Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ricyeunghk2003
New Contributor

Fortigate 601E - HA (A-P) session pickup failure when failover (v6.4.9)

Hi Gents,

 

we set up 2 fortigate 601E running in HA (A-P) mode, i.e FW01-Primary, FW02-Secondary. the system is configured in transparent mode, with one uplink and one downlink port. Both ports are set as monitor ports in HA settings. I expected in the scenario when hardware fault or link fault, failover will be triggered and session will be pickup automatically. We run multiple tests for HA features.

 

Observation #1: #When we reboot the FW01, FW02 becomes the primary and pickup the sessions. However, when FW01 was bootup, FW01 was taken over as primary but the sessions were lost. As long as I reboot the FW02, the sessions can then be recovered

 

Observation #2: the uplink ports (connected to a switch) is one of the monitor port for failover. When I shutdown the uplink port at switch side, the failover does work to FW02 as primary. However, when I turn on the uplink port, FW01 resume to primary role, while sessions are lost. I can only shutdown the 2nd uplink port connecting to FW02 or reboot FW02 to resume all the sessions.

 

Does anyone have suggestions to me ?

2 REPLIES 2
Anonymous
Not applicable

Hello @ricyeunghk2003   ,

 

Thank you for using the Community Forum.

 

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

 

Regards,

   Fortinet Community Team.
 
Muhammad_Haiqal

Hi @ricyeunghk2003 ,

 

Observation 1: This can be expected behavior. On normal scenario, Unit1 and Unit2 is UP. session pickup is sync to Unit2. When Unit1 is loss, the session is loss. Please check if you enable session pickup.

Observation 2: Related to Observation 1.

Basically, transition between Unit1 to Unit2, mostly no issue because all session is catch by Unit2 while Unit1 is UP.

When Unit2 transition to Unit1, you may have session issue because, some session cannot be sync due to session is created before the Unit1 is up. This mostly happened to HTTPS traffic.

haiqal