Troubleshooting Tip: High concurrent connections on policy compared to backend nodes on FortiWeb

High concurrent connections at the policy level may occur when FortiWeb keeps client-side sessions open while waiting for backend server responses. This behavior is commonly observed when backend servers are slow or intermittently unresponsive.

Even when client-timeout and tcp-recv-timeout are configured, sessions may remain active if backend connection attempts are still in progress. To mitigate this condition, configure the following parameters:

• Configure tcp-conn-timeout at the server policy level: This setting defines how long FortiWeb waits for a backend server response before returning a 503 error. Recommended value is less than 20 seconds. High values may cause prolonged client session retention, increasing concurrent connection counts.

Example:

config server-policy policy     edit <policy_name>         set tcp-conn-timeout 20     next end

• Configure tcp-usertimeout at the system level: This setting defines how long idle TCP connections are maintained globally. When configured at both system and policy levels, the lower value is applied.

Example:

config system network-option     set tcp-usertimeout 20 end

After applying these configurations, the number of concurrent connections at the policy level may align more closely with backend node connections.

Related documents:
system network-option
server-policy policy