FortiGate
ppardeshi (Staff)
Article Id 246189
Description

This article describes an issue where a virtual server stops working after upgrading to FortiOS v7.2.4 build 1396 and offers a workaround.
Scope

FortiGate v7.2.4 and later.

Solution

A virtual server (VIP) stops working when the client opens multiple HTTP/2 streams while the real server behind it only speaks HTTP/1.1. The client side closes all of its HTTP/2 streams before the corresponding HTTP/1.1 requests to the real server can be completed.

 

Use the web browser's developer tools (Network tab, Protocol column) to check whether the client side is negotiating HTTP/2. If so, the requests to the virtual server are listed with protocol h2, similar to the following screenshot:

[Screenshot: browser developer tools showing requests to the virtual server with protocol h2]

 

Support for HTTP/2 on virtual servers was added in FortiOS 7.2.4 as NFR 818343. See the release notes for more information.

 

Workaround

 

Set 'http-supported-max-version' to 'http1' under 'config firewall vip' for the affected virtual server. This caps the client-side negotiation at HTTP/1.1, so the FortiGate no longer has to map several HTTP/2 streams onto separate HTTP/1.1 connections toward the real server.

 

CLI reference guide: https://docs.fortinet.com/document/fortigate/7.2.4/cli-reference/306620/config-firewall-vip.

     

In FortiOS 7.2.4 - 7.2.6 and 7.4.0:

config firewall vip
    edit <virtual_server_name>
        set http-supported-max-version [http1|http2]    <----- Set it to http1.
    next
end

 

To disable HTTP/2 support in 7.4.1 and later (the setting was renamed):

config firewall vip
    edit <virtual_server_name>
        set h2-support disable
    next
end

 

After making the change, the client side shows HTTP/1.1 instead of HTTP/2, the connection succeeds and the virtual server works as expected. The developer tools now show information similar to the following screenshot:

[Screenshot: browser developer tools showing requests to the virtual server with protocol http/1.1]

 

Additional information and explanation:

 

Versions before v7.2.4 (such as v7.2.3) did not support HTTP/2 on virtual servers; HTTP/2 support was introduced in v7.2.4. Refer to the FortiOS v7.2.4 Release Notes, new features section. A small related issue was fixed as bug 884578 in FortiOS v7.2.5.

 

This feature may cause problems when the real server does not support HTTP/2. The client can now negotiate HTTP/2 with the FortiGate, which accepts it because it supports HTTP/2 itself, but the requests then have to be carried to a real server that lacks HTTP/2 support.

 

If http-multiplex is disabled and the real server in the VIP does not support HTTP/2, supporting HTTP/2 on the client-to-VIP side runs into a technical limitation.

To serve HTTP/2 on a virtual server whose real server only speaks HTTP/1.1, the FortiGate proxy (wad) has to open multiple HTTP/1.1 connections to the real server, one per client stream. Because http-multiplex is not enabled, each of those connections is opened from the same source address and port as the original client. The first connection succeeds, but the second connect attempt fails because that source address and port are already in use.
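The following Python script is an added illustration of that source-port conflict; it is not FortiGate or wad code. It stands up a plain listening socket as a constructed stand-in for an HTTP/1.1-only real server, then opens one backend TCP connection per client stream. With the original client's IP:port preserved on every backend connection (the non-multiplex behaviour), only the first connection can exist; with the proxy's own address and a fresh ephemeral port per connection (the http-multiplex behaviour), all of them succeed. The loopback addresses and the stream count are assumptions for the demo.

```python
import errno
import socket


def start_backend():
    """Constructed stand-in for an HTTP/1.1-only real server: a plain listening
    socket on loopback. Connections complete in the accept backlog, which is all
    the demonstration needs; no HTTP is actually spoken."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # kernel picks a free port
    srv.listen(8)
    return srv


def open_backend_connection(backend_addr, source_addr):
    """Open one TCP connection to the backend from a fixed source (ip, port).
    Port 0 lets the kernel choose an ephemeral port, which is what the proxy
    does once http-multiplex makes it use its own interface address.
    Returns (socket, None) on success, or (None, errno name) on failure."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind(source_addr)      # no SO_REUSEADDR: a port already in use must fail here
        s.connect(backend_addr)
        return s, None
    except OSError as e:
        s.close()
        return None, errno.errorcode.get(e.errno, str(e.errno))


def simulate(streams, preserve_client_source):
    """Open `streams` backend connections, one per client HTTP/2 stream that the
    proxy must carry over a separate HTTP/1.1 connection.

    preserve_client_source=True  models the default (no http-multiplex) mode:
        every backend connection reuses the original client's IP:port.
    preserve_client_source=False models http-multiplex: the proxy uses its own
        address and a fresh ephemeral port for each connection.
    Returns one entry per attempted stream: None on success, else the errno name.
    """
    backend = start_backend()
    backend_addr = backend.getsockname()
    opened, results = [], []
    try:
        # First stream: connect from an ephemeral port. Its source tuple plays
        # the role of the 'original client' address that non-multiplex mode keeps.
        first, err = open_backend_connection(backend_addr, ("127.0.0.1", 0))
        results.append(err)
        if first is None:
            return results
        opened.append(first)
        client_source = first.getsockname()
        for _ in range(streams - 1):
            src = client_source if preserve_client_source else ("127.0.0.1", 0)
            s, err = open_backend_connection(backend_addr, src)
            results.append(err)
            if s is not None:
                opened.append(s)
    finally:
        for s in opened:
            s.close()
        backend.close()
    return results


if __name__ == "__main__":
    # Expected on Linux: [None, 'EADDRINUSE', 'EADDRINUSE'] vs [None, None, None]
    print("client source preserved (no http-multiplex):", simulate(3, True))
    print("proxy address, ephemeral ports (http-multiplex):", simulate(3, False))
```

The second and third attempts in preserved-source mode fail at bind() with EADDRINUSE (some platforms report EADDRNOTAVAIL at connect() instead), which is the same condition wad hits. Setting http-supported-max-version to http1 avoids the problem from the other side: with a single HTTP/1.1 client connection there is only ever one backend connection to open.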

 

The workaround is either to enable 'http-multiplex' on the VIP or to set the maximum supported HTTP version to http1 (as shown in this article).

  • Note that if http-multiplex is enabled, the FortiGate uses its own interface address and port to connect to the real server, so the real server can no longer see the original client IP address and port.
  • Usually this does not create issues, but the experience may vary from application to application, in particular for applications that log or filter on the client source address.