Hello Steve,
Node0: secondary (backup)
Node1: primary (active)
We notice that when setting up the FTP session, after a few seconds the session fails within the default idle timeout of 1800.
We see that sessions are created on both node0 and node1. The timeout on node1, the active node, is initially 20 seconds; on the inactive (backup) node0 it is (1800 x 8). This is expected behavior, which can also be found in the documentation.
However, what we observe afterwards is that the return traffic is matched on the session on node0 and not on node1. Because the session on node1 never processes an ACK for the SYN, it falls into a timeout. This ensures that both sessions are then cleaned up. So 20 seconds after the start of the connection, I see the sessions fall into an idle timeout.
So the issue is not about FTP ALG/passive mode; that seems to work. Instead it is about processing asymmetric traffic between the two nodes. I don't know if this is a bug in the chassis cluster between nodes.
What I also did as a test scenario is that I disabled one uplink on the backup node0, while the second uplink is active towards node1, and made sure that all traffic would be processed on the active node1. That seems to work well. But when I enabled the uplink towards node0, the problem seems to appear again. I do not know if it is due to asymmetric traffic over the nodes, because if traffic goes into the secondary requesting to establish a session, it should fail. This traffic is only meant for failover.
Also, sometimes we see that the backup node0 times out my sessions, while on the active node the session timeout is 1800.
#show route 172.16.4.0/25
inet.0: 28 destinations, 28 routes (28 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
172.16.4.0/25 *[Static/5] 1w1d 14:10:16
> via st0.10
#show security flow session destination-prefix 172.16.4.0/25 source-prefix 172.23.168.0/21
node0:
--------------------------------------------------------------------------
Session ID: 174627, Policy name: VPN-PROD-to-CUST/120, State: Active, Timeout: 1796, Valid
In: 172.23.173.2/38944 --> 172.16.4.6/21;tcp, Conn Tag: 0x0, If: reth1.20, Pkts: 0, Bytes: 0,
Out: 172.16.4.6/21 --> 172.39.31.39/17751;tcp, Conn Tag: 0x0, If: st0.10, Pkts: 7, Bytes: 544,
Total sessions: 1
node1:
--------------------------------------------------------------------------
Session ID: 298383, Policy name: VPN-PROD-to-CUST/120, State: Active, Timeout: 8, Valid
In: 172.23.173.2/38944 --> 172.16.4.6/21;tcp, Conn Tag: 0x0, If: reth1.20, Pkts: 10, Bytes: 570,
Out: 172.16.4.6/21 --> 172.39.31.39/17751;tcp, Conn Tag: 0x0, If: st0.10, Pkts: 0, Bytes: 0,
Total sessions: 1
{primary:node1}
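As an added example (not part of the original post, and not Juniper code), the following Python script parses `show security flow session` output in the format pasted above and flags flows whose forward packets are counted on one node and whose reverse packets are counted on another, which is exactly the asymmetric pattern described in the post (node1 sees 10 packets In and 0 Out, node0 sees 0 In and 7 Out). The sample input is the session output from the post embedded as a string; the regular expressions assume the line layout shown there and are an assumption for any other SRX release or verbosity level.

```python
import re
from collections import defaultdict

# Constructed sample: the two-node session output pasted in the post above.
SAMPLE_OUTPUT = """
node0:
--------------------------------------------------------------------------
Session ID: 174627, Policy name: VPN-PROD-to-CUST/120, State: Active, Timeout: 1796, Valid
In: 172.23.173.2/38944 --> 172.16.4.6/21;tcp, Conn Tag: 0x0, If: reth1.20, Pkts: 0, Bytes: 0,
Out: 172.16.4.6/21 --> 172.39.31.39/17751;tcp, Conn Tag: 0x0, If: st0.10, Pkts: 7, Bytes: 544,
Total sessions: 1
node1:
--------------------------------------------------------------------------
Session ID: 298383, Policy name: VPN-PROD-to-CUST/120, State: Active, Timeout: 8, Valid
In: 172.23.173.2/38944 --> 172.16.4.6/21;tcp, Conn Tag: 0x0, If: reth1.20, Pkts: 10, Bytes: 570,
Out: 172.16.4.6/21 --> 172.39.31.39/17751;tcp, Conn Tag: 0x0, If: st0.10, Pkts: 0, Bytes: 0,
Total sessions: 1
"""

# Line formats assumed from the pasted output (assumption, not a documented grammar).
NODE_RE = re.compile(r"^(node\d+):$")
SESSION_RE = re.compile(r"^Session ID: (\d+),.*?Timeout: (\d+)")
WING_RE = re.compile(
    r"^(In|Out): (\S+) --> (\S+);(\w+), .*?If: (\S+), Pkts: (\d+), Bytes: (\d+)"
)


def parse_flow_sessions(text):
    """Parse per-node session blocks into {node: [session, ...]}.

    Each session carries its ID, the current timeout, and an In/Out wing with
    the 5-tuple, interface and packet/byte counters."""
    sessions = defaultdict(list)
    node = None
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = NODE_RE.match(line)
        if m:
            node = m.group(1)
            current = None
            continue
        m = SESSION_RE.match(line)
        if m:
            current = {"id": int(m.group(1)), "timeout": int(m.group(2)),
                       "In": None, "Out": None}
            sessions[node].append(current)
            continue
        m = WING_RE.match(line)
        if m and current is not None:
            wing, src, dst, proto, ifname, pkts, nbytes = m.groups()
            current[wing] = {"src": src, "dst": dst, "proto": proto,
                             "if": ifname, "pkts": int(pkts), "bytes": int(nbytes)}
    return dict(sessions)


def find_asymmetric_flows(sessions):
    """Group sessions by the In-wing tuple across nodes and report flows where
    the set of nodes counting forward packets is disjoint from the set of
    nodes counting reverse packets (i.e. SYN on one node, SYN-ACK on the other)."""
    by_flow = defaultdict(dict)
    for node, sess_list in sessions.items():
        for s in sess_list:
            if s["In"] is None or s["Out"] is None:
                continue  # incomplete block, skip rather than misclassify
            key = (s["In"]["src"], s["In"]["dst"], s["In"]["proto"])
            by_flow[key][node] = s

    findings = []
    for key, per_node in by_flow.items():
        if len(per_node) < 2:
            continue  # a session on a single node cannot be split
        fwd_nodes = {n for n, s in per_node.items() if s["In"]["pkts"] > 0}
        rev_nodes = {n for n, s in per_node.items() if s["Out"]["pkts"] > 0}
        if fwd_nodes and rev_nodes and not (fwd_nodes & rev_nodes):
            findings.append({
                "flow": key,
                "forward_on": sorted(fwd_nodes),
                "reverse_on": sorted(rev_nodes),
                "timeouts": {n: s["timeout"] for n, s in per_node.items()},
            })
    return findings


if __name__ == "__main__":
    for f in find_asymmetric_flows(parse_flow_sessions(SAMPLE_OUTPUT)):
        print("asymmetric flow %s: forward on %s, reverse on %s, timeouts %s"
              % (f["flow"], f["forward_on"], f["reverse_on"], f["timeouts"]))
```

Run against a paste of the full session table (not just one flow) it lists every session that is being set up across the two nodes; a flow reported with its active-node timeout already counting down, as in the 8-second value above, is the one about to be dropped.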