Description | This article describes how to troubleshoot a virtual server configured on FortiGate that points to monitored real servers and is expected to respond appropriately if any of the real servers stops responding to health check monitoring. |
Scope | FortiOS. |
Solution |
Topology:
If monitoring of the real servers stops working, or the application on a real server suddenly becomes unreachable, one of the first things to check is the health check monitoring, to see whether the server is ALIVE or DEAD, as FortiGate's VIP does not forward traffic to dead servers.
A likely cause is a difference between the VIP object name in the configuration and the name stored in the kernel. Compare the two:
show firewall vip <vip_obj_name> <- To check name in config.
diagnose firewall vip realserver list <- To check name stored in the kernel.
In this example, the VIP object name in the configuration is 'Long-VIP-object-naming-in-troubleshooting-real-server-health-monitoring.net'.
But the one stored in the kernel is 'Long-VIP-object-naming-in-troubleshooting-real-server-health-m'.
If this happens, the real server health check monitoring will stop working and the stats will show zeros on all parameters (failed or successful) as seen below.
Also, make sure to check the ldb-monitor configuration, and ensure the src-ip, if set, is an IP address reachable from the real servers. If not set, verify what the source IP for the health check monitoring packets is. It is possible to find this information in the ipldbd debug. If the source IP for the health check monitoring is wrong or it is not what is desired, change it under 'config firewall ldb-monitor'.
Example of ipldbd debug with successful health check monitor with the right src-ip (10.10.10.1).
Example of stats with working health check monitor.
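The name comparison described above can be scripted when a device carries many VIP objects. The following is an added example, not Fortinet code: it parses saved output of the two commands and reports VIP names that the kernel holds in shortened form. The function names are hypothetical, the sample inputs are constructed, and the `name=<value>/N` layout of the diagnose output is an assumption.

```python
import re

# Constructed sample inputs. The VIP names are the ones used in the article;
# the layout of the diagnose lines is a simplified assumption.
SAMPLE_SHOW = '''config firewall vip
    edit "Long-VIP-object-naming-in-troubleshooting-real-server-health-monitoring.net"
        set type server-load-balance
    next
    edit "web-vip"
        set type server-load-balance
    next
end
'''
SAMPLE_DIAG = '''vf=0 name=Long-VIP-object-naming-in-troubleshooting-real-server-health-m/1 class=4
vf=0 name=web-vip/1 class=4
'''

def config_vip_names(show_output):
    """VIP object names from the 'edit "<name>"' lines of the configuration."""
    return re.findall(r'^\s*edit\s+"([^"]+)"', show_output, re.M)

def kernel_vip_names(diag_output):
    """Names from 'name=<value>' tokens (assumed layout), without a '/N' suffix."""
    return [re.sub(r'/\d+$', '', n) for n in re.findall(r'\bname=(\S+)', diag_output)]

def find_truncated(show_output, diag_output):
    """Return (config_name, kernel_name) pairs where the kernel holds a shortened name."""
    configured = config_vip_names(show_output)
    kernel = set(kernel_vip_names(diag_output))
    findings = []
    for name in configured:
        if name in kernel:
            continue  # names match, nothing to report
        # A kernel name that is a prefix of this name and is not itself a
        # configured VIP indicates truncation. VIPs absent from the kernel
        # list entirely (no real servers) are skipped.
        prefixes = [k for k in kernel if name.startswith(k) and k not in configured]
        if prefixes:
            findings.append((name, max(prefixes, key=len)))
    return findings

if __name__ == "__main__":
    for cfg, kern in find_truncated(SAMPLE_SHOW, SAMPLE_DIAG):
        print(f"MISMATCH: config={cfg!r} ({len(cfg)} chars) kernel={kern!r} ({len(kern)} chars)")
```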
|
Copyright 2024 Fortinet, Inc. All Rights Reserved.