Hello Community,
I have the following (simple) setup:
* Multiple Servers on Subnet 10.100.2.0/24 should be reachable via portal.mydomain.com on different Ports
* SSL-Certificate provided via Let's Encrypt
* One Fortigate 61F as Gateway and Reverse Proxy
* Domain and Static IP to the World is working fine.
I have set it up as follows:
* Created Virtual Servers for Each host
** Type: HTTPS
** Interface: any
** Virtual Server IP: (external IP address associated with my domain)
** Virtual Server Port: (external Port)
** Load-Balancing mode: Static
** Persistence: None
** HTTP multiplexing and Preserve Client IP is not set
** SSL Offloading Mode Client/Fortigate with the Let's Encrypt certificate valid for my domain
** Real Servers - added 1 real server with internal IP and Port. no Max Connection, Mode "Active"
* Created a rule
** Incoming Interface: WAN1
** Outgoing Interface: Internal Port to subnet 10.100.2.0/24
** Source: all
** Destination: Virtual Server configured before
** Schedule: always
** Service: ALL
** Action: ACCEPT
** Inspection Mode: Proxy-Based
** NAT: Disabled
** SSL-Inspection: no-inspection
** Enabled: yes
Problem: Since the last firmware update I cannot reach the servers anymore - it is extremely slow loading the webpages.
Does anyone have an idea where the problem could be?
BR,
Georg
... does someone use that feature or am I alone? I know that the Forti does not have a "real" Reverse Proxy built in, but even if there are limitations I would expect that feature to work again.
Did I miss some information for help? Any details of the configuration?
At first glance it looks like it should work fine. Have you seen any indicators like CPU usage being high or anything?
Also you say you cannot reach the servers anymore but you also say loading web pages is slow. Which one is it?
Can you try testing without the SSL offload? Just set up a basic VIP pointing to the real server and see if it performs OK?
Hi gfleming,
thanks for the reply:
1. CPU seems to be OK - no problems there.
2. Sorry for being so imprecise. I tried different solutions and sometimes I got stuck and the servers were not reachable, so I mixed up something.
Servers are reachable but REALLY slow. One device is a QNAP NAS and I see the forwarding URL of the webserver and the page is loading really slowly. NextCloud is just showing the background image.
3. Without SSL Offload it seems to work, even though the browser shows an error. So it could be that the Let's Encrypt certificate causes that error.
Cheers,
Georg
I did not see anything that changed related to certificates, or did I miss something? I am wondering why this occurs right now after the upgrade when I did not change the configuration. Any ideas how to fix that?
I wonder if there's some packet fragmentation issues possibly? What does a packet capture look like?
Hi,
Please try to disable http2 as a workaround and test if it works.
It's configured under #config firewall vip.
A snippet from my lab for example:
    config firewall vip
        edit "Virtual Server"
            set uuid 59acd588-ac9b-51ed-8251-b880c505cedd
            set type server-load-balance
            set extip 192.168.20.1
            set extintf "any"
            set server-type https
            set extport 443
            config realservers
                edit 2
                    set ip 192.168.1.129
                    set port 80
                next
            end
            set http-supported-max-version http1    <----- changed to http1
            set ssl-certificate "Fortinet_Factory"
        next
    end
Please let us know if it works.
Regards,
Parassingh
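When several virtual servers need the same workaround, a configuration backup can be checked for entries that still lack it. The following is an added example, not code from this thread or from Fortinet: it parses `config firewall vip` text and lists HTTPS load-balance VIPs that have no explicit `set http-supported-max-version http1`. The sample config, VIP names and IPs are constructed; only setting names shown in the lab snippet above are used.

```python
import shlex
# Constructed sample in the layout of the lab snippet above; names/IPs are made up.
SAMPLE = """\
config firewall vip
    edit "nas"
        set type server-load-balance
        set server-type https
        config realservers
            edit 1
                set ip 10.100.2.10
            next
        end
        set http-supported-max-version http1
    next
    edit "nextcloud"
        set type server-load-balance
        set server-type https
    next
end
"""

def parse_vips(text):
    """Return {vip name: {setting: value}} from 'config firewall vip' blocks."""
    vips, depth, in_vip, current = {}, 0, False, None
    for line in text.splitlines():
        try:
            tok = shlex.split(line)      # handles quoted names with spaces
        except ValueError:               # unbalanced quote: plain split instead
            tok = line.split()
        head = tok[0] if tok else ""
        if head == "config":
            if depth == 0:
                in_vip = tok[1:] == ["firewall", "vip"]
            depth += 1
        elif head == "end":
            depth -= 1
        elif in_vip and depth == 1 and head == "edit" and len(tok) > 1:
            current = vips.setdefault(tok[1], {})
        elif in_vip and depth == 1 and head == "set" and len(tok) > 2 and current is not None:
            current[tok[1]] = " ".join(tok[2:])   # nested realservers are skipped
    return vips

def not_pinned_to_http1(vips):
    """HTTPS load-balance VIPs without an explicit 'http1' max version."""
    return sorted(n for n, s in vips.items()
                  if s.get("type") == "server-load-balance"
                  and s.get("server-type") == "https"
                  and s.get("http-supported-max-version") != "http1")

print(not_pinned_to_http1(parse_vips(SAMPLE)))
```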
Hi,
partially. On one Server this helped, but on the two others that are configured the same way it did not.
@gfleming sorry for the late reply. I looked on the server side with tcpdump, listening to the port (http), and there is not really much coming to the server. I think the Forti is blocking something. If I access the server directly (internal network, same port) it works well.
cheers
CORRECTION: @ppardeshi, solution works:
- Cleared the browser cache
- For the last server, I had a configuration issue (while playing around, it came up)
Hi,
Thanks for confirming that it's working.
RCA has been publicly published:
Regards,
Parassingh
Copyright 2024 Fortinet, Inc. All Rights Reserved.