Administration Guide

Terminated sessions

This section describes session failover for sessions that terminate on the cluster itself, as opposed to sessions that the cluster forwards between two other hosts. Terminated sessions include management sessions, IPsec and SSL VPN tunnels, WAN optimization and similar connections between the cluster and a client or peer.

In general, most sessions terminated by the cluster have to be restarted after a failover. There are some exceptions. For example, the FGCP synchronizes IPsec security associations so that IPsec VPN tunnels survive a failover, and it provides authentication failover (but not session failover) for SSL VPN web mode sessions.

Note

The session pickup setting, which controls synchronization of the session table for sessions passing through the cluster, does not affect session failover for sessions terminated by the cluster. Other cluster settings, such as active-active or active-passive mode, do not affect session failover for terminated sessions either.

Protocol and session failover support:

Administrative or management connections (GUI or CLI access, SNMP, syslog, communication with FortiManager, FortiAnalyzer, and so on)
    Not supported; sessions have to be restarted.

Explicit web proxy, explicit FTP proxy, WCCP, WAN optimization and web caching
    Not supported; sessions have to be restarted. See Explicit web proxy, explicit FTP proxy, WCCP, WAN optimization and Web Caching session failover for more information.

IPsec VPN tunnels terminating at the FortiGate
    Supported. Security associations (SAs) and related IPsec VPN tunnel data are synchronized to cluster members. See IPsec VPN SA sync for more information.

SSL VPN tunnels terminating at the FortiGate
    Partially supported. Sessions are not synchronized and have to be restarted. Authentication failover and cookie failover are supported for SSL VPN web mode sessions; authentication failover is not supported for FortiClient SSL VPN sessions. See SSL VPN session failover and SSL VPN authentication failover for more information.

PPTP and L2TP VPN terminating at the FortiGate
    Not supported; sessions have to be restarted. See PPTP and L2TP VPN sessions for more information.

Explicit web proxy, explicit FTP proxy, WCCP, WAN optimization and Web Caching session failover

Explicit web proxy, explicit FTP proxy, WCCP, WAN optimization and web caching sessions all require the FortiGate to maintain very large amounts of internal state for each session. This state is not synchronized to the other cluster members, so these sessions do not resume after a failover.

Active-passive HA is recommended for WAN optimization. All WAN optimization sessions are processed by the primary unit only; even if the cluster is operating in active-active mode, HA does not load-balance WAN optimization sessions.

Web cache and byte cache databases are stored only on the primary unit and are not synchronized to the other cluster members. After a failover, the new primary unit therefore has to rebuild its web and byte caches; it cannot connect to a SAS partition that the failed primary unit used.

Rebuilding the byte caches can happen relatively quickly because the new primary unit obtains byte cache data from the peer FortiGates at the other ends of its WAN optimization tunnels.

IPsec VPN SA sync

The FGCP synchronizes IPsec SAs between cluster members so that if a failover occurs, the new primary unit can continue IPsec sessions without establishing new SAs. This improves failover behavior in two ways: IPsec sessions are not interrupted while SAs are renegotiated, and the cluster avoids the load of re-establishing a large number of SAs at once, which would itself reduce cluster performance.
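The check a practitioner wants before relying on SA sync is that the subordinate unit actually holds the same SAs as the primary. The script below is an added example, not Fortinet code: it parses the output of `diagnose vpn tunnel list` captured on the primary and on the subordinate unit (reached with `execute ha manage <index> <admin>`) and reports phase 2 selectors whose SAs are missing or differ. The embedded captures are constructed and only approximate the real format, which varies between FortiOS versions; the regular expressions assume the `name=`, `proxyid= ... sa=` and `dec:`/`enc: spi=` fields. The real command also prints SA key material after `key=`, so treat saved captures as sensitive.

```python
"""Compare IPsec SA state across FGCP cluster members before trusting SA sync.

Added example, not Fortinet code. Input is the text of 'diagnose vpn tunnel list'
captured on the primary and on the subordinate unit. The regular expressions
assume the name=, proxyid=...sa= and dec:/enc: spi= fields; adjust them to the
output of your FortiOS version.
"""
import re
from dataclasses import dataclass, field

# Constructed sample captures approximating the real format. Key material that
# the real command prints after 'key=' is replaced with <redacted>.
PRIMARY_OUTPUT = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=to_branch ver=2 serial=1 203.0.113.1:0->198.51.100.1:0 tun_id=198.51.100.1 dst_mtu=1500
proxyid_num=1 child_num=0 refcnt=11 ilast=1 olast=1 ad=/0
proxyid=to_branch proto=0 sa=1 ref=2 serial=1
  dec: spi=c1a2b3d4 esp=aes key=16 <redacted>
  enc: spi=d4c3b2a1 esp=aes key=16 <redacted>
------------------------------------------------------
name=to_dc ver=2 serial=2 203.0.113.1:0->192.0.2.10:0 tun_id=192.0.2.10 dst_mtu=1500
proxyid_num=1 child_num=0 refcnt=9 ilast=0 olast=0 ad=/0
proxyid=to_dc proto=0 sa=1 ref=2 serial=2
  dec: spi=aa110011 esp=aes key=16 <redacted>
  enc: spi=bb220022 esp=aes key=16 <redacted>
"""
# Same cluster, captured on the subordinate: to_dc has no SA there yet.
SUBORDINATE_OUTPUT = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=to_branch ver=2 serial=1 203.0.113.1:0->198.51.100.1:0 tun_id=198.51.100.1 dst_mtu=1500
proxyid_num=1 child_num=0 refcnt=11 ilast=1 olast=1 ad=/0
proxyid=to_branch proto=0 sa=1 ref=2 serial=1
  dec: spi=c1a2b3d4 esp=aes key=16 <redacted>
  enc: spi=d4c3b2a1 esp=aes key=16 <redacted>
------------------------------------------------------
name=to_dc ver=2 serial=2 203.0.113.1:0->192.0.2.10:0 tun_id=192.0.2.10 dst_mtu=1500
proxyid_num=1 child_num=0 refcnt=9 ilast=0 olast=0 ad=/0
proxyid=to_dc proto=0 sa=0 ref=1 serial=2
"""

NAME_RE = re.compile(r"^name=(\S+)")                 # starts a tunnel block
PEER_RE = re.compile(r"(\S+):\d+->(\S+):\d+")        # local:port->remote:port
PROXYID_RE = re.compile(r"^proxyid=(\S+)\s.*\bsa=(\d+)")  # phase 2 selector + SA count
SPI_RE = re.compile(r"^\s*(dec|enc): spi=([0-9a-fA-F]+)")


@dataclass
class Phase2:
    sa_count: int = 0
    dec_spis: set = field(default_factory=set)
    enc_spis: set = field(default_factory=set)


@dataclass
class Tunnel:
    name: str
    peer: str = ""
    phase2: dict = field(default_factory=dict)  # proxyid name -> Phase2


def parse_tunnel_list(text):
    """Build {tunnel name: Tunnel} from one unit's 'diagnose vpn tunnel list' output."""
    tunnels, current, phase2 = {}, None, None
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            peer = PEER_RE.search(line)
            current = Tunnel(m.group(1), peer.group(2) if peer else "")
            tunnels[current.name] = current
            phase2 = None
            continue
        if current is None:
            continue
        m = PROXYID_RE.match(line)  # does not match the 'proxyid_num=' line
        if m:
            phase2 = current.phase2.setdefault(m.group(1), Phase2())
            phase2.sa_count = int(m.group(2))
            continue
        m = SPI_RE.match(line)
        if m and phase2 is not None:
            target = phase2.dec_spis if m.group(1) == "dec" else phase2.enc_spis
            target.add(m.group(2).lower())
    return tunnels


def compare_sa_state(primary, subordinate):
    """List every phase 2 selector whose SAs would not survive a failover."""
    findings = []
    for name, tun in primary.items():
        sub = subordinate.get(name)
        if sub is None:
            findings.append(f"{name}: tunnel not present on subordinate")
            continue
        for pid, p2 in tun.phase2.items():
            if p2.sa_count == 0:
                continue  # down on the primary as well; nothing to synchronize
            s2 = sub.phase2.get(pid)
            if s2 is None or s2.sa_count == 0:
                findings.append(f"{name}/{pid}: no SA on subordinate (primary has {p2.sa_count})")
            elif (p2.dec_spis, p2.enc_spis) != (s2.dec_spis, s2.enc_spis):
                findings.append(f"{name}/{pid}: SPI mismatch, subordinate holds a stale SA")
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: sa_sync_check.py primary.txt subordinate.txt
        prim = parse_tunnel_list(open(sys.argv[1]).read())
        sub = parse_tunnel_list(open(sys.argv[2]).read())
    else:
        prim, sub = parse_tunnel_list(PRIMARY_OUTPUT), parse_tunnel_list(SUBORDINATE_OUTPUT)
    for line in compare_sa_state(prim, sub) or ["all IPsec SAs present on subordinate"]:
        print(line)
```

Run it against two real captures before a planned failover test; a tunnel reported with no SA on the subordinate is one whose peers will have to renegotiate after the switch, which is the symptom this section says SA sync is meant to avoid.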

SSL VPN session failover and SSL VPN authentication failover

Session failover is not supported for SSL VPN tunnels. However, authentication failover is supported for SSL VPN web mode sessions: after a failover, the browser can re-establish its web mode session with the new primary unit without the user having to authenticate again.

Authentication failover is not supported for FortiClient SSL VPN sessions.

All sessions inside the SSL VPN tunnel that were running before the failover are stopped and have to be restarted. For example, file transfers that were in progress have to be restarted, as do any communication sessions with resources behind the FortiGate that were started from the SSL VPN session.

To support SSL VPN cookie failover, when an SSL VPN web mode session starts, the FGCP distributes the cookie that identifies the session to all cluster units, so that whichever unit becomes primary recognizes the session. Because that cookie is what allows the new primary unit to accept the session without re-authentication, it is effectively a bearer credential for the logged-in user; this is one more reason the heartbeat interfaces that carry FGCP synchronization traffic should be kept isolated from user and management networks.
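The behavior above is easy to verify empirically: log in to the web portal, keep only the session cookie, fail the cluster over, and replay the cookie against the new primary unit. The script below is an added example, not Fortinet code. It assumes the portal login form posts to `/remote/logincheck`, that the web mode session is identified by the `SVPNCOOKIE` cookie, and that `/remote/index` serves the portal page to an authenticated browser; verify those against your FortiOS version. The HTTP transport is injectable so the decision logic can be exercised offline with constructed responses.

```python
"""Probe whether an SSL VPN web mode session survives an FGCP failover
without re-authentication. Added example, not Fortinet code.

Assumptions (verify against your FortiOS version): the web portal login form
posts to /remote/logincheck, the authenticated session is identified by the
SVPNCOOKIE cookie, and /remote/index serves the portal page to an
authenticated browser.
"""
import http.cookiejar
import ssl
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass, field

SESSION_COOKIE = "SVPNCOOKIE"      # assumption: cookie identifying the web mode session
LOGIN_PATH = "/remote/logincheck"  # assumption: login form target
PORTAL_PATH = "/remote/index"      # assumption: portal page for authenticated sessions


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)  # lower-cased header names
    body: str = ""
    cookies: dict = field(default_factory=dict)  # cookies the server has set so far


def classify_portal_response(resp):
    """Return 'resumed' if the portal answered for the old cookie, otherwise why not."""
    location = resp.headers.get("location", "")
    if resp.status in (301, 302, 303, 307, 308) and "/remote/login" in location:
        return "reauth_required"  # bounced to the login page: cookie not honoured
    if resp.status == 200 and 'name="credential"' in resp.body:
        return "reauth_required"  # login form served inline (redirect already followed)
    if resp.status == 200:
        return "resumed"  # authentication failover worked for this web mode session
    return f"unexpected:{resp.status}"


def run_probe(base_url, username, password, transport, wait_for_failover):
    """Log in, keep the session cookie, let the operator fail the cluster over,
    then replay the cookie and classify what the new primary unit returns."""
    form = urllib.parse.urlencode(
        {"ajax": 1, "username": username, "realm": "", "credential": password})
    login = transport("POST", base_url + LOGIN_PATH, form, None)
    cookie = login.cookies.get(SESSION_COOKIE)
    if not cookie:
        raise RuntimeError(f"login did not set {SESSION_COOKIE} (status {login.status})")
    wait_for_failover()  # e.g. operator runs 'diagnose sys ha reset-uptime' on the primary
    after = transport("GET", base_url + PORTAL_PATH, None, cookie)
    return classify_portal_response(after)


def urllib_transport(verify_tls=True):
    """Real transport on urllib; returns a callable with the signature run_probe expects."""
    jar = http.cookiejar.CookieJar()
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab portals often present self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(jar), urllib.request.HTTPSHandler(context=ctx))

    def send(method, url, data, cookie):
        req = urllib.request.Request(url, data=data.encode() if data else None, method=method)
        if data:
            req.add_header("Content-Type", "application/x-www-form-urlencoded")
        if cookie:
            req.add_header("Cookie", f"{SESSION_COOKIE}={cookie}")
        try:
            with opener.open(req, timeout=15) as r:
                status, headers, body = r.status, r.headers, r.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as e:
            status, headers, body = e.code, e.headers, e.read().decode("utf-8", "replace")
        return Response(status, {k.lower(): v for k, v in headers.items()},
                        body, {c.name: c.value for c in jar})

    return send


if __name__ == "__main__":
    import getpass
    import sys
    url, user = sys.argv[1], sys.argv[2]  # e.g. https://vpn.example.test:10443 alice
    verdict = run_probe(url, user, getpass.getpass(), urllib_transport(verify_tls=False),
                        lambda: input("Trigger the failover, then press Enter..."))
    print("web mode session after failover:", verdict)
```

Only the web mode session itself is expected to come back as "resumed"; anything that was open inside it (downloads, bookmarks to internal hosts) has to be reopened, as the text above states.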

PPTP and L2TP VPN sessions

PPTP and L2TP VPNs are supported in HA mode. For a cluster you can configure PPTP and L2TP settings and add security policies that allow PPTP and L2TP pass-through traffic. However, the FGCP does not provide session failover for PPTP or L2TP: after a failover, all active PPTP and L2TP sessions are lost and must be restarted.
