aabukhshim (Staff)
Article Id 253617
Description This article explains the root cause of an FGSP session synchronization error in which synchronization packets are ignored because they arrive from an unexpected source IP, and provides a solution.
Scope FortiOS.
Solution

Background

 

When FGSP synchronizes sessions over an L3 (routed) link, each FGSP member must configure the IP address of the remote FGSP member as its peerip, as shown below:

 

# config system cluster-sync
    edit 1
        set peerip X.X.X.X   <- X.X.X.X is the IP address of the remote FGSP member.
    next
end

 

If the routing table contains ECMP routes toward the peerip address, the source IP of the FGSP synchronization packet is selected by the routing decision (it is the address of whichever egress interface the ECMP lookup picks), so it may not match the peerip configured on the remote FGSP member. When it does not match, the receiving member ignores the packets.

 

Run the debug command below (debug output must first be enabled with 'diagnose debug enable') to confirm the cause. If this scenario is the cause, the output shows 'Y.Y.Y.Y is not declared', where Y.Y.Y.Y is the source IP selected by the routing decision on the sending member.

 

# diagnose debug application sessionsync -1 

 

Workaround

 

To fix this issue, declare every possible source address as a peerip on the member that reports the undeclared address (check both members, since each one synchronizes its sessions to the other). For example, if the remote FGSP peer has two ECMP routes to the local peerip, add two peerip entries to the cluster-sync configuration, one for the egress interface address of each route:

 

# config system cluster-sync
    edit 1
        set peerip Z.Z.Z.Z   <- The first possible source IP.
    next
    edit 2
        set peerip K.K.K.K   <- The second possible source IP.
    next
end
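The following Python script is an added example, not part of this article or of FortiOS. It models the background and workaround above: for every ECMP route a member has toward its peer, the local address of that route's egress interface is a possible source IP of the sync packet, and the receiving member rejects any source that is not declared as a peerip. The routing entries, addresses and the Route data class are constructed sample data for illustration; the script derives the set of undeclared sources (the addresses that would appear as 'is not declared' in the debug output) and renders the cluster-sync entries the receiving member needs.

```python
"""Model of the FGSP peerip check: which source IPs a member may use toward its
peer under ECMP, which of them the peer would reject, and the config to fix it.
All routes and addresses below are constructed sample data (not from the article).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Route:
    """One routing-table entry (hypothetical model of a FortiOS route)."""
    prefix: IPv4Network
    next_hop: IPv4Address
    egress_ip: IPv4Address   # local address on the route's egress interface


def candidate_source_ips(routes, peer_ip):
    """Local addresses the routing decision may pick as the sync packet source.

    Longest-prefix match selects the route(s); with ECMP every route sharing the
    longest prefix length is a candidate, so each of their egress addresses may
    be used depending on the ECMP hash.
    """
    matching = [r for r in routes if peer_ip in r.prefix]
    if not matching:
        return set()
    best = max(r.prefix.prefixlen for r in matching)
    return {r.egress_ip for r in matching if r.prefix.prefixlen == best}


def undeclared_sources(routes, peer_ip, remote_declared):
    """Source addresses the remote member would ignore ('... is not declared')."""
    return candidate_source_ips(routes, peer_ip) - set(remote_declared)


def render_cluster_sync(peerips):
    """Render the cluster-sync table the receiving member needs: one edit per
    possible source address of the sending member."""
    lines = ["config system cluster-sync"]
    for idx, ip in enumerate(sorted(peerips), start=1):
        lines += [f"    edit {idx}", f"        set peerip {ip}", "    next"]
    lines.append("end")
    return "\n".join(lines)


# Constructed sample: member A reaches member B (10.0.0.2) over two equal-cost
# paths, so its sync packets are sourced from 10.1.1.1 or 10.2.2.1 depending on
# the ECMP decision. The default route is present but is not the longest match.
ROUTES_A = [
    Route(IPv4Network("10.0.0.0/24"), IPv4Address("10.1.1.254"), IPv4Address("10.1.1.1")),
    Route(IPv4Network("10.0.0.0/24"), IPv4Address("10.2.2.254"), IPv4Address("10.2.2.1")),
    Route(IPv4Network("0.0.0.0/0"), IPv4Address("192.0.2.1"), IPv4Address("192.0.2.10")),
]
PEER_B = IPv4Address("10.0.0.2")
B_DECLARED = [IPv4Address("10.1.1.1")]   # B declares only A's first address as peerip

if __name__ == "__main__":
    missing = undeclared_sources(ROUTES_A, PEER_B, B_DECLARED)
    print("sources that B would ignore:", sorted(map(str, missing)))
    print("cluster-sync config B needs:")
    print(render_cluster_sync(candidate_source_ips(ROUTES_A, PEER_B)))
```

In this sample, B declares only 10.1.1.1, so half of A's sync packets (those hashed onto the 10.2.2.x path) arrive from 10.2.2.1 and are dropped; the rendered config adds a second peerip entry for that address, which is the workaround the article describes.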