maxiboom
New Contributor III

Address on loopback interface as a peer ip in FGSP protocol and speed of sync session

Hello everyone,

FortiGate 200E
FortiOS: 7.0.9

I have two FGCP clusters and FGSP between them.

 

I have some questions:

1) Is it possible to use a loopback interface and the address on it as the peer IP for FGSP? When I use the address on a loopback interface as the peer IP, session synchronization doesn't work, but when I change the peer IP to the address of a connected interface, session synchronization begins to work. For the loopback I have created a firewall policy, but it doesn't help.

2) Are there ways to speed up the session sync process? I have 9k sessions and it can take 3-5 minutes.

1 Solution
gfleming

There's no way. You have to use a physical interface.

You will see the errors if you turn on debugging and do "diag debug application sessionsync -1"

Cheers,
Graham


gfleming
Staff

For the loopback connectivity, have you confirmed you have routing enabled as well to reach the loopback interfaces?

It might not speed things up dramatically, but using a dedicated physical session synchronization link might help. This will use L2 instead of L3 and will be offloaded to the kernel. https://docs.fortinet.com/document/fortigate/7.0.9/administration-guide/851897/session-synchronizati...

Some other reading: https://docs.fortinet.com/document/fortigate/7.0.9/administration-guide/18108/optimizing-fgsp-sessio...

Cheers,
Graham
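As an added illustration (not from the thread or from Fortinet's documentation), this is the shape of an FGSP peer definition in FortiOS 7.0 CLI that follows the advice above: the peer IP is the connected-interface address that actually sources the sync traffic, and a directly connected port is set aside as the dedicated session-sync link. Interface names, addresses and group IDs are placeholders, and the lines starting with # are annotations rather than CLI.

```text
# Added example (not from the thread). One member of cluster A; cluster B
# mirrors it with the addresses swapped. Placeholders throughout.
config system standalone-cluster
    set standalone-group-id 1
    set group-member-id 1
    # Optional dedicated L2 link for session sync: same port name on both
    # sides, directly cabled, no routing involved.
    set session-sync-dev "port10"
    config cluster-peer
        edit 1
            # peerip must be the address of the remote connected interface
            # that sources the sync traffic (assumed 10.10.10.2 here), not a
            # loopback address; sync is sourced from the outgoing interface.
            set peerip 10.10.10.2
            set syncvd "root"
        next
    end
end

# Checks mentioned in the thread: peer state and verbose sync debugging.
diagnose sys session sync
diagnose test application sessionsync 6
diagnose debug application sessionsync -1
diagnose debug enable
```

If the peer shows as dead, compare the source address seen in a packet capture on the remote side with the configured peerip; a mismatch is the symptom described in this thread.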
maxiboom
New Contributor III

Sure, I have connectivity, but it doesn't work. I have seen session sync in tcpdump, but when I use "diag test application sessionsync 6" it shows that the peer is dead. On a connected interface I haven't observed this.

In our topology we can use only an L3 link.

gfleming

Do you see session sync in tcpdump on the remote end or on the local end?

Cheers,
Graham
maxiboom
New Contributor III

I've seen it on the remote side and I have connectivity between the addresses for session sync. It seems that the sessions just haven't been installed.

gfleming

Can you post the output of:

show sys ha
get sys ha status
diagnose sys session sync

Cheers,
Graham
gfleming

I tested this in my lab and I don't think it will work, since the session sync will be sourced from the outgoing interface, not the loopback interface. I received errors on the remote FortiGate that the peer IP was not configured. The peer IP in question was the outgoing interface IP, not the loopback IP.

Cheers,
Graham
maxiboom
New Contributor III

Yes, sync is sourced from the outgoing interface, not from the loopback. I thought about it, but I haven't found logs with errors. I have connectivity exactly between the loopback interfaces, but I haven't found how to use it as the source in the session sync.
