FortiGate-6000 Handbook

Inter-cluster session synchronization

FortiGate-6000 supports inter-cluster session synchronization among up to four FortiGate-6000 FGCP clusters. Inter-cluster session synchronization uses FGSP to synchronize sessions between the FGCP clusters. All of the FortiGate-6000s must be the same hardware model.

Enter the following command to enable inter-cluster session synchronization on each FortiGate-6000 FGCP cluster:

config system ha
    set inter-cluster-session-sync enable
end

Once you enable inter-cluster session synchronization, all FGSP configuration options are available on each FGCP cluster and you can set up session sync instances to synchronize sessions between the FGCP clusters in the same way as for standalone FortiGates.

FortiGate-6000 inter-cluster session synchronization uses the mgmt3 interface for session synchronization between FGCP clusters. When inter-cluster session synchronization is enabled, the mgmt3 interface cannot be used for any other purpose. The mgmt3 interface of every FGCP cluster must have an IP address, and the mgmt3 interfaces must be able to reach each other. Because the FortiGate-6000 currently supports only one interface for session synchronization, redundant session synchronization is not currently supported. You cannot use the ha1 and ha2 interfaces for inter-cluster session synchronization because they are already used for FGCP HA between the FortiGate-6000s in each FGCP cluster.

Inter-cluster session synchronization can use a lot of bandwidth if the clusters are busy. More bandwidth and lower latency for communication between the mgmt3 interfaces can improve session synchronization performance.

Inter-cluster session synchronization synchronizes sessions between the primary FortiGate-6000s of each cluster. FGCP HA then synchronizes those sessions from the primary to the other FortiGate-6000 within each FGCP cluster.

For more information about FortiOS inter-cluster session synchronization, see FGSP between FGCP clusters.

FortiGate-6000 inter-cluster session synchronization has the following limitations:

  • Inter-cluster session synchronization is available only for the FortiGate-6000 (not the FortiGate-7000).
  • The FGCP clusters cannot be configured for virtual clustering.
  • NAT between mgmt3 interfaces is not supported.
  • Standalone configuration synchronization between the FGCP clusters is not supported.
  • Only the mgmt3 interface can be used to synchronize sessions between clusters.
  • Inter-cluster session synchronization does not support IPv6 session filters configured with the config session-sync-filter option.
  • When ICMP load balancing is set to to-master, ICMP sessions are not installed on the DP processor. In an inter-cluster session synchronization configuration with an asymmetric topology, synchronized ICMP traffic is dropped if the two clusters have selected different primary FPCs. To avoid this traffic loss, set dp-load-distribution-method to src-ip, dst-ip, or src-dst-ip.
  • Asymmetric IPv6 SCTP traffic sessions are not supported. These sessions are dropped.
  • FGSP IPsec tunnel synchronization is not supported.
  • Session synchronization packets cannot be fragmented, so the network path between the mgmt3 interfaces must support the mgmt3 interface MTU end to end.
  • Jumbo frames on the mgmt3 interface are not supported.
  • Configuring HA override on the FGCP clusters is not recommended, because it increases the number of failovers and therefore the amount of session synchronization traffic.
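The procedure above (enabling inter-cluster session synchronization, addressing mgmt3 and defining an FGSP session-sync instance) applied to one of two FGCP clusters, together with the settings the limitations list calls for, as an added example that is not taken from the handbook or from Fortinet's own configuration. Hostnames, IP addresses, data-interface names, the VDOM name and the use of a single IPv4 interface filter are assumptions made for illustration; the config system cluster-sync syntax is the FortiOS 6.x form, and the exact commands can differ in your release, so confirm them against the CLI reference for your firmware.

```fortios
# Cluster A. Enter on the primary FortiGate-6000 of the FGCP cluster; FGCP
# copies the configuration to the other FortiGate-6000 in the cluster.
# Assumed addressing: cluster A mgmt3 = 10.10.3.1, cluster B mgmt3 = 10.10.3.2.

# 1. Address mgmt3. Once inter-cluster sync is enabled it carries nothing else.
#    Leave the MTU at the default (no mtu-override, no jumbo frames): sync
#    packets cannot be fragmented, so the path must carry this MTU end to end.
config system interface
    edit "mgmt3"
        set ip 10.10.3.1 255.255.255.0
        set allowaccess ping
    next
end

# 2. Enable inter-cluster session synchronization on the FGCP cluster and
#    select what FGSP picks up. Override stays disabled to avoid needless
#    failovers and the sync traffic they generate.
config system ha
    set inter-cluster-session-sync enable
    set override disable
    set session-pickup enable
    set session-pickup-connectionless enable
    set session-pickup-nat enable
end

# 3. Use address-based DP load distribution rather than to-master so ICMP
#    sessions are installed on the DP processor and survive asymmetric paths.
config load-balance setting
    set dp-load-distribution-method src-dst-ip
end

# 4. FGSP session-sync instance pointing at cluster B's mgmt3 address.
#    IPv4 interface filter only; IPv6 session-sync-filter entries are not
#    supported for inter-cluster synchronization. "port5"/"port6" are assumed
#    data interfaces.
config system cluster-sync
    edit 1
        set peerip 10.10.3.2
        set syncvd "root"
        set peervd "root"
        config session-sync-filter
            set srcintf "port5"
            set dstintf "port6"
        end
    next
end

# Cluster B is the mirror image: mgmt3 gets 10.10.3.1's peer address
# (set ip 10.10.3.2 255.255.255.0) and the cluster-sync entry uses
# set peerip 10.10.3.1, with the same ha and load-balance settings.

# Checks (run on the primary of either cluster):
# execute ping-options source 10.10.3.1
# execute ping 10.10.3.2            <- mgmt3 reachability, no NAT in between
# diagnose sys session sync         <- FGSP peer state and sync counters
# get system ha status              <- confirm one primary per FGCP cluster
```

Apply the same mgmt3 addressing, ha, load-balance and cluster-sync configuration on every cluster that takes part (up to four), each cluster's entries naming the mgmt3 addresses of its peers; the rest of the cluster's FGCP configuration is untouched by these steps.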
