FGSP session synchronization between different FortiGate models or firmware versions
FGSP HA deployments are generally meant for interoperating between FortiGates with the same model and firmware version. However, situations may arise where individual members or FGCP clusters running over FGSP use different models or firmware versions. For example, to avoid downtime while upgrading the members, some FGSP members or clusters may be upgraded first and then re-join the FGSP peers after a successful upgrade. Or while performing maintenance, sessions may need to be offloaded to a temporary member or FGCP cluster of a different model.
Being able to perform FGSP session synchronization between members of different models or firmware versions is helpful to transition the traffic smoothly and causes minimal disruptions. This topic outlines requirements to be aware of before assessing whether FGSP session synchronization may work between members with different models or firmware versions.
Different FortiGate models
The general guideline is to only use FortiGate models in a similar tier and family. Vastly different models have different performance and capabilities, which may not be compatible. The goal is for two models to have similar capabilities so that data structures used in session synchronization will match, and are capable of delivering similar performance.
When considering FGSP session synchronization between two FortiGates, ensure that:
-
The FortiGates use the same 32-bit kernel or 64-bit kernel.
-
The FortiGates use the same type of CPU (such as ARM or x86).
-
For network interfaces:
-
The same type of physical interface should be used on each member.
-
The physical interfaces should be capable of the same speeds.
-
-
The device memory should be similar in size. If the FortiGates have vastly different memory sizes, their performance may be different if one device supports more sessions than the other.
-
The configurations related to session tables should match. For example, the logical names used in firewall policies, IPsec interface names, VDOM names, firewall policy tables, and so on.
Virtual clusters and asymmetric routing are not supported. |
Different firmware versions
When operating in FGSP, the firmware needs to have compatible data structures and session synchronization packet headers. The firmware is generally able to handle different data structures between old and new FortiOS sessions. Session synchronization packets are typically the same between versions.
Note the following exceptions and guidelines when assessing FGSP session synchronization compatibility between different firmware versions:
- FortiOS 7.0.2 added support for widening the HA virtual MAC address range. This change updated the session synchronization packet header structure.
- FortiGates running 7.0.2 or later, and FortiGates running 7.0.1 or earlier will not accept session synchronization packets from each other.
- If the traffic uses a new feature only available in a newer FortiOS version, it may not work when synchronized to an older FortiOS version.
- For example, PFCP (Packet Forwarding Control Protocol) support was added in 7.0.1, and a PFCP profile name was added to the sessions. When the sessions are synchronized to an older firmware version, the PFCP profile name will be lost and the sessions will not be able to handle the traffic as they would in 7.0.1.
- FortiOS 7.0.8 added
group-id
into the protocol header. This means that FortiGates running 7.0.8 and later cannot perform session synchronization with FortiGates running 7.0.7 or earlier.
To identify that session-sync is failing due to the receiver not being able to recognize a packet that it receives:
-
Run the following CLI command:
# diagnose sys session sync sync_ctx: sync_started=1, sync_tcp=1, sync_others=1, sync_expectation=1, sync_nat=1, stdalone_sesync=1. sync: create=323:0, update=84662, delete=0:0, query=960 recv: create=39544:0, update=133665, delete=0:0, query=38775 ses pkts: send=248714, alloc_fail=0, recv=751196, recv_err=1 sz_err=0 udp pkts: send=8, recv=85 nCfg_sess_sync_num=5, mtu=1500, ipsec_tun_sync=0 sync_filter:
-
Check if the
recv_err
counter continues to increase.
Session synchronization interfaces
Session synchronization between FGSP members uses an L3 connection over the peer IP by default.
Session synchronization between FGSP members uses an L2 connection when a session synchronization interface (session-sync-dev
) is used. The synchronization process is also offloaded to the kernel.
FGSP is also compatible with FortiGate VRRP. |