Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

AZURE HA A/P with Internal LB : session needs to be restarted after failover

Hi all,


I'm currently deploying FGT cluster inside Azure (A/P with ELB/ILB) like the following


Inside Fortigate HUI, I can see session replicated to the slave (fortiview session).

When I perform a failover, the ILB doesn't seems to "redirected" existing sessions from the active to the slave, so session died and must be restarted.

New session can be initialised without any issue...

Like mentioned in the following document, I disabled session persistency (set to None)


I don't think it's an issue on the Fortigate. Is it the normal behaviour inside Azure ?


PS: It's seems to be the same with Palo Alto

Existing sessions need to be re-established.


Any idea ??






Hello sip-security, 


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 



Jean-Philippe - Fortinet Community Team



We are still looking for an answer to your question.


We will come back to you ASAP.




Jean-Philippe - Fortinet Community Team



You have an A-P High Availability solution with ELB/ILB.

External Azure Standard Load balancer is for communication with the internet

Internal Azure Standard load balancer to receive all internal traffic and forward it to its destination.

Normally, the Azure load balancer (LB) should be able to identify the master unit after an HA failover. 

The Azure LB handles traffic failover using a health probe towards the FortiGate-VMs based on the failover times defined.

As per the below document from Microsoft:-

"New TCP connections will succeed in remaining healthy backend endpoint.
If a backend endpoint's health probe fails, established TCP connections to this backend endpoint continue."

As per the below document on GitHub for config east-west-connections, there is a limitation:-

In case of failover, the Azure Load Balancer will send existing sessions to the failed VM as explained.

HA A-P with ELB/ILB will be a good option for a short failover time and HA A-P SDN connector will be a better option for session failover.

Supported configurations:-

As a general rule, it is important to deploy the FortiGate while following the guidelines recommended in official Fortinet documentation:

Fortinet cannot deny nor guarantee that any other unusual deployment can run correctly, but most variations are unlikely to be supported.




- Have you found a solution? Then give your helper a "Kudos" and mark the solution.


Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors