Why are the session tables on the active and standby firewalls different


Check the status of the heartbeat link. If the heartbeat link fails, the sessions on the active firewall cannot be synchronized to the standby firewall.

If the automatic session backup function is disabled, the sessions on the two firewalls are different. Even when the automatic session backup function is enabled, sessions are not synchronized in real time: a session is synchronized to the standby firewall only after the session aging thread detects that it needs to be synchronized. Therefore, an established session appears on the standby firewall only after a delay (about 10 seconds).

The firewalls do not back up sessions of the following types even when the automatic session backup function is enabled:
- Sessions to the firewall itself
- Half-open TCP connections
- Sessions in which the first packet is a UDP packet and subsequent packets are not (such as BitTorrent packets)
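One way to turn the rules above into a check, as an added example that is neither Huawei's code nor from this page: it parses two captured session tables, drops the entries the page says are never or not yet synchronized (sessions to the firewall, half-open TCP, sessions younger than the sync delay), and reports the remaining active sessions that are missing on the standby. The line format, the state and age fields and the firewall addresses are constructed assumptions; real display firewall session table output differs, so the pattern must be adapted to your version.

```python
import re
from collections import namedtuple

SYNC_LAG_SECONDS = 10  # the page: established sessions reach the standby after about 10 s
FIREWALL_ADDRESSES = {"10.1.1.1", "10.2.2.1"}  # constructed: the firewall's own interface addresses

# state (assumed field): ESTABLISHED or a half-open TCP state such as SYN_SENT
# age (assumed field): seconds since the session was created
# remote: the entry carries the "remote" marker, i.e. it was synchronized from the peer
Session = namedtuple("Session", "proto src dst state age remote")

# Constructed, simplified line format; adapt the pattern to the real output of your firewall.
LINE = re.compile(r"^(?P<proto>\w+)\s+(?P<src>[\d.]+:\d+)\s*-->\s*(?P<dst>[\d.]+:\d+)\s+"
                  r"state:(?P<state>\S+)\s+age:(?P<age>\d+)(?P<remote>\s+remote)?$")

def parse_table(text):
    """Parse captured session-table output into a set of Session records."""
    sessions = set()
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            sessions.add(Session(m["proto"], m["src"], m["dst"], m["state"], int(m["age"]), bool(m["remote"])))
    return sessions

def expected_on_standby(s):
    """The page's rules: sessions failing these checks are legitimately absent from the standby."""
    if s.dst.rsplit(":", 1)[0] in FIREWALL_ADDRESSES:  # sessions to the firewall itself
        return False
    if s.proto == "tcp" and s.state != "ESTABLISHED":  # half-open TCP connections
        return False
    return s.age >= SYNC_LAG_SECONDS  # younger sessions may not have been picked up yet

def missing_on_standby(active_text, standby_text):
    """Return (proto, src, dst) of active sessions that should be on the standby but are not."""
    standby_keys = {s[:3] for s in parse_table(standby_text)}
    return sorted(s[:3] for s in parse_table(active_text)
                  if expected_on_standby(s) and s[:3] not in standby_keys)

# Constructed sample captures, not real firewall output
ACTIVE_TABLE = """\
tcp  10.1.1.10:40000 --> 10.2.2.20:80    state:ESTABLISHED age:45
tcp  10.1.1.11:40001 --> 10.2.2.21:443   state:SYN_SENT    age:30
tcp  10.1.1.12:40002 --> 10.1.1.1:22     state:ESTABLISHED age:90
udp  10.1.1.13:5000  --> 10.2.2.22:53    state:-           age:3
tcp  10.1.1.14:40003 --> 10.2.2.23:8080  state:ESTABLISHED age:120
"""
STANDBY_TABLE = """\
tcp  10.1.1.14:40003 --> 10.2.2.23:8080  state:ESTABLISHED age:120 remote
"""
```

With the constructed captures, only the first active session is reported; the other differences are explained by the page's rules. A non-empty result that persists beyond the sync delay is the cue to check the heartbeat link and the automatic session backup setting.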

Other related questions:
Why are the sessions of the current active firewall marked with remote after active/standby switchover
The sessions marked with remote are synchronized from the original active firewall. After active/standby switchover, the synchronized sessions are still marked with remote until the sessions age out.

Why are commands executed on the active firewall not synchronized to the standby firewall
If you disable the automatic configuration synchronization function, the configurations are not synchronized. In addition, not all commands can be synchronized. For example, interface and routing configurations cannot be synchronized. For the commands that can be synchronized, see Specifications.

Session table query on a firewall
You can query the session table on the web UI and CLI. For the USG6000 series, on the web UI, choose Monitor > Session Table to query the session table and NAT detailed information. For the USG2000&5000 series, on the web UI, choose Firewall > Monitor > Session Table to query the session table. For the USG2000&5000 and USG6000 series, you can run the display firewall session table command to view the session table, or run the display firewall session table nat command to view the NAT session table.

Why does the log server receive NAT session logs from both the active and standby firewalls
If the log configuration is synchronized to the standby firewall, the standby firewall also sends logs to the log server. You can perform the following steps to negate the log configuration on the standby firewall:
1. Run the undo hrp auto-sync config command to disable the automatic configuration synchronization function.
2. Negate the log server configuration.
3. Run the hrp auto-sync config command to enable the automatic configuration synchronization function again. This ensures that subsequent configurations can be automatically synchronized to the standby firewall.

Why are the same configuration items arranged in different orders in the configuration files on the active and standby firewalls
The fault usually results from inconsistent initial configurations of the two firewalls. You need to delete the configuration items in different orders and reconfigure them. You are advised to configure hot standby based on the default settings.
