- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- FortiWebCloud
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- FG Session Failover not working
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on 09-21-2007 05:44 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FG Session Failover not working
Hello everyone,
I' ve been working on setting up my FG 1000A Active-Passive cluster for the past 2 weeks. The cluster works fine as it is failing fine on the slave but Session Pick-Up during Failover does not work completely. A ticket was opened with support but they are unable to reproduce the problem so I give a shot to the Forums.
The Setup:
- 2x FG1000A connected to a Dell PowerConnect 6224 Switch (Internal and External ports are connected to it). The switch is configured as a layer-2 device although it is a Layer-3 capable device.
- Running 3.00 MR4-Patch2
- FG1 has higher priority (250) so it becomes Master when it is in the cluster
- FG2 has default priority (128) so it becomes Slave when it is in the cluster where a Master is available.
- Session pick-up is configured.
- Port4 is Heartbeat and connected with a cross-over cable
- Port6 is External network (Internet) and monitored by HA
- Port7 is Internal network and monitored by HA
- Port8 is used for management on a different subnet
- Web server running IIS connected to Internal network is providing a link to a web page to download a big file (600MB)
- Firewall policy configured with a VIP to permit HTTP access to the Web server.
The problem:
1. When we start the download of the file through the Web server and disconnect the cable from Port6 of FG1 (acting as Master), it takes 6 seconds for the failover to occur and the session is not picked up by FG2 (acting as Slave). We lose around 12 PINGs to the cluster. So the download stops. We can reconnect and restart the download but this is not Session Failover.
2. Now the interesting part. If we restart the download of the file and we reconnect the cable from Port6 of FG1 (being Slave), the cluster reconfigures itself to have FG1 come back as Master and FG2 as Slave. There' s no PING lost and the download continues...
We' ve done:
- Full factory reset for both units and rebuilt the config from scratch.
- reproduce the problem with 2 different brand of switches
- Change the ports configured on the FG units (i.e. External from Port1 to Port6, etc)
- Were at MR5 and tried MR4-Patch2 and Factory Reset the units again
- I confirm the MAC Address Table is updated properly on the switches
- I confirm that both units have a synced configuration.
Has anybody noticed anything similar?
Regards,
Sylvain
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The failover time seems ok to me. We also experience a " stop" for about 4-6 seconds. But than tcp sessions will continue.
I know that " AV scanned sessions" are not replicated to the AH slave. So if you enable a protection profile for that FTP to scan for AV it likely won' t work.
It' s only IPSec-VPN and " regular" tcp traffic that is mirrored to the A-P slave.
For me it seems that also in MR5 they did some changes in regards to HA. I found out in my lab that the slave doesn' t need to restart when forming a cluster.
So your findings may also be related to a specifiy OS Version.
-R.
---------quote------------------------
The problem:
1. When we start the download of the file through the Web server and disconnect the cable from Port6 of FG1 (acting as Master), it takes 6 seconds for the failover to occur and the session is not picked up by FG2 (acting as Slave). We lose around 12 PINGs to the cluster. So the download stops. We can reconnect and restart the download but this is not Session Failover.
2. Now the interesting part. If we restart the download of the file and we reconnect the cable from Port6 of FG1 (being Slave), the cluster reconfigures itself to have FG1 come back as Master and FG2 as Slave. There' s no PING lost and the download continues...
Not applicable
Created on 09-25-2007 10:35 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Red,
I finally have the details and hope it may help someone in the future.
Keith Li from Tech Support finally found the solution which did not come from Fortigate. In fact, my Windows server has a registry key configured Not to restransmit TCP packets after 3 attempts. Since the Fortigate failover takes about 6 seconds when it detects a Link failure, the server stopped processing TCP Retransmits so the download failed.
This registry key is used to prevent Denial of Service on Windows Hosts. All our Windows servers have this value set to 3 although the default value is 5 attempts. When we put back the Default value, the failover works properly. This value is changed when you use Microsoft High Security Templates to secure your Windows hosts which we do.
