Description |
This article describes a possible reason why a virtual server health check configured with a content check does not work.
Setup:
Troubleshooting Process:
diag deb app ipldpd -1
diag deb en
diag sniffer packet any 'host <server_under_monitor> and port <port_under_monitor>' 6 0 a
In this scenario, the packet is reaching the FortiGate correctly and the content is visible. However, the health check still failed:
|
Scope | FortiGate. |
Solution |
The root cause is that the ldb_monitor feature in FortiGate relies on the HTTP 'Content-Length' header to determine whether a response body is present. In the above scenario, an HTTP response is observed, but it does not contain the 'Content-Length' header. FortiGate therefore determines that there is no response body to check and does not inspect it:
-------------------------HTTP Response---------------------------------
The following is an example of a packet capture in which the health check works; the content check is configured to look for the word 'John':
The packet capture shows that the 'Content-Length' header is present, so ldb_monitor on the FortiGate proceeds to inspect the response body:
-------------------------HTTP Response---------------------------------
The solution is to configure the web server to include the 'Content-Length' header in its HTTP response, so that FortiGate is aware of the response body and proceeds to check its content. |
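To confirm which case a monitored server falls into, the Python script below is an added example (not Fortinet code and not part of the original article) that classifies how a raw HTTP response frames its body and models the behaviour described above for a content check on the word 'John'. The function names and the three sample responses are constructed for illustration, and the rule "no Content-Length, no body inspection" is taken from this article rather than from ldb_monitor itself.

```python
# Added example. Sample responses are constructed, not from a real capture.
WITH_LENGTH = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
               b"Content-Length: 10\r\n\r\nHello John")
CHUNKED = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
           b"a\r\nHello John\r\n0\r\n\r\n")
NO_LENGTH = b"HTTP/1.0 200 OK\r\nConnection: close\r\n\r\nHello John"

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_line, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def body_framing(headers: dict) -> str:
    """Name the mechanism the server uses to delimit the body."""
    if "chunked" in headers.get("transfer-encoding", "").lower():
        return "chunked"
    if "content-length" in headers:
        return "content-length"
    return "close-delimited"

def content_check_would_run(raw: bytes, needle: bytes):
    """Return (framing, body_inspected, needle_found).

    Models the behaviour the article describes (an assumption, not
    ldb_monitor's code): the body is searched only when the response
    carries a Content-Length header.
    """
    _, headers, body = parse_response(raw)
    framing = body_framing(headers)
    length = headers.get("content-length")
    if length is None:
        return framing, False, False
    declared = int(length) if length.isdigit() else 0
    return framing, True, needle in body[:declared]

if __name__ == "__main__":
    for label, raw in [("with length", WITH_LENGTH), ("chunked", CHUNKED),
                       ("no length", NO_LENGTH)]:
        print(label, content_check_would_run(raw, b"John"))
```

A response reported as "chunked" or "close-delimited" matches the failing scenario in this article: the word is in the body on the wire, but the check never looks at it.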
Copyright 2024 Fortinet, Inc. All Rights Reserved.