Troubleshooting Tip: Resolving issues with connection to published services through a VIP

Description

This article describes issues connecting to published services through a Virtual IP (VIP) and explains how to resolve them. The user may experience problems when trying to access published services due to incorrect VIP and IPPool configurations.

Scope

FortiGate, FortiManager, FortiAnalyzer.

Solution

To resolve issues connecting to published services through a VIP, follow these steps:

1. Verify the VIP configuration to ensure it is correctly set up and mapped to the internal IP address of the publicized service.
   
   

show firewall vip <name_vip_object>

2. Check the IPPool configuration to ensure it does not overlap with the internal IP address of the published service.

show firewall ippool <name_ippool_object>
diagnose firewall ippool stats

3. Run the command to verify the session information and identify any potential issues.

diagnose sys session list

4. Run the command to verify the session statistics and identify any potential issues.
   
   

diagnose sys session stats

5. Configure the SD-WAN to include both interfaces to ensure correct routing of traffic.

show system sdwan
diagnose sys sdwan member
diagnose sys sdwan route

6. Verify the routing configuration to ensure that the default gateway is correctly set up and that the traffic is being routed correctly.

get router info routing-table all
diagnose sniffer packet any "host <destination_IP>" 4 0 l

Refer to the following documents for more information on validation and troubleshooting VIP objects and IP pools: Troubleshooting Tip: Troubleshooting VIP issues and IP Pool Diagnose commands.