GCP LB Health Check Probe
Hi Team,
We have configured Forti-VM between two load balancers (external & internal).
Can anyone tell me how to configure a health check from the Internal LB to Forti-VM?
In the GCP console, the Internal LB is showing unhealthy. We have configured TCP port 8008 on the LB health check, which is the default probe-response port in FortiGate.
I have already gone through the admin guide, so please don't share the same.
Hi,
Under Network >> Interface, probe response should be enabled:
If that's already done, please share the debug log with me:
diag debug flow filter clear
diag debug flow filter port 8008
diag debug flow show function-name enable
diag debug flow trace start 100000
diag debug enable
Once you get the debug, you can disable debug using this command: "diag debug disable".
Thanks Ganesh for the reply....
We are not getting any hit on firewall on port 8008.
On the FortiGate we have done the below config:
FGTGCP7EEYBM0Q3A # show system interface port2
config system interface
edit "port2"
set vdom "root"
set ip 192.168.101.17 255.255.255.255
set allowaccess probe-response
set type physical
set alias "Trust"
set snmp-index 2
set secondary-IP enable
set mtu-override enable
set mtu 1460
config secondaryip
edit 1
set ip 192.168.101.18 255.255.255.255
set allowaccess probe-response
next
end
next
end
FGTGCP7EEYBM0Q3A # show system probe-response
config system probe-response
set http-probe-value "200"
set mode http-probe
end
FGTGCP7EEYBM0Q3A # get system probe-response
port : 8008
http-probe-value : 200
mode : http-probe
FGTGCP7EEYBM0Q3A # diag debug flow filter clear
FGTGCP7EEYBM0Q3A # diag debug flow filter port 8008
FGTGCP7EEYBM0Q3A # diag debug flow show function-name enable
show function name
FGTGCP7EEYBM0Q3A # diag debug flow trace start 100000
FGTGCP7EEYBM0Q3A # diag debug enable
FGTGCP7EEYBM0Q3A #
Hi Ganesh,
After rebooting Forti-VM, the Internal LB health check started working.
============================================================================
FGTGCP7EEYBM0Q3A # id=65308 trace_id=4268 func=print_pkt_detail line=5842 msg="vd-root:0 received a packet(proto=6, 35.191.1.131:59438->192.168.101.18:8008) tun_id=0.0.0.0 from port2. flag [S], seq 4268738427, ack 0, win 65535"
id=65308 trace_id=4268 func=init_ip_session_common line=6028 msg="allocate a new session-00001973, tun_id=0.0.0.0"
id=65308 trace_id=4268 func=__vf_ip_route_input_rcu line=2012 msg="find a route: flag=80000000 gw-0.0.0.0 via root"
id=65308 trace_id=4268 func=ip_session_confirm_final line=3087 msg="npu_state=0x0, hook=1"
id=65308 trace_id=4269 func=print_pkt_detail line=5842 msg="vd-root:0 received a packet(proto=6, 192.168.101.18:8008->35.191.1.131:59438) tun_id=0.0.0.0 from local. flag [S.], seq 1842156342, ack 4268738428, win 28160"
id=65308 trace_id=4269 func=resolve_ip_tuple_fast line=5930 msg="Find an existing session, id-00001973, reply direction"
id=65308 trace_id=4270 func=print_pkt_detail line=5842 msg="vd-root:0 received a packet(proto=6, 35.191.1.131:59438->192.168.101.18:8008) tun_id=0.0.0.0 from port2. flag [.], seq 4268738428, ack 1842156343, win 256"
id=65308 trace_id=4270 func=resolve_ip_tuple_fast line=5930 msg="Find an existing session, id-00001973, original direction"
id=65308 trace_id=4271 func=print_pkt_detail line=5842 msg="vd-root:0 received a packet(proto=6, 35.191.1.131:59438->192.168.101.18:8008) tun_id=0.0.0.0 from port2. flag [F.], seq 4268738428, ack 1842156343, win 256"
id=65308 trace_id=4271 func=resolve_ip_tuple_fast line=5930 msg="Find an existing session, id-00001973, original direction"
id=65308 trace_id=4272 func=print_pkt_detail line=5842 msg="vd-root:0 received a packet(proto=6, 192.168.101.18:8008->35.191.1.131:59438) tun_id=0.0.0.0 from local. flag [F.], seq 1842156343, ack 4268738429, win 110"
id=65308 trace_id=4272 func=resolve_ip_tuple_fast line=5930 msg="Find an existing session, id-00001973, reply direction"
id=65308 trace_id=4273 func=print_pkt_detail line=5842 msg="vd-root:0 received a packet(proto=6, 35.191.1.131:59438->192.168.101.18:8008) tun_id=0.0.0.0 from port2. flag [.], seq 4268738429, ack 1842156344, win 256"
id=65308 trace_id=4273 func=resolve_ip_tuple_fast line=5930 msg="Find an existing session, id-00001973, original direction"
id=65308 trace_id=4274 func=print_pkt_detail line=5842 msg="vd-root:0 received a packet(proto=6, 35.191.1.133:41826->192.168.101.18:8008) tun_id=0.0.0.0 from port2. flag [S], seq 1654739865, ack 0, win 65535"
============================================================================
One more question: how can we configure a pass-through probe?
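
Added example, not part of any post in this thread and not Fortinet or Google code: a Python script that reads `diag debug flow` output in the format of the trace above and reports, per client connection, whether the TCP handshake on port 8008 completed, plus any client outside the health check source ranges Google documents (35.191.0.0/16 and 130.211.0.0/22). The function names and the sample lines are assumptions made for illustration.

```python
import ipaddress
import re

# Source ranges Google documents for load balancer health check probes.
GCP_PROBE_RANGES = [ipaddress.ip_network(n) for n in ("35.191.0.0/16", "130.211.0.0/22")]

# Packet summary line that print_pkt_detail emits in the flow trace.
PKT_RE = re.compile(
    r"received a packet\(proto=6, (?P<src>[\d.]+):(?P<sport>\d+)->"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\).*?from (?P<via>\S+)\. flag \[(?P<flag>[^\]]+)\]")

def summarize_probes(trace_text, probe_port=8008):
    """Map (client_ip, client_port) -> 'syn-only' | 'syn-ack' | 'established'."""
    flows = {}
    for m in PKT_RE.finditer(trace_text):
        flag = m["flag"]
        if m["via"] == "local" and int(m["sport"]) == probe_port:
            key = (m["dst"], int(m["dport"]))  # reply generated by the FortiGate
            if flag == "S." and key in flows:
                flows[key] = "syn-ack"
        elif int(m["dport"]) == probe_port:
            key = (m["src"], int(m["sport"]))
            if flag == "S":
                flows[key] = "syn-only"  # probe arrived, no answer seen yet
            elif flag == "." and flows.get(key) == "syn-ack":
                flows[key] = "established"
    return flows

def unexpected_sources(flows):
    """Clients that reached the probe port from outside the health check ranges."""
    def is_prober(ip):
        return any(ipaddress.ip_address(ip) in net for net in GCP_PROBE_RANGES)
    return sorted({ip for ip, _ in flows if not is_prober(ip)})

# Constructed sample in the thread's trace format (192.0.2.10 is a documentation address).
_PKT = 'id=1 trace_id={n} func=print_pkt_detail line=1 msg="vd-root:0 received a packet(proto=6, {a}->{b}) tun_id=0.0.0.0 from {via}. flag [{f}], seq 1, ack 0, win 256"'
SAMPLE = "\n".join(_PKT.format(n=i, a=a, b=b, via=v, f=f) for i, (a, b, v, f) in enumerate([
    ("35.191.1.131:59438", "192.168.101.18:8008", "port2", "S"),
    ("192.168.101.18:8008", "35.191.1.131:59438", "local", "S."),
    ("35.191.1.131:59438", "192.168.101.18:8008", "port2", "."),
    ("192.0.2.10:40000", "192.168.101.18:8008", "port2", "S"),
]))

if __name__ == "__main__":
    flows = summarize_probes(SAMPLE)
    for client, state in flows.items():
        print(client, state)
    print("outside health check ranges:", unexpected_sources(flows))
```

A flow that stays at `syn-only` means the probe reached the interface but no local reply was traced; a trace with no matching lines at all means the probes never arrived on the filtered port.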
