How to use CLI to troubleshoot when sessions are out of sync between HA clusters

This article describes troubleshooting steps for resolving issues where TCP sessions are not synchronized between HA clusters.

Scope

FortiGate.

Solution

First, verify the HA configuration to ensure that TCP sessions are synchronized.

config system ha
set group-id 15
set group-name "FGT-dSN-AH1"
set mode a-p
set sync-packet-balance enable <- Distributes synchronization packet processing across multiple CPUs.
set session-sync-dev "port18" "port25" <- Dedicated session synchronization interfaces; offloading session synchronization to the kernel optimizes it for heavy loads.
set session-pickup enable
set priority 250
set monitor "port33" "port34"
end

Follow this article to understand session-pick-up: Technical Tip: HA session failover (session pickup).

Afterwards, run the following command to verify HA session statistics:

diag sys ha session-sync-dev

To confirm whether the sessions are in sync, run the following command to identify the session list on both firewalls:

di sys session filter proto 6
di sys session list | grep total

If sessions are not in sync, troubleshoot the following items.

To reduce the waiting time for TCP session expiration on the secondary unit, try changing the default session-ttl settings in all VDOMs to 5 minutes (300 seconds).

config system session-ttl
set default 300
end

Verify again from both firewalls whether the sessions are now in sync:

di sys session filter proto 6
di sys session list | grep total

If the session lists still do not match, run the following commands on the secondary node:

di sys session sync reset
execute sync-session

Wait for a few minutes and then verify the session list from both firewalls again.
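As an added example that is not part of this article, the following Python script compares captured "di sys session list" output from both HA members by TCP 5-tuple, so it reports which sessions are missing or stale on the secondary rather than only whether the totals from "grep total" differ. The two captures are constructed here and only approximate FortiOS output; the exact line formats matched (session info, hook=... dir=org, total session) and the IPv4-only addresses are assumptions.

```python
import re

# Constructed captures of "diagnose sys session list" output (TCP filter applied)
# from each HA member. Format approximates FortiOS output; values are made up here.
PRIMARY = """\
session info: proto=6 proto_state=01 duration=11 expire=3589 timeout=3600
hook=post dir=org act=snat 192.168.1.2:51234->203.0.113.5:443(203.0.113.1:51234)
hook=pre dir=reply act=dnat 203.0.113.5:443->203.0.113.1:51234(192.168.1.2:51234)
session info: proto=6 proto_state=01 duration=300 expire=120 timeout=3600
hook=post dir=org act=snat 192.168.1.3:40001->198.51.100.9:22(203.0.113.1:40001)
hook=pre dir=reply act=dnat 198.51.100.9:22->203.0.113.1:40001(192.168.1.3:40001)
total session 2
"""
SECONDARY = """\
session info: proto=6 proto_state=01 duration=11 expire=3589 timeout=3600
hook=post dir=org act=snat 192.168.1.2:51234->203.0.113.5:443(203.0.113.1:51234)
hook=pre dir=reply act=dnat 203.0.113.5:443->203.0.113.1:51234(192.168.1.2:51234)
total session 1
"""

INFO_RE = re.compile(r"^session info: proto=(\d+)\b")        # start of a session block
ORG_RE = re.compile(r"^hook=\S+ dir=org act=\S+ ([\d.]+):(\d+)->([\d.]+):(\d+)")  # IPv4 only
TOTAL_RE = re.compile(r"^total session (\d+)")               # the line "grep total" shows

def parse_sessions(text):
    """Return ({(proto, src, sport, dst, dport), ...}, reported total)."""
    sessions, proto, total = set(), None, None
    for line in text.splitlines():
        if m := INFO_RE.match(line):
            proto = int(m.group(1))
        elif (m := ORG_RE.match(line)) and proto is not None:
            src, sport, dst, dport = m.groups()
            sessions.add((proto, src, int(sport), dst, int(dport)))
            proto = None                      # one origin tuple per session block
        elif m := TOTAL_RE.match(line):
            total = int(m.group(1))
    return sessions, total

def compare_ha_sessions(primary_text, secondary_text):
    """Diff both members' TCP session tables by 5-tuple, not just by total count."""
    prim, prim_total = parse_sessions(primary_text)
    sec, sec_total = parse_sessions(secondary_text)
    return {
        "primary_total": prim_total,
        "secondary_total": sec_total,
        "in_sync": prim == sec,
        "missing_on_secondary": sorted(prim - sec),   # candidates for a sync reset
        "stale_on_secondary": sorted(sec - prim),     # expired on primary, not yet on secondary
    }
```

Paste the real output of both units into the two strings (or read them from files) and call compare_ha_sessions; a non-empty stale list is what a long session-ttl produces on the secondary.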