Hello,
When we have a break in the internet link to ISP1, all traffic is switched to ISP2. When the internet connection for ISP1 comes back, some sessions stay on ISP2. We must clear the sessions on the FortiGate (SIP connections don't work).
What can we do to clear the session table when the network changes?
Hi Jan,
This is normal behavior. It would generally be undesirable to break a session just because another route became available. If it's SIP like you mentioned, any phone calls in progress would be dropped when you clear the sessions.
However, I have run into this as well where I want our SIP connections to consistently go out one ISP unless that one is not available. The problem is that ISP performs maintenance frequently and I would find that my connection had failed over to my other ISP the next day. My solution was to pick a time after their maintenance but before business hours and run a scheduled script to clear any of my SIP connections on the wrong ISP interface. This would run daily, and if no connections had failed over there would be nothing to clear, but if something had it would clear it and reconnect on the "right" ISP.
This won't do *exactly* what you want, because I don't think you can schedule the script based on an event like that, but you could run the script more frequently if you wanted it to catch the issue sooner. I just wouldn't recommend it because of it breaking active calls.
config system auto-script
    edit "clearSIPsessionsToISP1"
        set interval 86400    <-- 24 hours in seconds
        set repeat 0
        set start auto
        set script "diagnose sys session filter clear
diagnose sys session filter src x.x.x.x    <-- IP redacted, but this is my voice gateway that initiates all SIP connections. You might be able to use a filter based on destination port for SIP (5060) to catch all connections
diagnose sys session filter dint wan1    <-- the interface where the "wrong" ISP is connected
diagnose sys session clear"
    next
end
- Daniel Hamilton
Thank you, Daniel
But I have FortiGate OS version 4, and the auto-script function is unavailable.
I guess no chance of upgrading due to hardware? Looks like auto-script was added in 5.4
5.4 and 5.6 have some amazing features if you can get to them...
If you have some way to script an SSH session to connect and run those commands you could still do it I think, but otherwise I think you're out of luck.
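For the FortiOS 4 case, where the commands have to be pushed over a scripted SSH session as suggested above, here is an added Python example (not from the thread or from Fortinet). It assumes the paramiko library for SSH, constructed values for the voice gateway and the "wrong" interface, and a dry-run mode for checking the command sequence before anything is sent.

```python
import ipaddress
import re
import time

_IFACE_RE = re.compile(r"^[A-Za-z0-9_.-]{1,15}$")


def build_clear_commands(src_ip: str, wrong_iface: str) -> list:
    """Return the session-clear sequence from the thread, restricted to
    sessions from src_ip that egress via wrong_iface. Inputs are validated
    so a malformed value never reaches the FortiGate CLI."""
    ip = ipaddress.ip_address(src_ip)  # raises ValueError on a bad address
    if not _IFACE_RE.match(wrong_iface):
        raise ValueError("invalid interface name: %r" % wrong_iface)
    return [
        "diagnose sys session filter clear",               # start from an empty filter
        "diagnose sys session filter src %s" % ip,         # only the voice gateway
        "diagnose sys session filter dint %s" % wrong_iface,  # only the wrong ISP
        "diagnose sys session clear",                      # drops only matching sessions
    ]


def run_over_ssh(host: str, user: str, password: str, commands: list,
                 dry_run: bool = False) -> str:
    """Send the commands on one interactive SSH shell, line by line, as you
    would type them. paramiko is an assumed third-party dependency; with
    dry_run=True the script text is returned and nothing is sent."""
    script = "\n".join(commands) + "\n"
    if dry_run:
        return script
    import paramiko  # imported lazily so build_clear_commands needs no extra package
    client = paramiko.SSHClient()
    client.load_system_host_keys()
    # Refuse unknown host keys: an admin credential that can drop every
    # matching session should not be offered to an unverified device.
    client.set_missing_host_key_policy(paramiko.RejectPolicy())
    client.connect(host, username=user, password=password, timeout=15)
    try:
        shell = client.invoke_shell()
        shell.send(script + "exit\n")
        time.sleep(2)  # give the CLI a moment to answer before reading
        return shell.recv(65535).decode(errors="replace")
    finally:
        client.close()


if __name__ == "__main__":
    # Constructed values: 192.0.2.10 as the voice gateway, wan1 as the wrong ISP.
    print(run_over_ssh("192.0.2.1", "admin", "", build_clear_commands("192.0.2.10", "wan1"), dry_run=True))
```

Schedule it with cron outside business hours, as the thread recommends, since clearing matching sessions drops any call in progress.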
Copyright 2024 Fortinet, Inc. All Rights Reserved.