X.X    <- X.X.X.X is the remote FGSP member.
    next
end
When the routing table contains ECMP routes toward the peerip address, the source IP of the FGSP packet is chosen by the routing decision and may not match the peerip defined on the remote FGSP member. In that case, the receiving side ignores the packets.
Run the debug command below to confirm the cause of the issue. If the scenario above is the cause, the output will contain 'Y.Y.Y.Y is not declared', where Y.Y.Y.Y is the source IP chosen by the routing decision.
diagnose debug application sessionsync -1
Workaround: To fix this issue, add every possible source address as a peerip. For example, if the remote FGSP peer has two routes to the local peer IP, add two peerip entries to the cluster-sync configuration.
config system cluster-sync
    edit 1
        set peerip Z.Z.Z.Z    <- The first possible source IP.
    next
    edit 2
        set peerip K.K.K.K    <- The second possible source IP.
    next
end
Note: Starting from v7.0.1 and v7.2.1 and later versions, the syntax has changed to 'config system standalone-cluster'.
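The check and workaround above, as an added example that is not part of the original article or of FortiOS: it scans the 'is not declared' lines of the debug output, compares the reported source IPs against the peerips already configured, and renders the cluster-sync entries that cover every possible source address. The debug lines are constructed; only the 'is not declared' phrase comes from the article, and the v7.0.1+ standalone-cluster syntax is not rendered.

```python
import re
from ipaddress import ip_address

# Constructed sample: peerips already configured on the receiving FGSP member.
DECLARED_PEERIPS = ["10.1.1.2"]

# Constructed sample lines imitating 'diagnose debug application sessionsync -1'.
# Assumption: only the 'is not declared' phrase is stable; the rest is made up.
SAMPLE_DEBUG_OUTPUT = """\
sessionsync: recv pkt from 10.1.1.2 len=220
sessionsync: 10.2.2.2 is not declared
sessionsync: recv pkt from 10.1.1.2 len=220
sessionsync: 10.2.2.2 is not declared
sessionsync: 999.1.1.1 is not declared
sessionsync: 10.3.3.2 is not declared
"""

NOT_DECLARED = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}) is not declared")


def undeclared_sources(debug_output, declared):
    """Return distinct, valid source IPs the peer ignored, in first-seen order,
    skipping any address that is already configured as a peerip."""
    declared_set = {str(ip_address(p)) for p in declared}
    seen = []
    for match in NOT_DECLARED.finditer(debug_output):
        try:
            ip = str(ip_address(match.group(1)))
        except ValueError:
            continue  # malformed octet such as 999.1.1.1: not a real source IP
        if ip not in declared_set and ip not in seen:
            seen.append(ip)
    return seen


def render_cluster_sync(declared, extra):
    """Render the pre-7.0.1 'config system cluster-sync' table with one entry
    per possible source IP: the existing peerips first, then the new ones."""
    lines = ["config system cluster-sync"]
    for idx, ip in enumerate(list(declared) + list(extra), start=1):
        lines += [f"    edit {idx}", f"        set peerip {ip}", "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    missing = undeclared_sources(SAMPLE_DEBUG_OUTPUT, DECLARED_PEERIPS)
    print(render_cluster_sync(DECLARED_PEERIPS, missing))
```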