Hello everyone,
Fortigate 200E
FortiOS: 7.0.9
I have two FGCP clusters and FGSP between them.
I have some questions:
1) Is it possible to use a loopback interface and the address on it as the peer IP for FGSP? When I use the address on a loopback interface as the peer IP, session synchronization doesn't work, but when I change the peer IP and use the address on some connected interface, session synchronization begins to work. For the loopback I have created a firewall policy, but it doesn't help.
2) Are there ways to speed up the session sync process? I have 9k sessions and it can take 3-5 minutes.
There's no way. You have to use physical interface.
You will see the errors if you turn on debugging and do "diag debug application sessionsync -1"
For the loopback connectivity have you confirmed you have routing enabled as well to reach the loopback interfaces?
It might not speed things up dramatically but using a dedicated physical Session synchronization link might help. This will use L2 instead of L3 and will be offloaded to the kernel. https://docs.fortinet.com/document/fortigate/7.0.9/administration-guide/851897/session-synchronizati...
Some other reading: https://docs.fortinet.com/document/fortigate/7.0.9/administration-guide/18108/optimizing-fgsp-sessio...
Sure, I have connectivity, but it doesn't work. I have seen session sync in tcpdump, but when I use "diag test application sessionsync 6" it shows that the peer is dead. On a connected interface I haven't observed this.
In our topology we can use only L3 link.
Do you see session sync in tcpdump on the remote end or on the local end?
I've seen it on the remote side and I have connectivity between the addresses for session sync. It seems that the sessions just haven't been installed.
Can you post the output of:
show sys ha
get sys ha status
diagnose sys session sync
I tested this in my lab and I don't think it will work, since the session sync will be sourced from the outgoing interface, not the loopback interface. I received errors on the remote FortiGate that the peer IP was not configured. The peer IP in question was the outgoing interface IP, not the loopback IP.
Yes, sync is sourced from the outgoing interface, not from the loopback. I thought about it, but I haven't found logs with errors. I have connectivity exactly between the loopback interfaces, but I haven't found how to use it as the source for session sync.
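As an added illustration of the conclusion above (not configuration from the original thread or from Fortinet), here is the FGSP peer definition with the setting that fails beside the one that works. It assumes FortiOS 7.0 CLI syntax as I recall it (config system standalone-cluster with cluster-peer and session-sync-dev), placeholder interface names port1/port5 and example addresses 10.0.0.1/10.0.0.2, and that the peer address on each side is reachable through the interface that actually sources the sync traffic.

```fortios
# Does NOT work: peerip is the remote loopback address. The sync packets leave
# through the routed egress interface, so the remote unit sees a source IP that
# does not match any configured peer and reports the peer as not configured.
config system standalone-cluster
    set standalone-group-id 1
    set group-member-id 1
    config cluster-peer
        edit 1
            set peerip 192.0.2.2        # remote loopback address (constructed example)
            set syncvd "root"
        next
    end
end

# Works: peerip is the address on the connected (physical) interface that the
# sync traffic is sourced from; both units must point at each other's interface IP.
config system standalone-cluster
    set standalone-group-id 1
    set group-member-id 1
    # optional: dedicated L2 sync link, offloaded instead of routed over L3
    set session-sync-dev port5
    config cluster-peer
        edit 1
            set peerip 10.0.0.2         # remote port1 address (constructed example)
            set syncvd "root"
        next
    end
end
```

After changing peerip, "diag test application sessionsync 6" should no longer report the peer as dead, and "diag debug application sessionsync -1" is where any remaining peer-mismatch errors would appear.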