FortiGate-6000 Handbook

Load balancing TCP, UDP, and ICMP sessions with fragmented packets

If your FortiGate-6000 receives fragmented TCP, UDP, or ICMP packets, use the following command to make sure the Internal Switch Fabric (ISF) handles them correctly.

config load-balance setting
    set sw-load-distribution-method src-dst-ip
end

If sw-load-distribution-method is set to src-dst-ip-sport-dport, fragmented packets may be dropped, because non-header fragments carry no port numbers for the hash and so cannot be placed on the same path as their header fragment.

When the DP3 processor receives a header fragment packet, if a matching session is found, the DP3 processor creates an additional fragment session matching the source-ip, destination-ip, and IP identifier (IPID) of the header fragment packet. Subsequent non-header fragments will match this fragment session and be forwarded to the same FPC as the header fragment.

You can use the following configuration to enable or disable this method of handling TCP, UDP, and ICMP sessions with fragmented packets.

config load-balance setting
    set dp-fragment-session enable
end

If you disable dp-fragment-session, handling fragmented packets is less efficient because the DP3 processor broadcasts all non-header fragmented TCP, UDP, or ICMP packets to all FPCs. FPCs that also received the header fragments of these packets re-assemble the packets correctly. FPCs that did not receive the header fragments discard the non-header fragments.

The maximum age of a fragment session (how long it is kept before it is removed) can be controlled using the following command:

config system global
    set dp-fragment-timer <timer>
end

The default <timer> value is 120 seconds. The range is 1 to 65535 seconds.
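The following simulation is an added example and is not FortiOS code; it models the behaviour this section describes so the effect of each setting can be seen side by side: the ISF hash under the two sw-load-distribution-method values, the DP3 fragment session keyed on source IP, destination IP and IPID, the broadcast fallback when dp-fragment-session is disabled, fragment-session aging under dp-fragment-timer, and the FPC rule that only a card holding the header fragment reassembles. The chassis size, flow, IPID and timings are constructed values.

```python
"""Simulation of the fragment handling this page describes. Added example,
not FortiOS code: it models the ISF hash (sw-load-distribution-method),
the DP3 fragment session keyed on src-ip, dst-ip and IPID, the broadcast
fallback when dp-fragment-session is disabled, fragment-session aging
(dp-fragment-timer), and the FPC rule that only a card holding the header
fragment can reassemble. Chassis size and flows are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import zlib

NUM_FPCS = 4  # constructed chassis size


@dataclass
class Packet:
    src: str
    dst: str
    ipid: int                    # IP identification, shared by all fragments
    frag_offset: int             # 0 = header fragment (carries the L4 header)
    sport: Optional[int] = None  # ports are present only in the header fragment
    dport: Optional[int] = None

    @property
    def is_header(self) -> bool:
        return self.frag_offset == 0


def _hash(*fields) -> int:
    return zlib.crc32("|".join(map(str, fields)).encode())


def isf_hash(pkt: Packet, method: str) -> Optional[int]:
    """Model the ISF distribution hash. Under the port-based method a
    non-header fragment has no ports to hash, so it cannot be placed on the
    same path as its header fragment; the page says it may be dropped (None)."""
    if method == "src-dst-ip":
        return _hash(pkt.src, pkt.dst) % NUM_FPCS
    if method == "src-dst-ip-sport-dport":
        if pkt.sport is None or pkt.dport is None:
            return None
        return _hash(pkt.src, pkt.dst, pkt.sport, pkt.dport) % NUM_FPCS
    raise ValueError(f"unknown method {method}")


class DP3:
    """Model of the DP3 session lookup for fragmented packets."""

    def __init__(self, dp_fragment_session: bool = True, dp_fragment_timer: int = 120):
        self.dp_fragment_session = dp_fragment_session
        self.dp_fragment_timer = dp_fragment_timer  # seconds, default 120
        self.sessions: Dict[Tuple, int] = {}                   # (src, dst, sport, dport) -> FPC
        self.frag_sessions: Dict[Tuple, Tuple[int, int]] = {}  # (src, dst, ipid) -> (FPC, expiry)

    def add_session(self, src: str, dst: str, sport: int, dport: int, fpc: int) -> None:
        self.sessions[(src, dst, sport, dport)] = fpc

    def forward(self, pkt: Packet, now: int = 0) -> List[int]:
        """Return the FPCs the packet is forwarded to at time `now` (seconds)."""
        # Age out fragment sessions older than dp-fragment-timer.
        self.frag_sessions = {k: v for k, v in self.frag_sessions.items() if v[1] > now}
        if pkt.is_header:
            fpc = self.sessions.get((pkt.src, pkt.dst, pkt.sport, pkt.dport))
            if fpc is None:
                return []  # new-flow session setup is not modelled here (assumption)
            if self.dp_fragment_session:
                # Matching session found: create the fragment session on (src, dst, IPID).
                self.frag_sessions[(pkt.src, pkt.dst, pkt.ipid)] = (fpc, now + self.dp_fragment_timer)
            return [fpc]
        if self.dp_fragment_session:
            entry = self.frag_sessions.get((pkt.src, pkt.dst, pkt.ipid))
            if entry is not None:
                return [entry[0]]  # same FPC as the header fragment
        # Feature disabled (or fragment session aged out): broadcast to every FPC.
        return list(range(NUM_FPCS))


def fpc_reassembles(fpc: int, deliveries: List[Tuple[Packet, List[int]]]) -> bool:
    """An FPC reassembles only if it received the header fragment; otherwise it
    discards the non-header fragments it was sent."""
    got_header = any(p.is_header and fpc in dests for p, dests in deliveries)
    got_body = any(not p.is_header and fpc in dests for p, dests in deliveries)
    return got_header and got_body


def make_fragments() -> List[Packet]:
    """Constructed 3-fragment UDP datagram (offsets in 8-byte units)."""
    return [Packet("10.0.0.1", "10.0.0.2", 0x1234, 0, 40000, 53),
            Packet("10.0.0.1", "10.0.0.2", 0x1234, 185),
            Packet("10.0.0.1", "10.0.0.2", 0x1234, 370)]


def simulate(enabled: bool, t_header: int = 0, t_body: int = 10) -> List[List[int]]:
    """Forward the constructed datagram; the existing session lives on FPC 2."""
    dp = DP3(dp_fragment_session=enabled)
    dp.add_session("10.0.0.1", "10.0.0.2", 40000, 53, fpc=2)
    frags = make_fragments()
    return [dp.forward(frags[0], t_header)] + [dp.forward(f, t_body) for f in frags[1:]]


if __name__ == "__main__":
    print("dp-fragment-session enable :", simulate(True))
    print("dp-fragment-session disable:", simulate(False))
    print("enable, body after timer   :", simulate(True, 0, 200))
```

Running the block shows the non-header fragments reaching only FPC 2 when dp-fragment-session is enabled, every FPC when it is disabled, and every FPC again when the body fragments arrive after the 120-second default dp-fragment-timer has aged the fragment session out; in the broadcast cases only FPC 2, which holds the header fragment, reassembles the datagram.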