jstan
Staff
Article Id 198747

Description


This article describes how to resolve an issue where a ping test performed from the FortiGate slave unit fails and the debug flow prints the message 'local-out traffic, blocked by HA'.

Scope

 

FortiGate.

 

Solution

 

  1. A ping test performed from the slave unit fails:

execute ping 10.10.10.1
PING 10.10.10.1 (10.10.10.1): 56 data bytes
sendto failed
sendto failed
sendto failed
sendto failed
sendto failed

 

  2. The debug flow prints the following message:

id=20085 trace_id=3628 func=print_pkt_detail line=5501 msg="vd-root received a packet(proto=1, 10.10.10.10:55136->10.10.10.1:2048) from local. type=8, code=0, id=55136, seq=0."      
id=20085 trace_id=3628 func=init_ip_session_common line=5666 msg="allocate a new session-011b8e62"
id=20085 trace_id=3628 func=fw_local_out_handler line=825 msg="local-out traffic, blocked by HA"

 

The message 'local-out traffic, blocked by HA' appears in a debug flow when the HA slave unit tries to send self-originated (local-out) traffic.
This is by design and is expected in both the A-P and the A-A scenario.

The following sessions are not supported for A-A load balancing:

  • ICMP, multicast, and broadcast sessions are never load-balanced and are always processed by the primary unit.
  • IPS, Application Control, flow-based virus scanning, flow-based web filtering, flow-based DLP, flow-based email filtering, VoIP, IM, P2P, IPsec VPN, SSL VPN, HTTP multiplexing, SSL offloading, WAN optimization, explicit web proxy, and WCCP sessions are also always processed only by the primary unit.

To resolve the issue, perform the ping test from the primary unit instead.
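When a saved debug flow capture contains many traces, the HA-blocked local-out packets can be separated from the rest by grouping lines on trace_id. The script below is an added example, not Fortinet code; its regular expressions assume the line layout shown in this article, and trace 3629 in the sample is constructed for contrast.

```python
import re
from collections import defaultdict

# Header fields and quoted msg of one debug flow line (layout assumed from this article).
LINE_RE = re.compile(
    r'id=(?P<id>\d+)\s+trace_id=(?P<trace>\d+)\s+func=(?P<func>\S+)\s+'
    r'line=(?P<line>\d+)\s+msg="(?P<msg>.*)"\s*$')
# Packet summary printed by print_pkt_detail; "from local" marks self-originated traffic.
PKT_RE = re.compile(
    r'(?P<vd>\S+) received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)'
    r'->(?P<dst>[\d.]+):(?P<dport>\d+)\) from (?P<origin>\S+)\.(?:\s|$)')
HA_BLOCK = "local-out traffic, blocked by HA"

# Trace 3628 is the output quoted in this article.
# Trace 3629 is CONSTRUCTED: same packet shape, but no HA verdict line.
SAMPLE = '''\
sendto failed
id=20085 trace_id=3628 func=print_pkt_detail line=5501 msg="vd-root received a packet(proto=1, 10.10.10.10:55136->10.10.10.1:2048) from local. type=8, code=0, id=55136, seq=0."
id=20085 trace_id=3628 func=init_ip_session_common line=5666 msg="allocate a new session-011b8e62"
id=20085 trace_id=3628 func=fw_local_out_handler line=825 msg="local-out traffic, blocked by HA"
id=20085 trace_id=3629 func=print_pkt_detail line=5501 msg="vd-root received a packet(proto=1, 10.10.10.10:55137->10.10.10.1:2048) from local. type=8, code=0, id=55137, seq=0."
id=20085 trace_id=3629 func=init_ip_session_common line=5666 msg="allocate a new session-011b8e63"
'''

def summarize(text):
    """Group debug flow lines by trace_id; record packet details and HA verdict."""
    traces = defaultdict(lambda: {"packet": None, "ha_blocked": False, "funcs": []})
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # CLI echo, 'sendto failed', blank lines
        t = traces[int(m["trace"])]
        t["funcs"].append(m["func"])
        pkt = PKT_RE.search(m["msg"])
        if pkt:
            t["packet"] = pkt.groupdict()
        if m["msg"] == HA_BLOCK:
            t["ha_blocked"] = True
    return dict(traces)

def ha_blocked_local_out(text):
    """Return (trace_id, src, dst, proto) for self-originated packets blocked by HA."""
    return [(tid, t["packet"]["src"], t["packet"]["dst"], int(t["packet"]["proto"]))
            for tid, t in sorted(summarize(text).items())
            if t["ha_blocked"] and t["packet"] and t["packet"]["origin"] == "local"]

if __name__ == "__main__":
    print(ha_blocked_local_out(SAMPLE))
```

Traces that this function returns match the expected HA behaviour described above; any other failing trace in the same capture needs separate investigation.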

 

Related document:

HA failover session pickup - FortiGate handbook