Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jangelis
Staff
Staff

Created on ‎12-19-2025 07:44 AM

Article Id 423952

Technical Tip: Server Load-Balancing issue when using healthcheck with realservers using the same IP address

Description This article describes a possible issue when healthcheck is configured for a Virtual server load-balancing type, where real servers are on the same IP address.
Scope FortiOS.
Solution

When the Virtual server is configured with real servers that have the same IP, but are just differentiated by port, adding a health check for these servers might result in unexpected behavior.

 

Example configuration of the Virtual server:

 

config firewall vip
    edit "sample-ldb-vip"
        set type server-load-balance
        set server-type http
        set extip 198.51.100.1
        set extintf "any"
        set http-ip-header enable
        set ldb-method http-host
        set extport 80
            config realservers
                edit 1
                    set ip 10.10.10.10
                    set port 8081
                    set healthcheck enable
                    set http-host "site1.example.com"
                    set monitor "monitor1"
                next
                edit 2
                    set ip 10.10.10.10
                    set port 8082
                    set healthcheck enable
                    set http-host "site2.exmaple.com"
                    set monitor "monitor2"
                next
            end
    next
end

 

In case one of the real servers stops responding, and the healthcheck debug output shows correctly that only realserver 2 is down:

 

FGT# diagnose firewall vip realserver healthcheck stats show
...
Real server status: VIP=sample-ldb-vip
1: ip=10.10.10.10, port:8081, mode:Active, health check status:UP
2: ip=10.10.10.10, port:8082, mode:Active, health check status:DOWN

 

The status of both real servers will be the same, depending on the later update from the healthcheck, for example:

 

 

FGT# diagnose firewall vip realserver list
alloc=3
------------------------------
vf=0 name=sample-ldb-vip class=4 type=6 198.51.100.1:(80-80), protocol=6
total=2 alive=0 power=0 ptr=4294940411
ip=10.10.10.10-10.10.10.10/8081 adm_status=0 holddown_interval=300 max_connections=0 weight=1 option=01
   alive=0 total=1 enable=00000001 alive=00000000 power=0
   src_sz=0
   id=0 status=down ks=0 us=0 events=2848 bytes=0 rtt=0
ip=10.10.10.10-10.10.10.10/8082 adm_status=0 holddown_interval=300 max_connections=0 weight=1 option=01
   alive=0 total=1 enable=00000001 alive=00000000 power=0
   src_sz=0
   id=0 status=down ks=0 us=0 events=2848 bytes=0 rtt=0

 

The reason is that the Virtual IP tracks server status only by IP address. When multiple real servers share the same IP (even with different ports), they will share the same status. 

 

Solution 1:

Do not use health-check.

 

Solution 2: 

Use a unique IP address for each real server.

 

Related article:

Technical Tip: Configure a virtual server 
257
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2026 Fortinet, Inc. All Rights Reserved.