Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ellocodelacommencal
New Contributor

When the dynamic route changes, sessions are kept on the wrong interface.

Hi there!

 

We have version 6.4.5 installed on our FWG100F.

 

I have configured a dynamic routing through BGP and using a performance SLA to our DataCenter by 2 ways, (optical fibre and IPsec tunnel).

When the Fibre (main) goes down, the secondary route "tunnel Ipsec" is up correctly, but when the main line recovers, the Firewall keeps the old sessions, going out through the wrong interface (standby) and does not work correctly.

 

Researching I have read that this can be solved for NAT connections by enabling "snat-route-change", but in our case the sessions are not with NAT, being internal communication. We have tested it and it works, but obviously we can't use it since it is internal communication and we always need to be able to see the origin of the communications.

 

Someone knows what could be going on? I've read that others don't have the same problem for IPsec sessions with SLA performance without NAT.

I appreciate any advice!

 

7 REPLIES 7
Anonymous
Not applicable

Hello,

 

Can you confirm if you have also confirmed SDWAN ?

ellocodelacommencal

Hello! Thanks for your reply.

Yes I'm using SD-wan with the interface of the Main circuit participating performance SLA. 

When it goes down, the standby circuit rise up correctly, but when it bring up, the routes go to the main circuit, but the sessions are still running through the standby interface and does not work.

xuda
New Contributor

I have similar issue with you, in my scenario I have a fiber as primary line and IPSec as backup, both of them establish a BGP peer to advertise routes.

 

During failover some session will down and here is some debug outputs, common reasons are RPF check fail and no active session on FortiGate ( FG 200F , V7.2.1 )

 

And I find this tcp-session-without-syn option in policy, I think it may work well, I have test for serval times, Not sure if this is a elegant solution, I'm waiting for my local support respond, just put it here ahead.

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Enable-tcp-session-without-syn-in-firewall...

aionescu
Staff
Staff

Hi @ellocodelacommencal , 

 

This is a pretty old topic but, since it was brought again to our attention, on top of what was already shared, can you check if "preserve session route" is set to enabled, on the interface.  

More info available at Handbook | FortiGate / FortiOS 6.0.0 | Fortinet Documentation Library

xuda
New Contributor

Hi @aahmadzada ,

 

Thanks, but in my environment I don't have any NAT config since our network is a flat fabric. 2 sites connected by the Fiber leased line OR IPSec, all traffic is L3 routing without NAT.

So the problem I faced here is when the BGP is down, all sessions will broken and my users can feel it ( which is not great for me ).

 

And Hi @aionescu  I tried this preserve-session-route option as well, but it doesn't help me.
From debug flow I can see the complain "RPF fail" and "no session".

RPF I think is because 2 sides BGP convergence time is not equal, and "no session" TAC told me because traffic arrived before routing change, so the session is not "dirty" at that time so FGT marked these traffic "no session".

 

I don't know if I'm right but I enabled TCP session without SYN looks good now.

Toshi_Esumi
Esteemed Contributor II

I'm assuming both sides are advertising/learning the same routes to/from the other end on both circuits with eBGP. Then I would set the local preference on the primary learned routes higher than secondary. Then when the primary BGP comes back up, almost instantaneously the primary routes would take over from the backup ones.

 

Toshi