Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
knerd90
New Contributor

Fortigate 6.2 SD-WAN Application session breaks

Hi, we have been running a couple of sites using FortiGate SD-WAN in a hub-and-spoke topology. We randomly get complaints from users about application sessions being kicked out; users have to restart the application (web, ERP). I see there are often SD-WAN member changes in the logs, such as the attached. My question: when the link does meet the success criteria of a specific SLA and it is moved out of the SD-WAN rule, what happens to the existing sessions that were running on the link? Is it going to time out, or will it be dropped by the FortiGate? I tested this out some months ago; I noticed an ICMP packet recovered, but an RDP session would get stuck if the link failed, even if the other link was ready to take the session.

1 Solution
Jirka1
Contributor III

Hi,

I had the same problem, because by default the difference between the measured values will exceed 10%. So try setting this value to a higher number, like 50%.

    config system virtual-wan-link
        config health-check
            # existing health-check entries, unchanged
        end
        config service
            edit xxx
                set link-cost-threshold 50    # default is 10, change to 50
            next
        end
    end


Set SD-WAN rules where the traffic is generated. So if the traffic goes only from the branches to the HQ and not vice versa, then it is unnecessary to set it at the HQ. Because FortiGate is a stateful firewall and writes the interface the traffic comes in on into the session table, the return traffic also leaves on the same interface and there is no asymmetric routing.

Jirka

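An added toy simulation (not from this thread or from Fortinet) of the effect Jirka describes: two links whose measured latencies sit close together flap the SD-WAN member under a tight 10% link-cost-threshold and stay put under 50%. It assumes a simplified hysteresis model of link-cost-threshold (switch only when the best member beats the current one by more than N percent of the current cost); the latency samples and member names are constructed.

```python
"""Toy model of SD-WAN member selection with link-cost-threshold hysteresis.

Constructed example, not FortiGate code. It approximates link-cost-threshold
as "switch member only when the best member's cost beats the current member's
by more than N percent of the current cost" (an assumption about FortiOS).
"""
from typing import Dict, List, Tuple

# Constructed health-check latency samples (ms), one value per probe round.
# The links are close to each other, so a little jitter flips the winner.
SAMPLES: Dict[str, List[float]] = {
    "wan1": [20, 24, 20, 25, 21, 26, 20],
    "wan2": [22, 21, 23, 21, 23, 21, 24],
}


def pick_member(current: str, costs: Dict[str, float], threshold_pct: float) -> str:
    """Stay on `current` unless another member is cheaper by more than threshold_pct."""
    best = min(costs, key=costs.get)
    if best == current:
        return current
    improvement_pct = (costs[current] - costs[best]) / costs[current] * 100
    return best if improvement_pct > threshold_pct else current


def count_member_changes(samples: Dict[str, List[float]], threshold_pct: float,
                         start: str = "wan1") -> Tuple[int, List[str]]:
    """Replay all probe rounds and return (member changes, member chosen per round).

    Each change is a point where sessions pinned to the old member may break,
    so fewer changes means fewer users kicked out of their applications.
    """
    rounds = len(next(iter(samples.values())))
    current, history, changes = start, [], 0
    for i in range(rounds):
        costs = {name: series[i] for name, series in samples.items()}
        chosen = pick_member(current, costs, threshold_pct)
        if chosen != current:
            changes += 1
            current = chosen
        history.append(current)
    return changes, history


if __name__ == "__main__":
    for pct in (10, 50):
        n, hist = count_member_changes(SAMPLES, pct)
        print(f"link-cost-threshold {pct}%: {n} member change(s) -> {hist}")
```

With the constructed samples the 10% threshold produces four member changes in seven probe rounds, while 50% produces none.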
2 REPLIES
knerd90
New Contributor

Thanks, I will give it a try, but my question was regarding the active sessions: when a link moves out of SLA, what happens to the sessions on the link that is now out of SLA?