sdabhade
Staff
November 24, 2022

Technical Tip: 'Access Denied' error while accessing the Virtual Server with HTTP and HTTPS cookie persistence

Description

This article describes the reason behind the 'Access Denied' error while accessing the Virtual Server with HTTP and HTTPS cookie persistence.

Scope

FortiGate.

Solution

HTTP cookie persistence ensures that a user keeps connecting to the same real server. However, if that server becomes unreachable, the user will face the 'Access Denied' error.

 


 

To fix the issue, it helps to first understand it with the help of the Virtual Server configuration below.

 

config firewall vip
    edit VIRTUAL-SERVER
        set type server-load-balance
        set server-type https
        set extport 443
        set extintf wan1
        set extip 172.30.1.1
        set persistence http-cookie
        config realservers
            edit 1
                set ip 192.168.1.1
                set port 80
            next
            edit 2
                set ip 192.168.1.2
                set port 80
            next
            edit 3
                set ip 192.168.1.3
                set port 80
            next
        end
    next
end

 

If the real server 192.168.1.1 becomes unreachable, users who try to access the Virtual Server with the HTTP cookie for that server already injected in their web browser will face an 'Access Denied' error.

 

The remaining real servers, 192.168.1.2 and 192.168.1.3, stay accessible to users whose web browsers already hold the respective HTTP cookies.

 

New users with no HTTP cookies stored in their web browser will not face any issues, because a new session is created with either real server 192.168.1.2 or 192.168.1.3, according to the configured Load Balance Method.
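
The three cases described above can be reproduced with a small model. This is an added Python example, not FortiOS code or part of the original article. The cookie name `LB_PERSIST`, the status strings, the round-robin load balance method, and storing the real server IP directly in the cookie are assumptions made for illustration.

```python
"""Toy model of HTTP-cookie persistence on a load-balanced virtual server."""
from itertools import count

REAL_SERVERS = ["192.168.1.1", "192.168.1.2", "192.168.1.3"]  # from the config above
COOKIE = "LB_PERSIST"  # hypothetical cookie name, not the one FortiOS injects


class VirtualServer:
    def __init__(self, servers):
        self.servers = list(servers)
        self.reachable = set(servers)   # real servers currently answering
        self._rr = count()              # assumed method: round robin

    def handle(self, cookies):
        """Return (status, real_server, cookie_to_set) for one request."""
        pinned = cookies.get(COOKIE)
        if pinned in self.servers:
            # A valid persistence cookie wins over load balancing,
            # so the request is never moved to another real server.
            if pinned in self.reachable:
                return "OK", pinned, None
            return "ACCESS_DENIED", None, None
        # No cookie: pick the next reachable server and pin the browser to it.
        live = [s for s in self.servers if s in self.reachable]
        if not live:
            return "NO_SERVER", None, None
        chosen = live[next(self._rr) % len(live)]
        return "OK", chosen, {COOKIE: chosen}


def demo():
    vs = VirtualServer(REAL_SERVERS)
    _, _, jar_a = vs.handle({})            # user A is pinned to 192.168.1.1
    _, _, jar_b = vs.handle({})            # user B is pinned to 192.168.1.2
    vs.reachable.discard("192.168.1.1")    # real server 1 becomes unreachable
    return {
        "user_a": vs.handle(jar_a),        # stale cookie for the dead server
        "user_b": vs.handle(jar_b),        # cookie for a healthy server
        "new_user": vs.handle({}),         # no cookie stored yet
    }


if __name__ == "__main__":
    for who, result in demo().items():
        print(who, result)
```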


Related Article:
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/63877/http-and-https-load-balancing-multiplexing-and-persistence
https://docs.fortinet.com/document/fortigate/7.0.4/administration-guide/713497/virtual-server-load-balance