FortiGate
ppatel
Staff
Article Id 197467
Description
This article describes an example of a simple TCP 3-way handshake in an HA Active-Active cluster where packet distribution between the Master and Slave FortiGate occurs.

The diagram below illustrates the packet flow between the Client and the Server through 2 FortiGate devices in the cluster:

Detailed sequence:

1) SYN is sent to the Master internal interface, which has the internal virtual MAC address (V_MAC_Inter).
2) SYN is redistributed to the Slave internal interface. The source MAC is (Phy_MAC_inter) and the destination MAC is the Slave internal physical MAC address (Phy_MAC_Inter).
3) SYN is forwarded from the internal interface to the external interface, toward the external switch connected to the Server.
4) SYN/ACK is sent from the Server to the Master external interface.
5) SYN/ACK is redistributed to the Slave: the source MAC address is the Master virtual MAC address (Phy_MAC_external) and the destination MAC address is the Slave external physical MAC (Phy_MAC_Exter).
6) SYN/ACK is forwarded from the Slave external interface to the internal interface, toward the internal switch and the Client.
7) ACK is sent from the Client to the Master internal interface.
8) ACK is redistributed to the Slave.
9) ACK is forwarded from the internal interface to the external interface, toward the external switch and the Server.
10) The TCP 3-way handshake completes.
 
Note.
The Client and the Server do not know about the existence of the Slave FortiGate.
The ARP tables of both devices point to the virtual MAC addresses, internal and external respectively.
In case of failover, FGT2 becomes Master and broadcasts its VMAC address out to Switches 1 and 2, which update their MAC forwarding tables. The ARP entries on both the Client and the Server remain the SAME.
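
When reviewing a capture taken on the two switches, the sequence and note above can be checked mechanically. The following Python sketch is an added example, not part of the original article or Fortinet code. It labels each frame by destination MAC and reports frames that do not fit steps 1 to 9. All MAC values, the frame record format and the names CLUSTER, classify and trace_handshake are constructed assumptions.

```python
# Constructed MAC addresses (not from the article); replace with your cluster's values.
CLUSTER = {
    "internal": {"virtual": "02:00:00:00:0a:01", "slave_phys": "02:00:00:00:0a:22"},
    "external": {"virtual": "02:00:00:00:0b:01", "slave_phys": "02:00:00:00:0b:22"},
}
CLIENT, SERVER = "02:00:00:00:0a:10", "02:00:00:00:0b:10"  # constructed endpoints

def classify(frame):
    """Label one captured frame with its hop in the Active-Active flow."""
    macs = CLUSTER[frame["segment"]]
    if frame["dst"] == macs["virtual"]:
        return "to_master"       # steps 1, 4, 7: endpoints only know the virtual MAC
    if frame["dst"] == macs["slave_phys"]:
        return "redistributed"   # steps 2, 5, 8: Master hands the packet to the Slave
    return "forwarded"           # steps 3, 6, 9: packet leaves toward the endpoint

def trace_handshake(frames):
    """Return (complete, anomalies).

    complete is True when SYN, SYN/ACK and ACK were each seen as
    to_master -> redistributed -> forwarded, in that order. Frames that do
    not match the next expected hop are returned as anomalies.
    """
    expected = [(flags, hop) for flags in ("SYN", "SYN/ACK", "ACK")
                for hop in ("to_master", "redistributed", "forwarded")]
    pos, anomalies = 0, []
    for f in frames:
        seen = (f["flags"], classify(f))
        if pos < len(expected) and seen == expected[pos]:
            pos += 1
        else:
            anomalies.append(seen)
    return pos == len(expected), anomalies

def frame(segment, dst, flags):
    return {"segment": segment, "dst": dst, "flags": flags}

# Constructed capture following the article's steps 1 to 9.
SAMPLE = [
    frame("internal", CLUSTER["internal"]["virtual"], "SYN"),
    frame("internal", CLUSTER["internal"]["slave_phys"], "SYN"),
    frame("external", SERVER, "SYN"),
    frame("external", CLUSTER["external"]["virtual"], "SYN/ACK"),
    frame("external", CLUSTER["external"]["slave_phys"], "SYN/ACK"),
    frame("internal", CLIENT, "SYN/ACK"),
    frame("internal", CLUSTER["internal"]["virtual"], "ACK"),
    frame("internal", CLUSTER["internal"]["slave_phys"], "ACK"),
    frame("external", SERVER, "ACK"),
]
```

An anomaly such as a SYN addressed to the Slave physical MAC with no preceding frame to the virtual MAC is worth a closer look, because the Client and Server should never address the Slave directly.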

Related document.
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/678636/nat-mode-a-a-packet-flow

Scope
All FortiOS
