Synchronizing sessions between FGCP clusters
FortiGate-6000 supports using FGSP to synchronize sessions among up to four FortiGate-6000 FGCP clusters. All of the FortiGate-6000s must be the same hardware model.
FGSP between FGCP clusters synchronizes sessions between the primary FortiGate-6000s in each cluster. FGCP HA then handles session synchronization between FortiGate-6000s in each FGCP cluster.
For details about FGSP between FGCP clusters, see: Synchronizing sessions between FGCP clusters.
You can use data interfaces or data interface LAGs as FGSP session synchronization interfaces. The HA1 and HA2 interfaces are used for FGCP HA heartbeat between the FortiGate-6000s in each FGCP cluster.
FortiGate-6000 synchronizing sessions between FGCP clusters has the following limitations:
- The FGCP clusters cannot be configured for virtual clustering.
- NAT between the session synchronization interfaces is not supported.
- Standalone configuration synchronization between the FCGP clusters is not supported.
- Inter-cluster session synchronization doesn't support setting up IPv6 session filters using the
config session-sync-filter
option. - When ICMP load balancing is set to
to-primary
, ICMP packets are not installed on the DP processor. In an FGSP between FGCP session synchronization configuration with an asymmetry topology, synchronized ICMP packets will be dropped if the clusters have selected a different primary FPC. To avoid this possible traffic loss, setdp-icmp-distribution-method
tosrc-ip
,dst-ip
, orsrc-dst-ip
. - Asymmetric IPv6 SCTP traffic sessions are not supported. These sessions are dropped.
-
FGSP IPsec tunnel synchronization is not supported.
- Session synchronization packets cannot be fragmented. So the MTU for the session synchronization interface should be supported by the network.
- To reduce the number of failovers and the amount of session synchronization traffic, configuring HA override on the FGCP clusters is not recommended.