FortiGate
avinash_v
Staff
Article Id 357690
Description This article describes an issue where a FortiGate-VM on Azure drops the load balancer health probes.
Scope FortiOS
Solution

When the GitHub template is used to set up an Active/Active ELB/ILB deployment on Azure, the FortiGate ports are configured with DHCP by default.

FortiGate-VM64-Azure # show system interface port2
config system interface
    edit "port2"
        set vdom "root"
        set mode dhcp
        set allowaccess ping https ssh fgfm probe-response
        set type physical
        set description "internal"
        set snmp-index 2
        set defaultgw disable
    next
end
FortiGate-VM64-Azure # show router static
config router static
    edit 1
        set dst 168.63.129.16 255.255.255.255
        set gateway 172.19.0.65
        set device "port2"
    next
    edit 2
        set dst 168.63.129.16 255.255.255.255
        set gateway 172.19.0.1
        set device "port1"
    next
end

FortiGate-VM64-Azure # diagnose ip route list | grep -A3 168.63.129.16
tab=254 vf=0 scope=0 type=1 proto=11 prio=1 0.0.0.0/0.0.0.0/0->168.63.129.16/32 pref=0.0.0.0 gwy=172.19.0.1 dev=4(port1)
tab=254 vf=0 scope=0 type=1 proto=11 prio=1 0.0.0.0/0.0.0.0/0->169.254.169.254/32 pref=0.0.0.0 gwy=172.19.0.1 dev=4(port1)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->172.19.0.0/26 pref=172.19.0.4 gwy=0.0.0.0 dev=4(port1)
tab=254 vf=0 scope=0 type=1 proto=11 prio=1 0.0.0.0/0.0.0.0/0->172.19.0.0/23 pref=0.0.0.0 gwy=172.19.0.65 dev=5(port2)

In this case, notice that the FortiGate does not respond to the health probes arriving on port2, even though a static route to 168.63.129.16 via port2 is configured. The routing table above contains only the port1 entry for that address, and the sniffer below shows the probe SYNs with no reply:

FortiGate-VM64-Azure # diagnose sniffer packet port2 "host 168.63.129.16" 4 0 a
Using Original Sniffing Mode
interfaces=[port2]
filters=[host 168.63.129.16]
2024-11-01 09:39:40.236117 port2 -- 168.63.129.16.61373 -> 172.19.0.68.8008: syn 4239371101
2024-11-01 09:39:41.246364 port2 -- 168.63.129.16.61373 -> 172.19.0.68.8008: syn 4239371101
2024-11-01 09:39:43.257679 port2 -- 168.63.129.16.61373 -> 172.19.0.68.8008: syn 4239371101
2024-11-01 09:39:46.237408 port2 -- 168.63.129.16.61428 -> 172.19.0.68.8008: syn 3995541011

Because the interfaces use DHCP, the DHCP-learned (classless) routes provide only one route to 168.63.129.16, via port1, and the static route configured for port2 does not take effect.

To fix this, either change the interfaces to static IP addresses or stop FortiOS from installing the DHCP-supplied route by running 'set dhcp-classless-route-addition disable' in the interface configuration.

FortiGate-VM64-Azure # show system interface port2
config system interface
    edit "port2"
        set vdom "root"
        set mode dhcp
        set allowaccess ping https ssh fgfm probe-response
        set dhcp-classless-route-addition disable
        set type physical
        set description "internal"
        set snmp-index 2
        set defaultgw disable
    next
end

The same setting is applied to port1:

config system interface
    edit "port1"
        set vdom "root"
        set mode dhcp
        set allowaccess ping https ssh fgfm probe-response
        set dhcp-classless-route-addition disable
        set type physical
        set description "internal"
        set snmp-index 2
        set defaultgw disable
    next
end

After this change, and with the static routes in place, the route to 168.63.129.16 shows two next hops, one via port1 and one via port2:

# dia ip route list | grep -A2 168.63.129.16
tab=254 vf=0 scope=0 type=1 proto=11 prio=1 0.0.0.0/0.0.0.0/0->168.63.129.16/32 pref=0.0.0.0
gwy=172.19.0.1 flag=04 hops=0 oif=3(port1)
gwy=172.19.0.65 flag=04 hops=0 oif=4(port2)

After this, the health probes receive a response from the FortiGate (note the SYN/ACK returned to 168.63.129.16 in the capture below):

FortiGate-VM64-Azure # diagnose sniffer packet port2 "host 168.63.129.16" 4 0 a
Using Original Sniffing Mode
interfaces=[port2]
filters=[host 168.63.129.16]
2024-11-01 09:49:04.986392 port2 -- 168.63.129.16.51456 -> 172.19.0.68.8008: fin 2994783328 ack 3127199742
2024-11-01 09:49:04.986478 port2 -- 172.19.0.68.8008 -> 168.63.129.16.51456: fin 3127199742 ack 2994783329
2024-11-01 09:49:04.986645 port2 -- 168.63.129.16.51456 -> 172.19.0.68.8008: ack 3127199743
2024-11-01 09:49:04.987166 port2 -- 168.63.129.16.51520 -> 172.19.0.68.8008: syn 4095519881
2024-11-01 09:49:04.987219 port2 -- 172.19.0.68.8008 -> 168.63.129.16.51520: syn 2018312667 ack 4095519882
2024-11-01 09:49:04.987483 port2 -- 168.63.129.16.51520 -> 172.19.0.68.8008: ack 2018312668
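As an added example (not part of the Fortinet article), the following Python script turns the two checks made above into something repeatable: it parses 'diagnose ip route list' output to confirm that the probe source 168.63.129.16/32 has a next hop on every interface that should answer probes, and it parses 'diagnose sniffer packet' output to find probe SYNs that never received a SYN/ACK. It assumes the output formats exactly as captured on this page (both the single-line route form and the multi-line ECMP form); the sample lines are constructed from the article's captures, the expectation that port1 and port2 should both carry a next hop is the article's scenario, and the function names are my own.

```python
"""Check FortiGate diagnostic output for the Azure health-probe symptom.

Added example, not from the Fortinet KB article. Sample text at the bottom
is constructed from the article's "before" and "after" captures.
"""
import re
from collections import defaultdict

PROBE_SRC = "168.63.129.16"  # Azure Load Balancer health-probe source address

# Matches both the single-line route form ("gwy=172.19.0.1 dev=4(port1)") and
# the per-next-hop lines of an ECMP route ("gwy=172.19.0.65 ... oif=4(port2)").
_GW_RE = re.compile(r"gwy=(\d+\.\d+\.\d+\.\d+)\s.*?(?:dev|oif)=\d+\((\w+)\)")


def probe_next_hops(route_output, probe_ip=PROBE_SRC):
    """Return {interface: gateway} for every next hop of the probe_ip/32 route."""
    hops = {}
    in_probe_route = False
    for line in route_output.splitlines():
        line = line.strip()
        if "->" in line:
            # Each route entry starts with "<src>-><dst>/<len>"; remember
            # whether this entry is the host route for the probe address.
            in_probe_route = f"->{probe_ip}/32" in line
        if in_probe_route:
            m = _GW_RE.search(line)
            if m and m.group(1) != "0.0.0.0":
                hops[m.group(2)] = m.group(1)
    return hops


def missing_probe_paths(route_output, expected_ifaces, probe_ip=PROBE_SRC):
    """Interfaces in expected_ifaces that have no next hop towards the probe IP."""
    hops = probe_next_hops(route_output, probe_ip)
    return sorted(i for i in expected_ifaces if i not in hops)


# "2024-11-01 09:39:40.236117 port2 -- 168.63.129.16.61373 -> 172.19.0.68.8008: syn 4239371101"
_PKT_RE = re.compile(
    r"^\S+ \S+ (?P<intf>\S+) -- (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>.*)$"
)


def unanswered_probes(sniffer_output, probe_ip=PROBE_SRC):
    """Map (probe source port, probed port) -> number of SYNs for probe
    connections that never saw a SYN/ACK back from the FortiGate."""
    syns = defaultdict(int)
    answered = set()
    for line in sniffer_output.splitlines():
        m = _PKT_RE.match(line.strip())
        if not m:
            continue  # skip header lines such as "interfaces=[port2]"
        flags = m.group("flags").split()
        sport, dport = int(m.group("sport")), int(m.group("dport"))
        if m.group("src") == probe_ip and flags[0] == "syn" and "ack" not in flags:
            syns[(sport, dport)] += 1          # probe SYN towards the FortiGate
        elif m.group("dst") == probe_ip and flags[0] == "syn" and "ack" in flags:
            answered.add((dport, sport))       # SYN/ACK back, keyed like the SYN
    return {k: n for k, n in syns.items() if k not in answered}


# Constructed samples, taken from the article's captures.
ROUTES_BEFORE = """\
tab=254 vf=0 scope=0 type=1 proto=11 prio=1 0.0.0.0/0.0.0.0/0->168.63.129.16/32 pref=0.0.0.0 gwy=172.19.0.1 dev=4(port1)
tab=254 vf=0 scope=0 type=1 proto=11 prio=1 0.0.0.0/0.0.0.0/0->172.19.0.0/23 pref=0.0.0.0 gwy=172.19.0.65 dev=5(port2)
"""
ROUTES_AFTER = """\
tab=254 vf=0 scope=0 type=1 proto=11 prio=1 0.0.0.0/0.0.0.0/0->168.63.129.16/32 pref=0.0.0.0
gwy=172.19.0.1 flag=04 hops=0 oif=3(port1)
gwy=172.19.0.65 flag=04 hops=0 oif=4(port2)
"""
SNIFFER_BEFORE = """\
interfaces=[port2]
2024-11-01 09:39:40.236117 port2 -- 168.63.129.16.61373 -> 172.19.0.68.8008: syn 4239371101
2024-11-01 09:39:41.246364 port2 -- 168.63.129.16.61373 -> 172.19.0.68.8008: syn 4239371101
2024-11-01 09:39:43.257679 port2 -- 168.63.129.16.61373 -> 172.19.0.68.8008: syn 4239371101
2024-11-01 09:39:46.237408 port2 -- 168.63.129.16.61428 -> 172.19.0.68.8008: syn 3995541011
"""
SNIFFER_AFTER = """\
2024-11-01 09:49:04.987166 port2 -- 168.63.129.16.51520 -> 172.19.0.68.8008: syn 4095519881
2024-11-01 09:49:04.987219 port2 -- 172.19.0.68.8008 -> 168.63.129.16.51520: syn 2018312667 ack 4095519882
2024-11-01 09:49:04.987483 port2 -- 168.63.129.16.51520 -> 172.19.0.68.8008: ack 2018312668
"""

if __name__ == "__main__":
    print("before:", missing_probe_paths(ROUTES_BEFORE, ["port1", "port2"]),
          unanswered_probes(SNIFFER_BEFORE))
    print("after: ", missing_probe_paths(ROUTES_AFTER, ["port1", "port2"]),
          unanswered_probes(SNIFFER_AFTER))
```

On the "before" captures the script reports port2 as missing from the probe route and lists every probe connection as unanswered; on the "after" captures both interfaces have a next hop and no probe SYN is left without a SYN/ACK. To use it on a live unit, paste the output of the two diagnose commands into the sample strings or read them from files.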

If there is still no response in the sniffer output, verify the local-in policy as described in the KB article below:

FortiGate-VM-probe-on-Azure-or-AWS-load-balancer