We have two FGCP clusters and FGSP between them. The FGCP clusters are geographically spaced and the RTT between them is around 40-50 ms. Session sync is configured over an L3 link between the FGCP clusters.
We have configured session pickup (also expectation and connectionless).
1st FGCP cluster:
config system ha
    set group-name "cluster 01"
    set mode a-p
    set session-pickup enable
    set session-pickup-connectionless enable
    set session-pickup-expectation enable
    set ha-mgmt-status enable
    set override disable
end

config system standalone-cluster
    set standalone-group-id 1
    set group-member-id 1
    config cluster-peer
        edit 1
            set peerip x.x.x.x
        next
    end
end

2nd FGCP cluster:

config system ha
    set group-name "cluster 02"
    set mode a-p
    set session-pickup enable
    set session-pickup-connectionless enable
    set session-pickup-expectation enable
    set ha-mgmt-status enable
    set override disable
end

config system standalone-cluster
    set standalone-group-id 1
    set group-member-id 2
    config cluster-peer
        edit 1
            set peerip y.y.y.y
        next
    end
end
When traffic is symmetrical we have no problem. Symmetrical traffic means that traffic goes out from and comes back to the same FGCP cluster (for example the 1st FGSP cluster).
But when traffic is asymmetrical we have a problem: using ICMP as an example, we lose the first one or two packets. Using TCP we have long connection times, for example to SMTP services. Using UDP, for example, a DNS server sometimes has timeout errors. Asymmetrical traffic means that traffic goes out from one FGCP cluster and comes back to another FGCP cluster (for example goes out from the 1st FGSP cluster and comes back to the 2nd FGSP cluster). So, we have this problem with both TCP and UDP.
For now we have the following investigation results:
1) This problem is not related to traffic inspection and is observed with both types of rules: with traffic inspection and without traffic inspection.
2) We don't observe this problem when traffic just goes through the FGCP clusters without NAT.
3) We don't observe this problem when traffic is symmetrical.
4) Session synchronization occurs instantly with the first packet on one of the FGCP clusters.
So, I suppose the problem is with NAT. But actually, how can I debug this? Maybe some tuning options exist? Has someone encountered such a problem?
For now I have done a traffic dump on the path from the host to the internet through one FGCP cluster and of the return traffic from the internet to the host through another FGCP cluster.
I've seen the packet go out from one site: FGCP cluster > border routers
and come back to another site: border routers > another FGCP cluster. I have seen the packet in debug flow in the other FGCP cluster. I don't know where I should dig further (maybe the returning packet is silently dropped by the FortiGate, but I can't find a debug for this situation).
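To make the two-site dumps described above easier to compare, here is a small correlation script. It is an added example, not code from the original post or from Fortinet: it assumes sniffer lines in a shape similar to "diagnose sniffer packet" output with a site label (A or B) prepended, and all addresses, ports and timestamps below are constructed (documentation ranges), not from the poster's network.

```python
import re
from collections import defaultdict

# Constructed capture lines, one per packet, in the form:
#   <site> <time> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <info>
# "out" = post-NAT packet leaving toward the internet, "in" = return packet.
CAPTURE = """\
A 0.000001 port1 out 203.0.113.10.40000 -> 198.51.100.5.53: udp 40
B 0.020001 port1 in 198.51.100.5.53 -> 203.0.113.10.40000: udp 120
A 1.000001 port1 out 203.0.113.10.40001 -> 198.51.100.7.25: syn 12345
B 1.040001 port1 in 198.51.100.7.25 -> 203.0.113.10.40001: syn 777 ack 12346
A 4.000002 port1 out 203.0.113.10.40001 -> 198.51.100.7.25: syn 12345
B 4.040001 port1 in 198.51.100.7.25 -> 203.0.113.10.40001: syn 777 ack 12346
A 2.000001 port1 out 203.0.113.10.40002 -> 198.51.100.9.443: syn 555
A 2.030001 port1 in 198.51.100.9.443 -> 203.0.113.10.40002: syn 888 ack 556
"""

LINE_RE = re.compile(
    r"^(\S+) (\S+) (\S+) (in|out) "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) -> (\d+\.\d+\.\d+\.\d+)\.(\d+):", re.M)


def summarize(text):
    """Group packets by NAT 5-tuple (nat_ip, nat_port, dst_ip, dst_port).

    Return packets are keyed on their destination so both directions of a
    session share one key; per key we track which site saw each direction
    and how many packets were seen."""
    flows = defaultdict(lambda: {"out_sites": set(), "in_sites": set(),
                                 "out": 0, "in": 0})
    for m in LINE_RE.finditer(text):
        site, _ts, _iface, direction, src, sport, dst, dport = m.groups()
        if direction == "out":
            key = (src, int(sport), dst, int(dport))
        else:
            key = (dst, int(dport), src, int(sport))
        flows[key][direction] += 1
        flows[key][direction + "_sites"].add(site)
    return flows


def asymmetric_flows(text):
    """Flows whose return traffic arrived at a site other than the egress site."""
    return sorted(k for k, f in summarize(text).items()
                  if f["in_sites"] and f["in_sites"] != f["out_sites"])


def retransmitting_flows(text):
    """Flows where the client sent the same request more than once: a reply
    that was seen arriving but never reached the host points at a drop."""
    return sorted(k for k, f in summarize(text).items() if f["out"] > 1)
```

Flows reported by both functions are the ones to chase with debug flow on the returning cluster, since the reply was captured arriving there but the client still retried.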