Problem and solution when TCP services are interrupted intermittently because fast session backup is enabled on the USG and the incoming and outgoing packets of a connection are forwarded by different USGs (one active, one standby)


In hot standby networking, if the TCP SYN packet of a connection passes through one firewall and the SYN-ACK packet passes through the other one before the session entry created by the SYN has been backed up to it, the SYN-ACK finds no matching session and is discarded as a status error. When the incoming and outgoing paths differ and traffic is heavy, the backup delay therefore interrupts some services intermittently: the connection usually succeeds once the peer retransmits and the entry has arrived, which is why the symptom is intermittent rather than permanent. If this has a severe impact on services, disable the TCP link status check on the firewall. Keep in mind that with the check disabled the firewall also accepts TCP packets that belong to no known session and creates sessions from them, so it no longer enforces TCP state for that traffic; where the network design allows it, making the forward and return paths pass through the same firewall removes the cause instead of the check.

Other related questions:
Why are TCP services interrupted when quick session backup is enabled and the forward and return paths are inconsistent?
When the forward and return paths are inconsistent, session synchronization between the two firewalls may fail or be delayed during traffic bursts, resulting in service delay or interruption. For example, one firewall forwards the TCP SYN packet of a connection while the other receives the TCP ACK packet of the same connection. If the session entry has not yet been synchronized to the second firewall, the ACK packet finds no session and is discarded. If this has a severe impact on services, disable the TCP state check (the link status check referred to above) on the firewall, accepting that the firewall then creates sessions from non-SYN packets as well.
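The following Python model is an added example, not Huawei USG code, written to illustrate the two answers above: the SYN crosses one firewall, the SYN-ACK crosses the other, and the verdict depends on whether the quick session backup has already landed on the second firewall and on whether the TCP state check is enabled. The session states, the "remote" tag on backed-up entries, the backup delay counted in packets and all IP addresses are simplified assumptions chosen for the illustration.

```python
"""Model of two hot-standby firewalls with asymmetric forwarding paths.

Added example, not Huawei USG code. The SYN crosses one firewall, the SYN-ACK
or ACK crosses the other, and the session entry may not be backed up yet.
States, the "remote" tag, the backup delay and all addresses are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Key = Tuple[Tuple[str, int], Tuple[str, int]]

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN-ACK, "A" = ACK

@dataclass
class Session:
    state: str
    remote: bool = False  # True when learned from the peer instead of created locally

def flow_key(pkt: Packet) -> Key:
    # Canonical 4-tuple so both directions of a connection hit the same entry.
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (a, b) if a <= b else (b, a)

class Cluster:
    """Firewalls fw1 and fw2 with quick session backup between them."""

    def __init__(self, sync_delay: int, link_state_check: bool = True):
        self.sync_delay = sync_delay  # packets handled before a backup reaches the peer
        self.link_state_check = link_state_check
        self.tables: Dict[str, Dict[Key, Session]] = {"fw1": {}, "fw2": {}}
        self.queue: List[Tuple[int, str, Key, Session]] = []
        self.tick = 0

    def backup(self, fw: str, key: Key, sess: Session) -> None:
        # Quick session backup: queue a copy tagged "remote" for the peer.
        peer = "fw2" if fw == "fw1" else "fw1"
        self.queue.append((self.tick + self.sync_delay, peer, key, Session(sess.state, remote=True)))

    def deliver(self) -> None:
        # Apply backups whose delay has elapsed. A locally created entry is never
        # replaced by a peer copy; only missing or remote entries are updated.
        pending = []
        for ready_at, fw, key, sess in self.queue:
            if ready_at > self.tick:
                pending.append((ready_at, fw, key, sess))
                continue
            current = self.tables[fw].get(key)
            if current is None or current.remote:
                self.tables[fw][key] = sess
        self.queue = pending

    def handle(self, fw: str, pkt: Packet) -> str:
        """Return firewall fw's verdict for pkt: "forward" or "drop"."""
        self.tick += 1
        self.deliver()
        table = self.tables[fw]
        key = flow_key(pkt)
        sess = table.get(key)
        if sess is None:
            if pkt.flags == "S":
                table[key] = Session("SYN_SENT")  # only a SYN may open a session
                self.backup(fw, key, table[key])
                return "forward"
            if self.link_state_check:
                return "drop"  # non-SYN packet with no session: status error
            # Check disabled: a session is built from a mid-stream packet (weaker state tracking).
            table[key] = Session("ESTABLISHED")
            self.backup(fw, key, table[key])
            return "forward"
        if pkt.flags == "SA" and sess.state == "SYN_SENT":
            sess.state = "SYN_RCVD"
        elif pkt.flags == "A" and sess.state == "SYN_RCVD":
            sess.state = "ESTABLISHED"
        self.backup(fw, key, sess)
        return "forward"

def run_handshake(sync_delay: int, link_state_check: bool = True) -> List[str]:
    """SYN via fw1, SYN-ACK via fw2, ACK via fw1; returns the verdict per packet.
    A dropped SYN-ACK is retransmitted once by the server, as a real TCP stack does."""
    cluster = Cluster(sync_delay, link_state_check)
    syn = Packet("10.1.1.10", 40000, "203.0.113.5", 443, "S")  # constructed addresses
    synack = Packet("203.0.113.5", 443, "10.1.1.10", 40000, "SA")
    ack = Packet("10.1.1.10", 40000, "203.0.113.5", 443, "A")
    verdicts = [cluster.handle("fw1", syn), cluster.handle("fw2", synack)]
    if verdicts[-1] == "drop":
        verdicts.append(cluster.handle("fw2", synack))  # retransmitted SYN-ACK
    verdicts.append(cluster.handle("fw1", ack))
    return verdicts

if __name__ == "__main__":
    print("backup in time, check on  :", run_handshake(0))
    print("backup delayed, check on  :", run_handshake(2))
    print("backup delayed, check off :", run_handshake(2, link_state_check=False))
```

With the backup arriving in time the handshake passes; with the backup delayed the first SYN-ACK is dropped and only the retransmission gets through, which is the intermittent interruption described above; with the state check disabled nothing is dropped, but the second firewall opens a session from a SYN-ACK it never saw a SYN for.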

Problem and solution when active/standby switchover occurs frequently
First check the status of the service interfaces. If a service interface repeatedly goes Down and Up, every flap triggers a hot standby switchover, so the link or the connected device must be fixed first. If the service interfaces are stable, the usual cause is that the two firewalls send heartbeat packets at different intervals, so the firewall with the shorter interval may consider its peer lost before the next heartbeat arrives. Configure the same heartbeat interval on both firewalls.

Problem and solution when active/standby switchover sometimes does not occur although an interface is faulty
Check the HRP priorities on both firewalls. When a monitored interface of the active firewall fails, the active firewall's priority is decreased by 2. If the decreased priority is still higher than or equal to the priority of the standby firewall, no active/standby switchover occurs. For example, if both firewalls are configured with the same priority, one failed interface on the active firewall lowers it below the standby and a switchover follows; if the active firewall was configured with a priority 5 higher than the standby, one failed interface leaves it 3 higher and it stays active. Check that the priorities are configured so that the number of interface failures you expect to tolerate actually produces a switchover.

Problem and solution when sessions on the current active firewall are tagged remote after active/standby switchover
Sessions tagged remote were synchronized from the formerly active firewall rather than created locally. After the switchover these backup entries keep the remote tag until they age out; sessions created on the now-active firewall after the switchover do not carry it. This is normal behavior, not a fault.

Problem and solution when an intranet PC cannot access the server after server active/standby switchover
This case applies only to V100R001. A firewall is deployed between an intranet PC and two servers that work in active/standby mode. A floating IP address on the same network segment as the firewall corresponds to the two servers' physical MAC addresses: after a server switchover the same IP address is announced from the other server's MAC address. In this scenario, ARP spoofing attack defense must not be configured on the firewall, because the changed IP-to-MAC mapping looks like an ARP spoofing attack to the defense function and services are interrupted after the switchover. Run the undo firewall defend arp-spoofing enable command to disable ARP spoofing attack defense; note that the firewall then no longer protects that segment against real ARP spoofing. For details, see "When the server switches over the virtual IP to the slave one, it can't ping".

