FortiProxy
ssriswadpong
Staff & Editor
Article Id 347017
Description This article describes why FortiProxy sends AAAA (IPv6) DNS queries. In environments where IPv6 is not in use, the AAAA query is unexpected and, depending on how the DNS server answers it, can cause FortiProxy to return an HTTP 504 error to the client.
Scope FortiProxy.
Solution

FortiProxy sends AAAA DNS queries to the configured DNS server whenever an IPv6 address object or an IPv6 Internet Service Database (ISDB) entry is referenced in a policy, i.e. when either of the following is set:

config firewall policy
    edit <policy ID>
        set dstaddr6 <address name>
        or
        set internet-service6-name <ISDB name>
    next
end


When an IPv6 destination is referenced in a policy, FortiProxy sends both an A and an AAAA query for the destination hostname. If the AAAA response arrives before the A response and that AAAA response is a Server failure (SERVFAIL) or is otherwise unresolvable, FortiProxy treats the name as unresolved and returns HTTP 504 to the user, even though the A query would have succeeded.

The WAD debug output confirms that IPv6 DNS queries are being sent. These IPv6 queries are sent as soon as a dstaddr6 entry exists on any proxy policy, not only on the policy that matches the request.

For example, from the WAD debug output:

CONNECT www.golem.de:443 HTTP/1.1
Host: www.golem.de:443
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36 Edg/137.0.0.0

[I][p:1929][s:84133835][r:88811933] wad_http_str_canonicalize :2200 enc=0 path=/ len=1 changes=0
[I][p:1929][s:84133835][r:88811933] wad_http_conn_req_classify :6403 no security profile HTTPS/HTTP, tport=443
[V][p:1929][s:84133835][r:88811933] wad_http_req_check_dns :81 hn=0x7f20aa930310 sn=(nil)
[I][p:1929][s:84133835][r:88811933] wad_http_dns_resolve :8893 [0x7f20a8bbc898] DNS request name=www.golem.de len=12 type/pref/pref-strict=2/0/0
[I][p:1929][s:84133835][r:88811933] __wad_dns_send_query :847 0:0: sending DNS request for remote peer www.golem.de id=1 IPv4
[I][p:1929][s:84133835][r:88811933] wad_dns_req_msg_send_local_req :245 send unreq to dnsproxy.
msg_len=30, type=wad_local_client_req, vfid=0, vrf=0, ifindex=9, policy_id=0 src_addr=10.19.4.113
[I][p:1929][s:84133835][r:88811933] __wad_dns_send_query :847 0:0: sending DNS request for remote peer www.golem.de id=1 IPv6 >>>>>>
[I][p:1929][s:84133835][r:88811933] wad_dns_req_msg_send_local_req :245 send unreq to dnsproxy.
msg_len=30, type=wad_local_client_req, vfid=0, vrf=0, ifindex=9, policy_id=0 src_addr=10.19.4.113
[V][p:1929][s:84133835][r:88811933] wad_tcp_port_out_read_block :1437 tcp_port 0x7f20aa537720 fd=140 on=1 n_out_block=0 in(/out)_shutdown=0/0 closed=0 state=2.
[V][p:1929][s:84133835][r:88811933] wad_tcp_port_out_read_block :1457 tcp_port=0x7f20aa537720 transport on=1
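The line to look for in the output above is `__wad_dns_send_query ... sending DNS request for remote peer <host> id=<n> IPv6`: one such record per hostname means an AAAA lookup went out. Reading this by eye is error-prone in a long capture, and copied WAD output often has two records fused on one physical line (as in the `src_addr=10.19.4.113[I][p:1929]...` line). The following Python script is an added example, not part of the article or of any Fortinet tool: it un-fuses the records, extracts the address family of every DNS query WAD sent, and lists the hostnames that were queried for IPv6. The sample input is the article's own debug lines plus one constructed IPv4-only record for `example.com`, added so the output shows the distinction; the record-prefix pattern `[I][p:<pid>]` is assumed from the article's lines.

```python
import re
from collections import defaultdict

# A WAD DNS send record, as seen in the article's debug output:
#   __wad_dns_send_query :847 0:0: sending DNS request for remote peer www.golem.de id=1 IPv6 >>>>>>
# Capture the hostname, the query id and the address family (IPv4 = A, IPv6 = AAAA).
DNS_SEND_RE = re.compile(
    r"__wad_dns_send_query\s*:\d+\s+\d+:\d+:\s+sending DNS request for remote peer "
    r"(?P<host>\S+)\s+id=(?P<qid>\d+)\s+(?P<family>IPv4|IPv6)"
)

# Every WAD record starts with a level tag such as "[I][p:1929]" (assumed from the
# article's lines). Copied output sometimes fuses two records on one physical line,
# so records are split wherever such a tag begins, not only at newlines.
RECORD_START_RE = re.compile(r"(?=\[[IVWE]\]\[p:\d+\])")


def split_records(text: str) -> list:
    """Split raw WAD debug text into individual records, un-fusing run-together lines."""
    records = []
    for line in text.splitlines():
        for part in RECORD_START_RE.split(line):
            part = part.strip()
            if part:
                records.append(part)
    return records


def dns_queries_by_host(text: str) -> dict:
    """Map each hostname WAD resolved to the sorted list of address families it queried."""
    families = defaultdict(set)
    for rec in split_records(text):
        m = DNS_SEND_RE.search(rec)
        if m:
            families[m.group("host")].add(m.group("family"))
    return {host: sorted(fams) for host, fams in families.items()}


def hosts_with_ipv6_queries(text: str) -> list:
    """Hostnames for which an AAAA query was sent. Non-empty output on an IPv4-only
    network means some policy still carries a dstaddr6 / internet-service6-name entry."""
    return sorted(h for h, f in dns_queries_by_host(text).items() if "IPv6" in f)


# Constructed sample: the article's debug lines (including the fused line) plus one
# made-up IPv4-only lookup for example.com.
SAMPLE = """\
[I][p:1929][s:84133835][r:88811933] wad_http_dns_resolve :8893 [0x7f20a8bbc898] DNS request name=www.golem.de len=12 type/pref/pref-strict=2/0/0
[I][p:1929][s:84133835][r:88811933] __wad_dns_send_query :847 0:0: sending DNS request for remote peer www.golem.de id=1 IPv4
[I][p:1929][s:84133835][r:88811933] wad_dns_req_msg_send_local_req :245 send unreq to dnsproxy.
msg_len=30, type=wad_local_client_req, vfid=0, vrf=0, ifindex=9, policy_id=0 src_addr=10.19.4.113[I][p:1929][s:84133835][r:88811933] __wad_dns_send_query :847 0:0: sending DNS request for remote peer www.golem.de id=1 IPv6 >>>>>>
[I][p:1929][s:84133835][r:88811933] wad_dns_req_msg_send_local_req :245 send unreq to dnsproxy.
[I][p:1929][s:84133836][r:88811934] __wad_dns_send_query :847 0:0: sending DNS request for remote peer example.com id=1 IPv4
"""

if __name__ == "__main__":
    for host, fams in dns_queries_by_host(SAMPLE).items():
        print(f"{host}: {', '.join(fams)}")
    print("hosts queried for IPv6:", hosts_with_ipv6_queries(SAMPLE))
```

Feed it a saved WAD debug capture (e.g. `python3 wad_dns.py < wad.log` after replacing `SAMPLE` with `sys.stdin.read()`) before and after removing the IPv6 policy entries: once the fix is applied, `hosts_with_ipv6_queries` should come back empty for an IPv4-only network.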

In this case, the IPv6 entries (the dstaddr6 address or the internet-service6-name ISDB entry) must be removed from the policies. Once no policy references an IPv6 destination, FortiProxy sends only A queries, and the AAAA response can no longer be the one that fails the request.
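As an added example (not from the article), the policy as the article describes it, followed by the same policy corrected for an IPv4-only environment. `<policy ID>`, `<address name>` and `<ISDB name>` are placeholders; only the selector that is actually set on the policy needs to be cleared, and the same attribute names apply under `config firewall proxy-policy` for proxy policies.

```text
# Before: policy carries an IPv6 destination (address object or IPv6 ISDB entry),
# so WAD sends an AAAA query for every destination hostname it resolves.
config firewall policy
    edit <policy ID>
        set dstaddr6 <address name>
        # or, if the ISDB form is used instead:
        set internet-service6-name <ISDB name>
    next
end

# After: clear whichever IPv6 selector is set; the policy keeps its IPv4 selectors.
config firewall policy
    edit <policy ID>
        unset dstaddr6
        unset internet-service6-name
    next
end

# Confirm no IPv6 selector remains on the policy.
show firewall policy <policy ID>
```

After the change, re-run the WAD debug and check that no `sending DNS request for remote peer ... IPv6` records appear; if they still do, another policy (including proxy policies) still references an IPv6 destination.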