This article describes an example where a real server health checks HTTPS not working, but HTTP or TCP is working. The solution may vary depending on the setup but the concept of configuration and troubleshooting should be the same.

It is necessary to troubleshoot the connectivity for the server first:

• Try to telnet the server port from the FortiGate.

• Follow the troubleshooting tip from the KB article: Troubleshooting Tip: Initial troubleshooting commands for Virtual Servers.
• Use another machine in the same network as the server to do exactly the same request as FortiGate would do and see the outcome.

Case Example:

• A machine in the same network as the server can open the webpage, but keep in mind the full URL.
• The server could be configured to only provide a page with the correct path. E.g.: put the IP address of the server 'https://192.168.1.6' in the web browser but it does not open or gets a 'not found' page or any other HTTP error.
• Although if trying 'https://192.168.1.6/test' it will open correctly.
• In this particular case an adjustment needs to be made in the monitor.

Case Example configuration fix:

It is possible to use the GUI to help configure but for HTTPs, it is necessary to apply additional settings in CLI.

• HTTP Monitor GUI:

• HTTPs Monitor GUI:

• It is possible to use the 'Edit in CLI' option to compare both:

• Copy the config to a notepad.

• Do the same 'Edit in CLI' but now for the HTTPs check and adapt the change:

GUI is designed to be simple and may not have all options available there, check CLI-reference for all options: config firewall ldb-monitor.

Additional troubleshooting commands for real server health checks:

diagnose debug enable
diagnose firewall vip virtual-server stats list
diagnose firewall vip virtual-server real-server list
diagnose firewall vip realserver list

diagnose firewall vip realserver healthcheck stats show

Related article:
Technical Tip: HTTP health check in virtual servers