Troubleshooting Tip: Happy Eyeballs fallback fails in proxy mode
| Description | This article describes a behavior in which Happy Eyeballs fallback (as defined in RFC 8305) fails for IPv6 traffic when Proxy Mode is used with UTM features enabled. This occurs because the FortiGate completes the client-side TCP handshake before verifying server-side connectivity. As a result, the client does not receive a fast failure (RST) and does not trigger IPv4 fallback. |
| Scope | FortiOS 7.4, FortiOS 7.6. |
| Solution | In a proxy mode policy with UTM features enabled, Happy Eyeballs fallback may fail.
edit 1
In Proxy Mode, FortiGate immediately responds with a SYN-ACK to the client, completing the client-side TCP handshake before attempting the server-side connection. If the upstream device silently drops the traffic, no RST is sent back to the client, which disrupts Happy Eyeballs fast fallback. As a result, dual-stack clients do not receive the quick failure signaling they expect to switch from IPv6 to IPv4.
To fix this, enable proxy-after-tcp-handshake so that the SYN is forwarded to the server before completing the client-side handshake. This ensures the client receives proper failure signaling, allowing Happy Eyeballs fallback to function correctly, even with UTM enabled in Proxy Mode.
For HTTPS (Port 443 – SSL/SSH Profile):
config firewall ssl-ssh-profile
For HTTP (Port 80 – Protocol Options Profile):
config firewall profile-protocol-options |
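
To check from a client which of these cases a destination falls into, the following added example (not Fortinet code) classifies a single TCP attempt by whether it is refused, times out, or completes the handshake and then stalls. The function names are hypothetical, and the loopback listener that never accepts is a constructed stand-in for the early SYN-ACK with a silently dropped upstream described above.

```python
import socket

def classify_attempt(host, port, connect_timeout=1.0, read_timeout=1.0):
    """Classify one TCP attempt as a Happy Eyeballs client would experience it."""
    try:
        sock = socket.create_connection((host, port), timeout=connect_timeout)
    except ConnectionRefusedError:
        return "refused"          # RST received: client can fall back at once
    except (socket.timeout, TimeoutError):
        return "syn-timeout"      # no SYN-ACK: client moves on after its attempt delay
    except OSError:
        return "unreachable"      # e.g. no route for this address family
    # Handshake completed: the client treats this address as the winner and
    # stops racing the other family, whatever happens next.
    with sock:
        sock.settimeout(read_timeout)
        try:
            sock.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
            data = sock.recv(1)
        except (socket.timeout, TimeoutError):
            return "connected-stalled"   # symptom described in this article
        except OSError:
            return "connected-reset"
    return "connected-ok" if data else "connected-closed"

def stalled_listener():
    """Constructed stand-in: the kernel completes handshakes, nothing replies."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)                 # never accept()ed, so the peer sees silence
    return srv

def closed_port():
    """Constructed stand-in for a path that answers a SYN with RST."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

if __name__ == "__main__":
    srv = stalled_listener()
    print("early SYN-ACK path:", classify_attempt("127.0.0.1", srv.getsockname()[1]))
    srv.close()
    print("fast-failure path: ", classify_attempt("127.0.0.1", closed_port()))
```

Pointed at the affected IPv6 address and port from a client behind the policy, a `connected-stalled` result matches the symptom; once `proxy-after-tcp-handshake` is enabled, the same attempt should fail at connect time instead.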