knet4
New Contributor

Session table and 2 ISP

Hello,

 

When our internet connection to ISP1 breaks, all traffic is switched to ISP2. When the internet connection for ISP1 comes back, some sessions stay on ISP2. We must clear the sessions on the FortiGate (SIP connections don't work).

What can we do to clear the session table when changing the network?

lobstercreed
Valued Contributor

Hi Jan,

 

This is normal behavior.  It would generally be undesirable to break a session just because another route became available.  If it's SIP like you mentioned, any phone calls in progress would be dropped when you clear the sessions.

 

However, I have run into this as well where I want our SIP connections to consistently go out one ISP unless that one is not available.  The problem is that ISP performs maintenance frequently and I would find that my connection had failed over to my other ISP the next day.  My solution was to pick a time after their maintenance but before business hours and run a scheduled script to clear any of my SIP connections on the wrong ISP interface.  This would run daily, and if no connections had failed over there would be nothing to clear, but if something had it would clear it and reconnect on the "right" ISP.

 

This won't do *exactly* what you want, because I don't think you can schedule the script based on an event like that, but you could run the script more frequently if you wanted it to catch the issue sooner.  I just wouldn't recommend it because of it breaking active calls.

 

config system auto-script
    edit "clearSIPsessionsToISP1"
        set interval 86400          <-- 24 hours in seconds
        set repeat 0
        set start auto
        set script "diagnose sys session filter clear
diagnose sys session filter src x.x.x.x    <-- IP redacted, but this is my voice gateway that initiates all SIP connections.  You might be able to use a filter based on destination port for SIP (5060) to catch all connections
diagnose sys session filter dint wan1     <-- the interface where the "wrong" ISP is connected
diagnose sys session clear"
    next
end

 

- Daniel Hamilton

 

knet4

Thank you, Daniel

 

But I have FortiGate OS version 4, and the auto-script function is unavailable.

lobstercreed
Valued Contributor

I guess no chance of upgrading due to hardware?  Looks like auto-script was added in 5.4

 

5.4 and 5.6 have some amazing features if you can get to them...

 

If you have some way to script an SSH session to connect and run those commands you could still do it I think, but otherwise I think you're out of luck.  
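
The SSH approach suggested in the last reply could look like the script below; it is an added example, not code from the thread. The host, account, gateway IP and interface are placeholders, and it assumes the FortiGate accepts CLI commands on SSH standard input with key-based login. It refuses to send anything when a filter value is invalid, because `diagnose sys session clear` with an empty filter clears every session on the unit.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholders: host, account, gateway IP, interface.
FGT_HOST="${FGT_HOST:-fortigate.example.net}"   # hypothetical management address
FGT_USER="${FGT_USER:-sessionclear}"            # hypothetical admin account with an SSH key
VOICE_GW="${VOICE_GW:-192.0.2.10}"              # constructed voice gateway IP
WRONG_IF="${WRONG_IF:-wan1}"                    # interface of the "wrong" ISP

# Accept only a dotted quad with octets 0-255 (rejects newlines and extra text).
valid_ipv4() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# Accept only characters that can appear in an interface name.
valid_ifname() {
    case $1 in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
}

# Print the four CLI lines from the post, or fail without printing anything.
build_commands() {
    valid_ipv4 "$1" || return 1
    valid_ifname "$2" || return 1
    printf '%s\n' \
        "diagnose sys session filter clear" \
        "diagnose sys session filter src $1" \
        "diagnose sys session filter dint $2" \
        "diagnose sys session clear"
}

# Send the commands over SSH; the host key must already be in known_hosts.
clear_sessions() {
    cmds=$(build_commands "$VOICE_GW" "$WRONG_IF") || {
        echo "refusing to run: invalid filter value" >&2
        return 1
    }
    printf '%s\n' "$cmds" |
        ssh -T -o BatchMode=yes -o StrictHostKeyChecking=yes "$FGT_USER@$FGT_HOST"
}

# Only contact the firewall when called as: clear_sip_sessions.sh run
if [ "${1:-}" = "run" ]; then
    clear_sessions
fi
```

Scheduled from cron on a management host at a quiet hour, this plays the same role as the daily auto-script in the earlier reply.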
