maulishshah
Staff
Article Id 332696
Description This article describes troubleshooting steps for resolving issues where TCP sessions are not synchronized between HA clusters. 
Scope FortiGate.
Solution

First, verify the HA configuration to ensure that TCP session synchronization is enabled:

config system ha
    set group-id 15
    set group-name "FGT-dSN-AH1"
    set mode a-p
    set sync-packet-balance enable <- Distributes the processing of synchronization packets across multiple CPUs.
    set session-sync-dev "port18" "port25" <- Dedicated session synchronization interfaces; offloading session synchronization processing to the kernel improves handling of heavy loads.
    set session-pickup enable
    set priority 250
    set monitor "port33" "port34"
end

See the following article for details on session pickup: Technical Tip: HA session failover (session pickup).

Next, run the following command to verify the HA session synchronization statistics:

diag sys ha session-sync-dev

To confirm whether the sessions are in sync, run the following commands on both firewalls to list the TCP sessions and compare the totals:

di sys session filter proto 6
di sys session list | grep total

If sessions are not in sync, troubleshoot the following items.

To reduce the waiting time for TCP session expiration on the secondary unit, change the default session-ttl in all VDOMs to 5 minutes (300 seconds):

config system session-ttl
    set default 300
end

Then check again from both firewalls whether the sessions are in sync:

di sys session filter proto 6
di sys session list | grep total

If the session totals still do not match, run the following commands on the secondary node:

di sys session sync reset
execute sync-session

Wait for a few minutes and then verify the session list from both firewalls again.
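As an added example, not part of the original article and not Fortinet code, the following Python script compares the TCP session lists captured from both cluster members with the commands above, so the check can be repeated after each step without eyeballing two terminals. The session-list output embedded in it is constructed for this example and only mimics the `session info`, flow and `total session` lines; the assumption is that a real capture carries the `src:port->dst:port` flow tuple and the `total session N` line in that form, and any other lines are ignored.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample output, not captured from a real device. Each session is
# condensed to one "session info" line and one flow line carrying the
# src:port->dst:port tuple, and the output ends with the "total session N"
# line that `| grep total` isolates. Assumption: a real capture carries these
# fields in this form; anything else in the real output is ignored here.
PRIMARY_OUTPUT = """\
session info: proto=6 proto_state=01 duration=120 expire=3480 timeout=3600
hook=post dir=org act=snat 10.1.1.10:51000->203.0.113.5:443(198.51.100.2:51000)
session info: proto=6 proto_state=01 duration=30 expire=3570 timeout=3600
hook=post dir=org act=snat 10.1.1.11:51001->203.0.113.6:443(198.51.100.2:51001)
session info: proto=6 proto_state=01 duration=5 expire=3595 timeout=3600
hook=post dir=org act=snat 10.1.1.12:51002->203.0.113.7:443(198.51.100.2:51002)
total session 3
"""

SECONDARY_OUTPUT = """\
session info: proto=6 proto_state=01 duration=120 expire=3480 timeout=3600
hook=post dir=org act=snat 10.1.1.10:51000->203.0.113.5:443(198.51.100.2:51000)
session info: proto=6 proto_state=01 duration=30 expire=3570 timeout=3600
hook=post dir=org act=snat 10.1.1.11:51001->203.0.113.6:443(198.51.100.2:51001)
total session 2
"""

TOTAL_RE = re.compile(r"^total session (\d+)\s*$", re.MULTILINE)
# Matches "src:port->dst:port" on the flow line; the NAT address in
# parentheses, if present, is left out of the tuple.
FLOW_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}:\d+)->(\d{1,3}(?:\.\d{1,3}){3}:\d+)")


def total_sessions(output: str) -> int:
    """Return the count from the 'total session N' line, or raise if absent."""
    match = TOTAL_RE.search(output)
    if match is None:
        raise ValueError("no 'total session' line found in output")
    return int(match.group(1))


def session_tuples(output: str) -> Set[Tuple[str, str]]:
    """Return the set of (src:port, dst:port) tuples listed in the output."""
    return {(m.group(1), m.group(2)) for m in FLOW_RE.finditer(output)}


def compare_session_tables(primary: str, secondary: str) -> Dict[str, object]:
    """Compare the TCP session tables captured on both cluster members.

    The totals are compared first (what `grep total` gives you); the tuple
    diff then shows which sessions the secondary is missing or has in excess,
    which is more useful than a bare count once the numbers disagree.
    """
    primary_set = session_tuples(primary)
    secondary_set = session_tuples(secondary)
    missing: List[Tuple[str, str]] = sorted(primary_set - secondary_set)
    extra: List[Tuple[str, str]] = sorted(secondary_set - primary_set)
    total_primary = total_sessions(primary)
    total_secondary = total_sessions(secondary)
    return {
        "total_primary": total_primary,
        "total_secondary": total_secondary,
        "in_sync": total_primary == total_secondary and not missing and not extra,
        "missing_on_secondary": missing,
        "extra_on_secondary": extra,
    }


if __name__ == "__main__":
    result = compare_session_tables(PRIMARY_OUTPUT, SECONDARY_OUTPUT)
    print(f"primary total={result['total_primary']} "
          f"secondary total={result['total_secondary']} "
          f"in_sync={result['in_sync']}")
    for src, dst in result["missing_on_secondary"]:
        print(f"missing on secondary: {src} -> {dst}")
    for src, dst in result["extra_on_secondary"]:
        print(f"extra on secondary:   {src} -> {dst}")
```

To use it against real units, save the output of `di sys session list` from each member into a file at the same moment and pass both strings to `compare_session_tables`. A handful of sessions that appear only on the primary is normal if they were opened seconds before the capture; a gap that persists after the waiting period described above is the condition this article's remaining steps address.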