Address on loopback interface as a peer ip in FGSP protocol and speed of sync session
Hello everyone,
Fortigate 200E
FortiOS: 7.0.9
I have two FGCP clusters and FGSP between them.
I have some questions:
1) Is it possible to use a loopback interface and the address on it as the peer IP in FGSP? When I use the address on the loopback interface as the peer IP, session synchronization doesn't work, but when I change the peer IP and use the address on a connected interface, session synchronization begins to work. For the loopback I have created a firewall policy, but it doesn't help.
2) Are there ways to speed up the session sync process? I have 9k sessions and it can take 3-5 minutes.
Labels: FortiGate
There's no way. You have to use a physical interface.
You will see the errors if you turn on debugging and do "diag debug application sessionsync -1"
Graham
For the loopback connectivity have you confirmed you have routing enabled as well to reach the loopback interfaces?
It might not speed things up dramatically but using a dedicated physical Session synchronization link might help. This will use L2 instead of L3 and will be offloaded to the kernel. https://docs.fortinet.com/document/fortigate/7.0.9/administration-guide/851897/session-synchronizati...
Some other reading: https://docs.fortinet.com/document/fortigate/7.0.9/administration-guide/18108/optimizing-fgsp-sessio...
Graham
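As an added example (not configuration from the thread, and not Fortinet's own documentation), here is what the two answers above amount to in FortiOS 7.0 CLI: the FGSP peer defined by the address of the connected physical interface rather than a loopback, the diagnostics that show whether the peer is up, and the dedicated session-sync link plus session-pickup trimming that cut the volume of sessions to be synced. Interface names, addresses, group IDs and VDOM names are assumptions.

```fortios
# Added example, not from the thread. Assumed topology:
#   Cluster A, port5 = 10.10.10.1/24      Cluster B, port5 = 10.10.10.2/24
#   Both clusters run VDOM "root"; port7 is a spare port on each side.

# --- 1. FGSP over an L3 link: peerip is the connected interface, not a loopback ---
# (configuration for cluster A; cluster B is the mirror image with
#  group-member-id 2 and peerip 10.10.10.1)
config system standalone-cluster
    set standalone-group-id 1          # assumed; must match on both peers
    set group-member-id 1              # assumed; must differ between peers
end
config system cluster-sync
    edit 1
        set peervd "root"              # VDOM whose routing reaches the peer
        set peerip 10.10.10.2          # address of the peer's connected interface
        set syncvd "root"              # VDOM(s) whose sessions are synced
    next
end
config system ha
    set session-pickup enable
end
# FortiOS sources the sync packets from the outgoing interface. If the peer has
# only a loopback address configured as peerip, the source does not match any
# configured peer and the session is not installed, which is the behaviour
# reported in the thread.

# --- 2. Checking the peer from either side ---
diagnose sys session sync                       # peer state and sync counters
get system ha status
diagnose debug application sessionsync -1       # verbose sessionsync daemon trace
diagnose debug enable
# ... wait for a sync cycle or trigger one, then:
diagnose debug disable
diagnose debug reset

# --- 3. Variant: dedicated L2 session-sync link and less to sync ---
# Only applicable where the peers share a link on the sync port.
config system standalone-cluster
    set standalone-group-id 1
    set group-member-id 1
    set layer2-connection available    # peers are on the same L2 segment
    set session-sync-dev "port7"       # sync goes over port7 directly, no peerip routing
end
config system ha
    set session-pickup enable
    set session-pickup-delay enable            # sync only sessions that have lived > 30 s
    set session-pickup-connectionless disable  # skip UDP/ICMP sessions if failover does not need them
    set session-pickup-expectation disable     # skip expectation sessions if not needed
    set session-pickup-nat enable
end
```

Section 3 trades completeness for speed: with session-pickup-delay enabled, short-lived sessions are never synced, so a failover drops them, but the bulk of a 9k-session table is usually long-lived flows and those are what the delay filter keeps. Apply sections 1 and 3 on both clusters, then compare the counters from diagnose sys session sync on each side before and after the change.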
Sure, I have connectivity, but it doesn't work. I have seen session sync in tcpdump, but when I use "diag test application sessionsync 6" it shows that the peer is dead. On a connected interface I haven't observed this.
In our topology we can use only L3 link.
Do you see session sync in tcpdump on the remote end or on the local end?
Graham
I've seen it on the remote side and I have connectivity between the addresses used for session sync. It seems that the sessions just haven't been installed.
can you post output of:
show sys ha
get sys ha status
diagnose sys session sync
Graham
I tested this in my lab and I don't think it will work, since the session sync will be sourced from the outgoing interface, not the loopback interface. I received errors on the remote FortiGate that the peer IP was not configured. The peer IP in question was the outgoing interface IP, not the loopback IP.
Graham
Yes, sync is sourced from the outgoing interface, not from the loopback. I thought about it, but I haven't found logs with errors. I have connectivity exactly between the loopback interfaces, but I haven't found how to use it as the source in the session sync.
