- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- HA Session Pickup for BGP TCP 179
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HA Session Pickup for BGP TCP 179
hi,
i'm doing a failover test on FG 401F in HA with iBGP peer to two upstream router.
i noticed iBGP peers bounced when failover to secondary. i already had 'session pickup' enabled in HA setting.
the link below mentioned most TCP but none specific for BGP.
is there other setting needed to enable/configure so that BGP peering will remain up and don't tear down whenever there's an HA failover?
Thanks,
John
John
Thanks,John
Labels:
- Labels:
-
FortiGate
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Johnlloyd,
1) If the override is disabled on Fortigate Running in HA A-P mode, after the active FGT reboots and comes up, it will remain as current secondary, and traffic will be handled by the new active FGT.
2) A secondary FGT will take 1.2 seconds to understand that the primary FGT has failed. FortiGates assume the other FortiGate has failed if they don't receive a heartbeat packet from a cluster unit for six times 200 = 1200 milliseconds (1.2 seconds).
3) There is no synchronization of UDP and ICMP sessions by default. UDP and ICMP sessions will be down, so you can enable failover of UDP and ICMP sessions, kindly use the following command.
#config system ha
#set session-pickup-connectionless enable
#end
http://docs.fortinet.com/document/fortigate/6.0.0/handbook/595772/tcp-udp-icmp-and-multicast-session...
4) Since BGP daemon works only on master unit, the BGP peering sessions (port 179) will need to be re-established on slave unit after failover, while ICMP sessions will remain active on both new master and old slave until the peering is re-established on the new master.
5) fter failover all BGP routes (get router info routing-table bgp) will be removed on the old master and will be re-established once BGP peering is re-stablished again on the new master unit.
6) IPsec sessions with port 500 exist only on Master, after failover this session will be seen on both the new master and old slave unit until the BGP peering session (port 179) is established on new master unit, once the BGP
session is re-established on new master unit, the IPsec session with port 500 will be disappeared on old slave unit.
7) In order to minimize the route learning time, you can configure the following:
BGP: set the keep alive xx + holdtime timer xx
HA : config: set route-ttl 200
Enabling the "graceful restart" in the Spoke and HUB
8) For better detection of fallover, we can configure Llink monitors in HA.
9) In all collaboration, we can achieve a very quick failover, and the only time it takes for the slave to become a master is when the traffic is being affected.
REF: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Controlling-how-HA-synchronizes-routing-ta...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-FortiGate-HA-and-BGP-graceful-...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-HA-link-failed-signal-and-switch...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPSec-VPN-in-HA-Environment/ta-p/195849
https://community.fortinet.com/t5/FortiGate/Technical-Tip-HA-session-failover-session-pickup/ta-p/19...
Regards,
Vishal
Vishal
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi,
understood for BGP need to re-establish during failover.
seem FG doesn't retain S2S ipsec VPN not unlike the cisco ASA which is retained during failover.
Thanks,
John
John
Thanks,John
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think most of static ones won't drop. We have hundreds of them on clusters and a swap over sometimes happens without anybody noticing.
Toshi
Related Posts
- Oracle sessions randomly hanging behind fortigate 107 Views
- After upgrade to authenticator 6.5.4 issues... 78 Views
- FortiAuth Error - Accessing guest portal... 117 Views
- FortiClient Azure SSO VPN issues 126 Views
- Routing Issue on FortiGate 7.2.8 289 Views
Labels
-
FortiGate
6,535 -
FortiClient
1,304 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
Firewall policy
23 -
FortiConnect
23 -
FortiWAN
22 -
FortiConverter
21 -
VLAN
20 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.