For the explanation as to why the fail-back from the Slave to original Master does not cause the problem is a difference in HA code. Fail-back usually takes a shorter time than failover. Because during fail-back, your original master unit didn' t abruptly stop passing traffic. So the process would occur a lot more smoothly than a failover.
I hope those insights will help someone in the future. Thanks to Keith Li from Fortigate Tech Support as well for his assistance.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Fortigate 90G firmware Bugs 49 Views
- Unable to route public IP into... 95 Views
- Strange routing issue for PPPoE interface... 276 Views
- FortiManager serial number change 237 Views
- How to define Gateway on WAN... 482 Views
Labels
-
FortiGate
7,159 -
FortiClient
1,412 -
5.2
801 -
5.4
639 -
FortiManager
619 -
FortiAnalyzer
456 -
6.0
416 -
FortiAP
376 -
FortiSwitch
373 -
5.6
362 -
FortiClient EMS
291 -
FortiMail
281 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
175 -
FortiNAC
128 -
6.4
128 -
FortiGuard
115 -
IPsec
107 -
SSL-VPN
103 -
FortiGateCloud
97 -
FortiSIEM
93 -
FortiCloud Products
89 -
FortiToken
76 -
Customer Service
71 -
Wireless Controller
65 -
4.0MR3
64 -
FortiProxy
49 -
SD-WAN
48 -
FortiADC
45 -
FortiEDR
44 -
Fortivoice
44 -
FortiDNS
39 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiAuthenticator
35 -
FortiSandbox
34 -
Firewall policy
33 -
FortiSwitch v6.4
32 -
VLAN
31 -
High Availability
31 -
DNS
24 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
BGP
21 -
FortiConverter
21 -
Certificate
20 -
SAML
19 -
FortiGate v5.2
19 -
FortiPortal
18 -
LDAP
18 -
Interface
18 -
FortiSwitch v6.2
17 -
Routing
17 -
VDOM
17 -
FortiMonitor
15 -
Authentication
15 -
FortiGate v5.0
14 -
FortiLink
14 -
Fortigate Cloud
14 -
FortiDDoS
14 -
Logging
14 -
NAT
13 -
RADIUS
12 -
FortiCASB
12 -
Application control
11 -
Web profile
11 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
SSL SSH inspection
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
WAN optimization
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
FortiGate v4.0 MR3
8 -
OSPF
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiAP profile
7 -
SNMP
7 -
4.0
7 -
Admin
7 -
Web application firewall profile
7 -
Static route
6 -
Security profile
6 -
Proxy policy
6 -
Traffic shaping policy
6 -
Automation
6 -
IPS signature
5 -
Packet capture
5 -
DNS Filter
5 -
FortiCache
5 -
FortiManager v4.0
5 -
trunk
5 -
FortiDeceptor
4 -
FortiDirector
4 -
Web rating
4 -
Intrusion prevention
4 -
Port policy
4 -
Antivirus profile
4 -
FortiPAM
4 -
FortiCarrier
4 -
FortiTester
4 -
3.6
4 -
DLP sensor
4 -
FortiScan
4 -
Fabric connector
3 -
NAC policy
3 -
Multicast routing
3 -
System settings
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
Fortinet Engage Partner Program
3 -
DLP Dictionary
3 -
DLP profile
3 -
FortiDB
3 -
DoS policy
3 -
Email filter profile
3 -
FortiInsight
2 -
Netflow
2 -
Users
2 -
Protocol option
2 -
FortiAI
2 -
Application signature
2 -
FortiHypervisor
2 -
VoIP profile
2 -
Internet Service Database
2 -
Explicit proxy
2 -
4.0MR1
1 -
Multicast policy
1 -
Zone
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
FortiNDR
1 -
TACACS
1 -
Replacement messages
1 -
Schedule
1 -
SDN connector
1 -
FortiManager-VM
1 -
Authentication rule and scheme
1 -
Service
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1062 | |
| 889 | |
| 527 | |
| 441 | |
| 152 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.