Fortinet black logo

New Features

GTP in Asymmetric Routing

Copy Link
Copy Doc ID 761d83e3-4a7b-11e9-94bf-00505692583a:937562
Download PDF

GTP in Asymmetric Routing

FortiOS 6.2.0 improves communication for FortiGates acting as a GPRS Tunneling Protocol (GTP) firewall that is deployed in asymmetric routing environments. Previously in asymmetric routing environments, the GTP-C reply might be processed before the GTP-C request was fully synchronized by FortiGate Session Life Support Protocol (FGSP), which resulted in dropped sessions. With FortiOS 6.2.0, communication is improved by adding a new set gtp-asym-fgsp command in system settings that allows two members in FGSP to synchronize the GTP-C message.

Example

FOC-A-171 and FOC-B-172 are two FGSP members.

SGSN Simulator (10.1.100.60) generates a GTP-C request that is passed through FGT-175 to reach FGSP member FOC-A-171, but the response GTP-C from GGSN Simulator(172.16.200.61) is passed through FGT-176 to reach another FGSP member FOC-B-172. Previously in this asymmetric topology, FOC can't help establish the GTP tunnel between SGSN Simulator and GGSN Simulator.

However with the set gtp-asym-fgsp command, two members in FGSP can synchronize the GTP-C message. In both FOC-A-171 and FOC-B-172, when the set gtp-asym-fgsp command is enabled, the SGSN Simulator can obtain the correct tunnel private IP address(192.168.0.2) and establish the GTP tunnel with GGSN Simulator.

Check on the SGSN simulator:

root@mmsclient:~# sgsnemu -c /root/openggsn-0.84/examples/fgt_sgsnemu.conf &

[1] 5592

root@mmsclient:~# cmdline_parser_configfile

remote: 172.16.200.61

listen: 10.1.100.60

conf: /root/openggsn-0.84/examples/fgt_sgsnemu.conf

debug: 1

imsi: 310150123456789

qos: 0x0b921f

charging: 0x800

apn: internet

msisdn: 6044301297

uid: mig

pwd: hemmelig

pidfile: ./sgsnemu.pid

statedir: ./

contexts: 1

timelimit: 0

createif: 1

ipup: /etc/sgsnemu/ip-up

ipdown: /etc/sgsnemu/ip-down

defaultroute: 1

pingrate: 1

pingsize: 56

pingcount: 0

pingquiet: 0

Using default DNS server

Local IP address is: 10.1.100.60 (10.1.100.60)

Remote IP address is: 172.16.200.61 (172.16.200.61)

IMSI is: 310150123456789 (0xf987654321051013)

Using NSAPI: 0

Using GTP version: 1

Using APN: internet

Using selection mode: 1

Using MSISDN: 6044301297

Initialising GTP library

openggsn[5592]: GTP: gtp_newgsn() started

Setting up interface

Done initialising GTP library

Sending off echo request

Setting up PDP context #0

Waiting for response from ggsn........

idletime.tv_sec 3, idleTime.tv_usec 0

Received echo response

idletime.tv_sec 3, idleTime.tv_usec 0

Received create PDP context response. IP address: 192.168.0.2 <--------NOTE

Check on FOC that the GTP tunnel was established successfully:

FOC-A-171(vdom1) # dia firewall gtp tunnel list

list gtp tunnels

-----------prof=gtpp ref=6 imsi=310150123456789 msisdn=6044301297 mei=unknown ms_addr=192.168.0.2 s11_s4 0-----------

-----------index=00000001 life=2082(sec) idle=41(sec) vd=3 ver=1-----------

c_pkt=4 c_bytes=506 u_pkt=0 u_bytes=0

downlink cfteid:

addr=10.1.100.60 teid=0x00000001 role=control vd=3 intf_type=gn-gp sgsn gtp-c

uplink cfteid:

addr=172.16.200.61 teid=0x00000001 role=control vd=3 intf_type=gn-gp ggsn gtp-c

1/1 bearers:

id=0 linked_id=0 type=regular dead=0 apn=internet selection=ms-provided-apn user_addr=192.168.0.2 u_pkt=0 u_bytes=0

2 fteids:

addr=10.1.100.60 teid=0x00000001 role=data vd=3 intf_type=gn-gp sgsn gtp-u

addr=172.16.200.61 teid=0x00000001 role=data vd=3 intf_type=gn-gp ggsn gtp-u

GTP in Asymmetric Routing

FortiOS 6.2.0 improves communication for FortiGates acting as a GPRS Tunneling Protocol (GTP) firewall that is deployed in asymmetric routing environments. Previously in asymmetric routing environments, the GTP-C reply might be processed before the GTP-C request was fully synchronized by FortiGate Session Life Support Protocol (FGSP), which resulted in dropped sessions. With FortiOS 6.2.0, communication is improved by adding a new set gtp-asym-fgsp command in system settings that allows two members in FGSP to synchronize the GTP-C message.

