SD-WAN load balancing breaks sessions

bibnet · ‎11-22-2023

Hi,

we use a FortiGate 7.4.1 with two independent ISP Connections.

With hundreds of Students surfing, our bandwith runs very often into limitations.

To priorize the various traffic i have tried SD-WAN Rules to one or another ISP Line.

If i simply try to spread traffic between the two interfaces by "Best Quality" or "Lowest cost (SLA)" both ways work fine by directing new traffic to the interface with the best SLA.

The problem is, Sessions are interrupted when a switch between the interfaces occours.

I already tried the option "preserve-session-route enable" on our WAN Interfaces but this didn't change anything.

Any help appreciated.

xshkurti · ‎11-22-2023

@bibnet

You can try a couple of settings here.

1. Enable aux sessions

config system settings

set auxillary-session enable

end

2. change firewall policy to not reevaluate sessions after a route change

config system settings

set firewall-session-dirty check-new

end

Please try one of the above, or both of them and test.

Regards,

View solution in original post

xshkurti · ‎11-22-2023

@bibnet

You can try a couple of settings here.

1. Enable aux sessions

config system settings

set auxillary-session enable

end

2. change firewall policy to not reevaluate sessions after a route change

config system settings

set firewall-session-dirty check-new

end

Please try one of the above, or both of them and test.

Regards,

saneeshpv_FTNT · ‎11-22-2023

Hi @bibnet

In addition to what @xshkurti mentioned you need to see is SNAT is performed on the Interface level for each ISP on the FortiGate Firewall or not

If SNAT is in use, session fail over between Internet accesses is possible only if the same “public IP-range” is used to NAT traffic via all ISPs (BGP/dynamic routing peering needed).

https://community.fortinet.com/t5/FortiGate/Technical-Note-Routing-Change-and-Session-Fail-over-with...

Regards,

bibnet · ‎11-22-2023

Hi @saneeshpv_FTNT

sorry for my limited knowledge..
What does SNAT on interface level mean?

Our Firewall is configured in NAT-Mode, on interface level i don't see an NATing option.

Any traffic outbound is NATed in the corresponding Policy.

bibnet · ‎11-22-2023

Thanks for your help.

The first Tipp didn't change anything, but the second one seems to do the job.

Currently the load has dropped for today, but i will observe the situation tomorrow.

xshkurti · ‎11-22-2023

@bibnet
Thanks for the feedback.

If you find this works for you please make that as answer so other community members can find this solution as well.

Regards,

@xshkurti

bibnet · ‎11-29-2023

Under heavy load the switching occours again after implementing Solution 2.

Now i will try it again with both tipps together.

sjoshi · ‎11-22-2023

Hi ibnet,

You can also have a look in below article along with preserve-session-route enable settings

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-SNAT-route-change-to-update-existing...

Salon Raj Joshi

bibnet · ‎11-22-2023

Hi @sjoshi,

thanks for your tipp.

Currently my head is smoking and i try to understand all advices. ;)

The broken sessions were all outbound, none over IPSEC Tunnels between our Branch-Sites.

I don't know if this fits in for my problem.

sw2090 · ‎11-22-2023

interesting. We encounter similar behaviour even in 7.0.x. It had not happened in 6.4.x.

Currently the only workarounds seem to be to not do load balancing at all (i.e. manual device selection) and just use it as fallback, or create an sdwan rule for affected sites that is set to manual device selection for those.

I've already hat tickets open with TAC but up to now there is neither a solution nor a fix for that,

However the thread mentions some options that not even TAC told me about. So I might give those a try.

--

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams