| Description | This article explains a possible root cause of FGSP's (FortiGate Session Life Support Protocol) asymmetric traffic drop due to session sync latency. |
| Scope | FortiOS. |
| Solution |
Background:
- With FGSP asymmetric traffic, including cases where the TCP 3-way handshake is split between two FGSP members. For example, if FGT-A receives TCP-SYC from the internal Network and the TCP-SYC-ACK arrives at FGT-B before the session from FGT-A is synchronized to FGT-B, FGT-B will drop by default.
- The cause of this issue is that the sessions are not synchronized fast enough due to session link/route latency.
Troubleshooting:
- Sniffer, debug flow, and session list with filters to confirm the issue. - Important FGSP session state: Session creation, the FGSP member who receives the first packet will create the session and after the session is synchronized to the other FGSP member the first FGSP member will include a synced flag in the session state, and the other FGSP member will show syn_ses flag in the session state. - Debug flow: On the debug flow, if the session is not synchronized or not synchronized fast enough, it will display msg="no session matched" in the debug flow.
Solution: - It is highly recommended that FGSP links are fast and reliable. Still, if it is not possible, it is possible to make the affected traffic symmetric or configure FortiGate to allow TCP traffic even if the first packet TCP-SYC is not seen by using the below command in the matching policy.
# config firewall policy end
- Note: it is important to note that enabling TCP sessions without SYN on a firewall can also introduce security risks. Thus, this technique should only be used when it is necessary. |
