Disabling stateful SCTP inspection

There is an option in FortiOS to disable stateful SCTP inspection. This option is useful when FortiGates are deployed in a high availability (HA) cluster that uses the FortiGate Clustering Protocol (FGCP) and virtual clustering in a multihoming topology. In this configuration, the primary stream control transmission protocol (SCTP) path traverses the primary FortiGate node by using its active VDOM (for example, VDOM1), and the backup SCTP path traverses the other passive FortiGate node by using its active VDOM (for example, VDOM2).

When stateful SCTP inspection is enabled, SCTP heartbeat traffic over the backup path fails, because the primary path goes through a different platform and VDOM. Since there is no state sharing between VDOMs, the passive FortiGate is unaware of the original SCTP session and drops the heartbeats because there is no associated session. When stateful SCTP inspection is disabled, the passive node permits the SCTP heartbeats to pass.

When set to enable, SCTP session creation without SCTP INIT is enabled. When set to disable, SCTP session creation without SCTP INIT is disabled (this is the default setting):

config system settings
  set sctp-session-without-init {enable | disable}
end

The following is an example topology and scenario:

In this example, FGT_A and FGT_B are in HA active-passive (a-p) mode with two virtual clusters, so the two primary devices are on different FortiGate units. PC1 eth1 can access PC5 eth1 through VDOM1, and PC1 eth2 can access PC5 eth2 through VDOM2.

On PC5, to listen for an SCTP connection:

sctp_darn -H 172.16.200.55 -B 172.17.200.55 -P 2500 -l

On PC1, to start an SCTP connection:

sctp_darn -H 10.1.100.11 -B 20.1.100.11 -P 2600 -c 172.16.200.55 -c 172.17.200.55 -p 2500 -s

An SCTP four-way handshake is on one VDOM, and a session is created on that VDOM. With the default configuration, there is no session on any other VDOM, and the heartbeat on another path (another VDOM) is dropped. After enabling sctp-session-without-init, the other VDOM creates the session when it receives the heartbeat, and the heartbeat is forwarded:

config system settings
  set sctp-session-without-init enable
end
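The following is an added illustration of the behaviour described above, not FortiOS code: a simplified model of per-VDOM stateful SCTP inspection in which each VDOM keeps its own session table, an INIT chunk creates a session, and a HEARTBEAT on a VDOM that never saw the INIT is dropped unless sctp-session-without-init is enabled. The packet builder and the session key are assumptions for the model (real inspection also checks verification tags and both directions), and the ports and addresses are the ones from the scenario.

```python
import struct

# SCTP chunk types used here (RFC 4960)
CHUNK_INIT = 1
CHUNK_HEARTBEAT = 4

def build_sctp(src_port, dst_port, vtag, chunk_type):
    """Constructed minimal SCTP datagram (12-byte common header + one empty chunk); checksum left zero."""
    header = struct.pack("!HHII", src_port, dst_port, vtag, 0)
    chunk = struct.pack("!BBH", chunk_type, 0, 4)  # type, flags, length (header only)
    return header + chunk

def chunk_types(packet):
    """Return ((src_port, dst_port), [chunk types]) by walking the chunk list."""
    src, dst, _vtag, _csum = struct.unpack("!HHII", packet[:12])
    types, off = [], 12
    while off + 4 <= len(packet):
        ctype, _flags, length = struct.unpack("!BBH", packet[off:off + 4])
        types.append(ctype)
        off += (length + 3) & ~3  # chunks are padded to a 4-byte boundary
    return (src, dst), types

class Vdom:
    """One VDOM with its own session table; no state is shared with other VDOMs."""
    def __init__(self, session_without_init=False):
        self.session_without_init = session_without_init
        self.sessions = set()

    def inspect(self, src_ip, dst_ip, packet):
        (sport, dport), types = chunk_types(packet)
        key = (src_ip, dst_ip, sport, dport)
        if CHUNK_INIT in types:
            self.sessions.add(key)  # the four-way handshake creates the session
            return "forward"
        if key in self.sessions:
            return "forward"
        if CHUNK_HEARTBEAT in types and self.session_without_init:
            self.sessions.add(key)  # sctp-session-without-init: the heartbeat creates it
            return "forward"
        return "drop"  # stateful inspection: no session, so the packet is discarded

def run_scenario(session_without_init):
    """INIT goes via VDOM1 (primary path); only a HEARTBEAT reaches VDOM2 (backup path)."""
    vdom1 = Vdom(session_without_init)
    vdom2 = Vdom(session_without_init)
    init = build_sctp(2600, 2500, 0, CHUNK_INIT)
    heartbeat = build_sctp(2600, 2500, 0x1234, CHUNK_HEARTBEAT)
    primary = vdom1.inspect("10.1.100.11", "172.16.200.55", init)
    backup = vdom2.inspect("20.1.100.11", "172.17.200.55", heartbeat)
    return primary, backup
```

With the setting enabled, VDOM2 admits the heartbeat without ever having validated a handshake for that association, which is the trade-off the option makes.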