Troubleshooting Tip: FGCP Active-Active Certificate + Proxy inspection + UTM access issue

This article explains the reason for having issues accessing some HTTPS websites when FortiGate is deployed in FGCP Active-Active mode on firmware v7.4 onward.

Based on documentation, active-active HA does not load balance HTTPS sessions that are enabled with SSL deep packet inspection or certificate inspection: HA and load balancing.

When performing WAD debug on the secondary unit (refer to this KB article Technical Tip: Using the 'diagnose wad debug' command to troubleshoot Explicit Web Proxy related issues on WAD debugging), the following error would be observed:

[I]2025-04-02 06:18:09.605595 [p:453][ct:0x7ffadcb45048] wad_ssl_cic_client_task_timeout :2740 cic_clt task(0x7ffadcb45048/7) timeout_period(10000/2000)!
...
[I]2025-04-02 06:18:16.908984 [p:453][s:2902572816] wad_ssl_cic_client_task_check_ctx_timeout:1880 ctx(0x7ffadeb30048/6) is timeout! task(0x7ffadcb45108/7)!
...

[I]2025-04-02 06:18:16.909010 [p:453][s:2902572816] wad_ssl_proxy_srv_on_cic_lookup_done:14541 wsp(0x7ffadeb35410/6) v(0304) 192.168.255.100:53417->13.107.6.156:443 cic task failed, lookup-failure, block

This indicates that HTTPS traffic is load-balanced to the secondary unit and CIC check failed because unable to reach internet via heartbeat link. The issue is still under investigation.