Re: Fortigate HA cluster connect with Nexus 9504-Failover session issu

NeilL391 · ‎04-04-2025

Hi guys,

Need some help now. We have one fortigate HA clutser connected with two Nexus 9504 (Topology in attachment), Each fortigate has two Agg-link. We tried to test some traffics like Telnet and FTP session during Failover, the session has to be restarted (session pickup enabled on fortigate),

the test path is shown below:

remote PC>access sw>Nexus sw>router, the firewall HA cluster is passby on core Nexus sw.

After failed test, we changed the topology between Nexus and fortigate HA cluster, but still with the same result, the FTP session and telnet will disconnect during fairover. （For testing we disconnected the Agg-1 on active firewall for failover manually）. The tac from fortinet said he doesn't know how the peer-link and vPort-channel will react to the MAC flap during failover. Would like to ask is there any issue with the topology design? Many thx!!!

M02@rt37 · ‎04-04-2025

Hello @NeilL391

So bad that Fortinet support can't help you further...

Do you have 'session pickup' enable on each FortiGate HA cluster ? This feature allows the secondary unit to maintain session information, facilitating seamless failover for sessions passing through the cluster.

FGT(global)#config system ha
FGT(ha)#set session-pickup enable

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

NeilL391 · ‎04-04-2025

Hi M02@rt37,

We have already enabled the session pickup on both fortigate devices, we checked all the related configurations, now we worried is about the topology issue, we don't know the traffic clearly during the failover happens.

Fortigate HA cluster connect with Nexus 9504-Failover session issue