ldsouza
Staff
April 28, 2026

Technical Tip: Collect the debug flow output from the L7 mode HTTPS virtual server policy for troubleshooting


Description


This article outlines the essential outputs to collect and methods for effective troubleshooting with TAC.


Scope


FortiADC.

Solution


Follow the steps below.


  1. Open the SSH terminal.

Enable debug flow through the FortiADC CLI, logging the output to a text file.

diagnose debug module ssl-of-httproxy all set
diagnose debug module httproxy ssl_ae_info
diagnose debug module httproxy all
diagnose debug module httproxy set-filter srcip=x.x.x.x(client ip address)
diagnose debug module httproxy set-filter vsname=(VSname)
diagnose debug enable


  2. Prepare the packet capture.

Start packet capture on the FortiADC: one for the frontend connection (Client <-> FortiADC) and one for the backend connection (FortiADC <-> Server). If there are multiple backend servers, repeat this process for each server.


  • Client IP Filter:

Interface: Select port.

Host IP/Mask: x.x.x.x/32 Client IP.

Port: 443/80 as per Server Policy.

Protocol: TCP.

Max Packet Count: 10000.

  • Host Backend Server IP:

Interface: Select port.

Host IP/Mask: x.x.x.x/32 Server IP.

Port: Backend Server port.

Protocol: TCP.

Max Packet Count: 10000.


Select Play to start the captures for the configured filters.


  3. Generate the outputs.

Initiate a request from the client and replicate the issue. If a browser is used, clear the cache and restart it, or use an incognito window before initiating the request.


  4. Stop the debug.

To stop the debug, execute the commands below:


diagnose debug module ssl-of-httproxy all unset
diagnose debug disable


  5. Collect the output.

Download the PCAP files from FortiADC and compress them along with the debug flow output text file.
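
One way to do the final compression step on the workstation where the files were downloaded, as an added example that is not part of the original article or a Fortinet tool. The function name, the `tac/` folder and the file names in the usage comment are assumptions; it refuses empty inputs, keeps the archive owner-only because captures hold client traffic, and adds a SHA-256 manifest so the recipient can verify the files.

```shell
#!/bin/sh
# Added example (not Fortinet tooling): bundle the debug flow text file and
# the downloaded PCAPs into one archive with a SHA-256 manifest.
# Usage (constructed file names):
#   bundle_tac_artifacts case.tar.gz debugflow.txt frontend.pcap backend1.pcap

# The body runs in a subshell so umask and cd do not leak into the caller.
bundle_tac_artifacts() (
    [ "$#" -ge 3 ] || { echo "usage: bundle_tac_artifacts OUT.tar.gz DEBUG_LOG PCAP..." >&2; exit 2; }
    out=$1; shift

    # An empty PCAP usually means the capture filter never matched the
    # test traffic, so stop before sending an incomplete bundle.
    for f in "$@"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; exit 1; }
    done

    # Captures and debug output describe client traffic: keep the staging
    # copy and the resulting archive readable by the owner only.
    umask 077
    stage=$(mktemp -d) || exit 1
    mkdir "$stage/tac" && cp -- "$@" "$stage/tac/" || { rm -rf "$stage"; exit 1; }

    rc=0
    # Two inputs with the same base name would have overwritten each other.
    [ $(ls "$stage/tac" | wc -l) -eq "$#" ] || { echo "duplicate file names" >&2; rc=1; }

    if [ "$rc" -eq 0 ]; then
        # Hash first, then move the manifest in beside the files it covers.
        ( cd "$stage/tac" && sha256sum -- * > ../SHA256SUMS && mv ../SHA256SUMS . ) \
            && tar -czf "$out" -C "$stage" tac || rc=1
    fi

    rm -rf "$stage"
    exit "$rc"
)
```

After extraction, running `sha256sum -c SHA256SUMS` inside the `tac` folder confirms the files match what was collected.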