When the dynamic route changes, sessions are kept on the wrong interface.
We have version 6.4.5 installed on our FWG100F.
I have configured dynamic routing through BGP and use a performance SLA to our data center over two paths (optical fibre and IPsec tunnel).
When the fibre (main) goes down, the secondary route (IPsec tunnel) comes up correctly, but when the main line recovers, the firewall keeps the old sessions going out through the wrong interface (standby) and they do not work correctly.
While researching, I read that this can be solved for NAT connections by enabling "snat-route-change", but in our case the sessions are not NATed, being internal communication. We have tested it and it works, but obviously we can't use it since it is internal communication and we always need to be able to see the origin of the communications.
Does anyone know what could be going on? I've read that others don't have the same problem with IPsec sessions and performance SLA without NAT.
I have a similar issue to yours: in my scenario I have a fibre as primary line and IPsec as backup, and both establish a BGP peer to advertise routes.
During failover some sessions will go down; here are some debug outputs. Common reasons are RPF check failure and no active session on the FortiGate (FG 200F, v7.2.1).
And I found this tcp-session-without-syn option in the policy; I think it may work well. I have tested it several times. Not sure if this is an elegant solution; I'm waiting for my local support to respond, just putting it here ahead of time.
Thanks, but in my environment I don't have any NAT config since our network is a flat fabric: 2 sites connected by the fibre leased line or IPsec, and all traffic is L3 routing without NAT.
So the problem I face here is that when BGP goes down, all sessions break and my users can feel it (which is not great for me).
And hi @aionescu, I tried this preserve-session-route option as well, but it doesn't help me. From debug flow I can see the complaints "RPF fail" and "no session".
The RPF failure, I think, is because the two sides' BGP convergence times are not equal, and for "no session" TAC told me it is because traffic arrived before the routing change, so the session was not "dirty" at that time and the FGT marked this traffic "no session".
I don't know if I'm right, but I enabled TCP session without SYN and it looks good now.
I'm assuming both sides are advertising/learning the same routes to/from the other end on both circuits with eBGP. Then I would set the local preference on the primary-learned routes higher than on the secondary ones. Then when the primary BGP comes back up, the primary routes would almost instantaneously take over from the backup ones.
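The four FortiOS knobs mentioned across this thread (snat-route-change in the original question, tcp-session-without-syn and preserve-session-route in the replies, and the local-preference approach in the last answer) shown as CLI fragments, as an added example from the editor rather than configuration posted by anyone in the thread. Interface names, the peer address, the policy ID and the preference value are placeholders; the fragments assume a single VDOM and an eBGP peering per circuit as the last answer describes.

```fortios
# Added example (editor's, not from the thread). All names, addresses,
# policy IDs and preference values below are placeholders.

# 1. Prefer routes learned from the fibre BGP neighbour (the last answer's
#    approach): an inbound route-map raises LOCAL_PREF above the default of
#    100, so when the fibre peering returns its routes win immediately
#    and the IPsec-learned copies drop back to standby.
config router route-map
    edit "LP-FIBRE-IN"
        config rule
            edit 1
                set set-local-preference 200
            next
        end
    next
end
config router bgp
    config neighbor
        # placeholder: the fibre-side peer address
        edit "203.0.113.1"
            set route-map-in "LP-FIBRE-IN"
        next
    end
end

# 2. preserve-session-route (tried in the thread without success): per
#    interface, keeps the existing session's route when the routing table
#    changes instead of re-evaluating it. No NAT is required.
config system interface
    # placeholder: the fibre-facing interface
    edit "port1"
        set preserve-session-route enable
    next
end

# 3. snat-route-change: on a route change, only sessions with source NAT
#    are re-routed, which is why the original poster cannot use it for
#    un-NATed internal traffic without also hiding the real source.
config system global
    set snat-route-change enable
end

# 4. tcp-session-without-syn (the workaround the second poster settled
#    on): enable it for the VDOM first, then select it on the specific
#    site-to-site policy rather than globally.
config system settings
    set tcp-session-without-syn enable
end
config firewall policy
    # placeholder: the policy carrying the site-to-site traffic
    edit 10
        set tcp-session-without-syn all
    next
end
```

Of the four, only option 1 fixes the cause (which route is best once the primary returns); options 2 to 4 change how the FortiGate treats sessions that already exist when the route flips. Option 4 also removes the SYN check on that policy, so the firewall will build a session for a mid-stream TCP packet whose handshake it never saw; scope it to the one policy that needs it and keep logging on it so the loss of that stateful check is visible.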