Example

FOC-A-171 and FOC-B-172 are two FGSP members.

SGSN Simulator (10.1.100.60) generates a GTP-C request that is passed through FGT-175 to reach FGSP member FOC-A-171, but the response GTP-C from GGSN Simulator(172.16.200.61) is passed through FGT-176 to reach another FGSP member FOC-B-172. Previously in this asymmetric topology, FOC can't help establish the GTP tunnel between SGSN Simulator and GGSN Simulator.

However with the set gtp-asym-fgsp command, two members in FGSP can synchronize the GTP-C message. In both FOC-A-171 and FOC-B-172, when the set gtp-asym-fgsp command is enabled, the SGSN Simulator can obtain the correct tunnel private IP address(192.168.0.2) and establish the GTP tunnel with GGSN Simulator.

Check on the SGSN simulator:

root@mmsclient:~# sgsnemu -c /root/openggsn-0.84/examples/fgt_sgsnemu.conf &

[1] 5592

root@mmsclient:~# cmdline_parser_configfile

remote: 172.16.200.61

listen: 10.1.100.60

conf: /root/openggsn-0.84/examples/fgt_sgsnemu.conf

debug: 1

imsi: 310150123456789

qos: 0x0b921f

charging: 0x800

apn: internet

msisdn: 6044301297

uid: mig

pwd: hemmelig

pidfile: ./sgsnemu.pid

statedir: ./

contexts: 1

timelimit: 0

createif: 1

ipup: /etc/sgsnemu/ip-up

ipdown: /etc/sgsnemu/ip-down

defaultroute: 1

pingrate: 1

pingsize: 56

pingcount: 0

pingquiet: 0

Using default DNS server

Local IP address is: 10.1.100.60 (10.1.100.60)

Remote IP address is: 172.16.200.61 (172.16.200.61)

IMSI is: 310150123456789 (0xf987654321051013)

Using NSAPI: 0

Using GTP version: 1

Using APN: internet

Using selection mode: 1

Using MSISDN: 6044301297

Initialising GTP library

openggsn[5592]: GTP: gtp_newgsn() started

Setting up interface

Done initialising GTP library

Sending off echo request

Setting up PDP context #0

Waiting for response from ggsn........

idletime.tv_sec 3, idleTime.tv_usec 0

Received echo response

idletime.tv_sec 3, idleTime.tv_usec 0

Received create PDP context response. IP address: 192.168.0.2 <--------NOTE

Check on FOC that the GTP tunnel was established successfully:

FOC-A-171(vdom1) # dia firewall gtp tunnel list

list gtp tunnels

-----------prof=gtpp ref=6 imsi=310150123456789 msisdn=6044301297 mei=unknown ms_addr=192.168.0.2 s11_s4 0-----------

-----------index=00000001 life=2082(sec) idle=41(sec) vd=3 ver=1-----------

c_pkt=4 c_bytes=506 u_pkt=0 u_bytes=0

downlink cfteid:

addr=10.1.100.60 teid=0x00000001 role=control vd=3 intf_type=gn-gp sgsn gtp-c

uplink cfteid:

addr=172.16.200.61 teid=0x00000001 role=control vd=3 intf_type=gn-gp ggsn gtp-c

1/1 bearers:

id=0 linked_id=0 type=regular dead=0 apn=internet selection=ms-provided-apn user_addr=192.168.0.2 u_pkt=0 u_bytes=0

2 fteids:

addr=10.1.100.60 teid=0x00000001 role=data vd=3 intf_type=gn-gp sgsn gtp-u

addr=172.16.200.61 teid=0x00000001 role=data vd=3 intf_type=gn-gp ggsn gtp-u