Why are TCP services interrupted when quick session backup is enabled and the forward and return paths are inconsistent?


When the forward and return paths are inconsistent, session synchronization may fail or be delayed during traffic bursts, resulting in service delay or interruption. For example, one firewall forwards TCP SYN packets, and the other forwards TCP ACK packets. If the session table is not synchronized, ACK packets may be discarded.
If this condition has a severe impact on services, disable stateful inspection on the firewall.
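The following toy model is an added example, not vendor code or device configuration. It replays one TCP handshake across two hot-standby firewalls, with the SYN on one path and the SYN-ACK on the other, and shows how the backup delay decides whether the return packet is discarded. The firewall names, addresses, and millisecond timings are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Firewall:
    name: str
    stateful: bool = True                      # stateful inspection on/off
    sessions: set = field(default_factory=set)

    def forward(self, flow, flag):
        """Return True if the packet is forwarded, False if discarded."""
        if flag != "SYN" and self.stateful and flow not in self.sessions:
            return False                       # no session for a non-SYN packet
        self.sessions.add(flow)                # SYN creates a half-open session
        return True

def simulate(sync_delay_ms, stateful=True):
    """Replay one TCP handshake over asymmetric paths (constructed timings).
    sync_delay_ms: delay before a new session appears on the peer firewall."""
    fw_a, fw_b = Firewall("FW-A", stateful), Firewall("FW-B", stateful)
    flow = ("10.0.0.5", 40000, "203.0.113.10", 443)   # constructed sample flow
    # (arrival time in ms, firewall on that path, TCP flag)
    packets = [(0, fw_a, "SYN"), (2, fw_b, "SYN-ACK"), (4, fw_a, "ACK")]
    in_flight = []                             # (due time, peer firewall)
    results = []
    for t, fw, flag in packets:
        for due, peer in in_flight:            # deliver backups that are due
            if due <= t:
                peer.sessions.add(flow)
        in_flight = [(d, p) for d, p in in_flight if d > t]
        known = flow in fw.sessions
        ok = fw.forward(flow, flag)
        results.append((flag, fw.name, "forwarded" if ok else "discarded"))
        if not ok:
            break                              # handshake stalls here
        if not known:                          # new session: back it up to the peer
            in_flight.append((t + sync_delay_ms, fw_b if fw is fw_a else fw_a))
    return results

if __name__ == "__main__":
    for label, kwargs in [("backup in time", {"sync_delay_ms": 1}),
                          ("backup delayed", {"sync_delay_ms": 10}),
                          ("delayed, inspection off", {"sync_delay_ms": 10, "stateful": False})]:
        print(label, simulate(**kwargs))
```

In the third case the packets pass only because the firewall no longer checks them against a session, which is the trade-off behind disabling stateful inspection.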

Other related questions:
Problem and solution when TCP services are interrupted intermittently while fast backup is enabled on the USG and incoming and outgoing packets are forwarded by the active and standby USGs
If the TCP SYN packet passes through one firewall in hot standby networking and the SYN-ACK packet passes through the other, but the session table is not yet backed up, the packet is discarded due to a status error. When the incoming and outgoing packet paths are different and the traffic is relatively heavy, certain services may be interrupted intermittently due to backup delay. If this has a severe impact on services, disable link status check.

What are the differences between automatic session backup and quick session backup?
The differences between quick session backup and automatic session backup are as follows:

  • In quick session backup, sessions are synchronized to the standby firewall immediately after being set up. In automatic session backup, only sessions that require backup and are detected by the session aging thread are synchronized to the standby firewall.
  • The quick session backup function can back up half-open TCP sessions and sessions to the firewall. If the forward and return paths are different, enable quick session backup to ensure that the sessions on the two firewalls are the same.

Problem and solution when the forward and reverse paths of sessions are inconsistent on the USG2000 and USG5000
Configure sticky load balancing on the device.

Why does a client not initiate a TCP connection?
A client initiates a TCP connection only after it receives a Hello message from the peer end and, based on the transport address carried in the Hello message, determines that it is the destination client. If the client does not initiate a TCP connection, check whether the Hello message is received and check the transport address in the received Hello message.

Which Users May Require CTS?

Users who need to perform the following operations may require CTS:

  • Security analysis
  • Fault locating
  • Tracking of resource changes
