Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

No Internet Access for Real Servers when using Load Balancing on Local LAN

Good afternoon,

I have a slightly puzzling issue. I have setup a virtual server to act as a load balancer to two real servers on our local LAN (http & https traffic). This has been setup and working fine in active standby mode. I have been able to swap over the active and standby servers without any issue and can access the webpage via the load balanced IP.

The issue I now have is that neither of the real servers can access the internet.

I have followed the tip in the link below to try to resolve the issue but it hasn't worked

Technical Tip: VIP IP (virtual server type) on the... - Fortinet Community

I have tried turning NAT on and off for the various policies that the servers are using (according to the logs), but I still can't get these servers to access the internet.

This is the policy I have enabled to get the load balancer working:

LB Policy.png

If I disable the above policy, the real servers can then access the internet again but the load balanced IP is then unresponsive.

Has anyone had a similar issue or know how I can resolve this issue?

Model: Fortigate 100F

Firmware: v7.0.12 build0523


New Contributor

Yes there's something about LB that I don't understand. That's why these questions pop up in my head. So, if LBs act in pair, what's the thing that decides which of the LBs for the network traffic to go to? And why can't that "thing" (if it even is a physical thing) just directly choose between the servers instead, and skip the LB step  ?

New Contributor

Would be a lot easier right...

Think it's definitely something to do with NAT and fortigate virtual servers.

I have a constant ping going to In the logs it looks like it can send but not receive any packets:

LB Log1.pngLB Log2.pngLB Log3.png

Real servers: x.x.x.155 & x.x.x.156

Load Balancer: x.x.x.157

NAT IP is the load balancer so must have something to do with that?


Hi @NG2,


What do you mean NAT IP is the load balancer? Is x.x.x.157 the IP address of wan2? Please run the following command and try to ping again:


get router info routing-table all 

di sniffer packet any 'host and icmp' 4 0 l



New Contributor

Hi @hbac 

x.x.x.157 is the load balancer (virtual server) IP. IP of our WAN is 62.x.x.32 (sorry for the x's but don't want to share all our local and public IPs).


Can I send you a private message with the output of those commands?





Please provide a network diagram so I can better understand the topology. 





By default when there is a VIP/Virtual Server configuration the internal or mapped IP, in this case the IP of the real servers will be source NAT-ted with the ext IP in the VIP/Virtual Server configuration. 
One way to circumvent this is  to have NAT via IPPOOL performed on the original "Internet Acess" policy LAN-> WAN.

Top Kudoed Authors