IKE monitor for FGSP
Split-brain situations occur when session synchronization is down between two FGSP peers. This matters if IKE fails over from one unit to the other: the tunnel becomes invalid because the IKE session and primary/secondary role are out of sync, and ESP anti-replay detection drops the traffic. In split-brain situations, the IKE monitor provides a mechanism to maintain the integrity of the state tables and the primary/secondary roles for each VPN gateway. It continues to provide fault tolerance by keeping track of the timestamp of the latest received traffic, and it uses the ESP sequence number jump ahead value to preserve the sequence number per gateway. Once the link is up again, the cluster resolves the roles and synchronizes the session and IKE data. During this process, if IKE fails over from one unit to the other, the tunnel remains valid and traffic continues to flow.
Note: The IKE monitor only works with two peers in FGSP.
To configure the IKE monitor:
config system cluster-sync
    edit <id>
        set peerip <address>
        set ike-monitor {enable | disable}
        set ike-monitor-interval <integer>
        set ike-heartbeat-interval <integer>
        set ike-seqjump-speed <integer>
    next
end

ike-monitor {enable | disable}
    Enable/disable the IKE HA monitor (default = disable).

ike-monitor-interval <integer>
    Set the monitoring interval that determines how fast the cluster members detect split-brain mode, in seconds (10 - 300, default = 15).

ike-heartbeat-interval <integer>
    Set the interval at which each gateway sends its heartbeat message to the other peer, in seconds (1 - 60, default = 3).

ike-seqjump-speed <integer>
    Set the ESP jump ahead factor, in packets per second equivalent (1 - 10, default = 10). A value of 10 is the factor for a 10G interface.
Example
In this example, FortiGate A and FortiGate B are FGSP peers with port3 as the session synchronization link. The FortiGates act as IPsec dial-up servers and PCs on the 10.1.100.0 subnet are the IPsec dial-up clients. Router A acts as the external load balancer for IKE sessions between the FortiGates. Dynamic routing OSPF is configured for the FortiGates and routers.
When PC2 and other clients form IPsec dial-up tunnels to the FGSP peers, these tunnels terminate on either FortiGate A or FortiGate B, not both. For each tunnel, one FortiGate is the primary and the other is the secondary.
When the session synchronization link goes down, the FGSP split-brain scenario occurs. Without the IKE monitor mechanism, the IKE and ESP information becomes out of sync between the two FortiGates: the secondary FortiGate for a tunnel no longer receives updates about that tunnel's status. If a failover then sends tunnel traffic to the secondary FortiGate, the tunnel is invalidated because the secondary's state tables for that session are out of sync.
With the IKE monitor enabled, when a split-brain scenario occurs each unit starts periodically monitoring traffic flows and managing the sequence number jump ahead on standby units. The combination of timers and ESP sequence number jump ahead lets the units maintain the integrity of the shared SA runtime state table, including the ESP anti-replay sequence numbers.
Once the session synchronization link is up, the FGSP peers synchronize the state tables and resume regular operations.
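The following is an added illustration, not FortiOS code, of the anti-replay problem the jump ahead solves. It models an RFC 4303 style sliding anti-replay window on the receiving side and a standby gateway whose last synchronized outbound sequence number is stale. On failover the standby either reuses its stale counter (dropped as a replay) or jumps ahead by elapsed time times an assumed packet rate. The names `AntiReplayWindow`, `standby_next_seq` and `failover`, and the traffic rates, are constructed for this example; the page does not document how FortiOS derives the jump from `ike-seqjump-speed`, so the rate here is a plain parameter.

```python
WINDOW = 64  # anti-replay window width in packets (constructed; RFC 4303 minimum is 32)


class AntiReplayWindow:
    """Inbound ESP anti-replay check, RFC 4303 section 3.4.3 style sliding window.

    Bit 0 of `bitmap` corresponds to `top` (the highest sequence number seen);
    bit k corresponds to sequence number top - k.
    """

    def __init__(self, width=WINDOW):
        self.width = width
        self.top = 0
        self.bitmap = 0

    def accept(self, seq):
        """Return True and record `seq` if it is new and inside the window."""
        if seq == 0:                       # sequence number 0 is never valid on the wire
            return False
        if seq > self.top:                 # newer than anything seen: slide the window right
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.width else 1
            self.bitmap &= (1 << self.width) - 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.width:             # older than the window: drop
            return False
        if (self.bitmap >> diff) & 1:      # already received: replay, drop
            return False
        self.bitmap |= 1 << diff
        return True


def standby_next_seq(synced_seq, elapsed_s, rate_pps):
    """Outbound sequence number a standby uses after failover (assumed model).

    `synced_seq` is the last value learned from the primary before the sync
    link dropped.  The standby advances by the packets the primary could have
    sent since then.  Overshooting is safe (the receiver's window just moves
    forward); undershooting lands inside or left of the window and is dropped.
    """
    return synced_seq + int(elapsed_s * rate_pps) + 1


def failover(synced_seq, primary_extra, elapsed_s, rate_pps, jump_ahead):
    """Simulate a split-brain failover.

    The primary sends `primary_extra` packets after the last sync, then the
    standby takes over and sends one packet.  Returns (seq_used, accepted).
    """
    window = AntiReplayWindow()
    for seq in range(1, synced_seq + primary_extra + 1):   # traffic before failover
        assert window.accept(seq)
    if jump_ahead:
        seq = standby_next_seq(synced_seq, elapsed_s, rate_pps)
    else:
        seq = synced_seq + 1                                # stale counter from last sync
    return seq, window.accept(seq)


if __name__ == "__main__":
    # Constructed scenario: last sync at seq 1000, then 10 s of traffic at ~500 pps
    # on the primary while the standby assumes a conservative 600 pps.
    print("stale counter:", failover(1000, 5000, 10.0, 600, jump_ahead=False))  # (1001, False)
    print("jump ahead   :", failover(1000, 5000, 10.0, 600, jump_ahead=True))   # (7001, True)
    print("jump too small:", failover(1000, 5000, 10.0, 100, jump_ahead=True))  # (2001, False)
```

The third case shows why the jump factor must be sized for the link (the page ties a value of 10 to a 10G interface): an estimate below the real packet rate leaves the standby behind the receiver's window and its first packets are still dropped as replays, while an estimate above it costs nothing but sequence number space.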
To configure the IKE monitor:
config system cluster-sync
    edit 1
        set peerip 10.10.10.2
        set ike-monitor enable
        set ike-monitor-interval 12
        set ike-heartbeat-interval 2
        set ike-seqjump-speed 2
    next
end