Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Tschortsch
New Contributor II

Reverse Proxy Not working since FortiOS v7.2.4

Hello Community,

 

I have the following (simple) setup:

* Multiple Servers om Subnet 10.100.2.0/24 should be reachable via portal.mydomain.com on different Ports

* SSL-Certificate provided via Let's Encrypt

* One Fortigate 61F as Gateway and Reverse Proxy

* Domain and Static IP to the World is working fine.

 

I have set it up as follows:

* Created Virtual Servers for Each host

** Type: HTTPS

** Interface: any

** Virtual Server IP: (external IP Adress accociated with my domain)

** Virtual Server Port: (external Port)

** Load-Balancing mode: Static

** Persistance: None

** HTTP multiplexing and Perserve Client IP is not set

** SSL Offloading Mode Client/Fortigate with the Let's Encrypt Certificated valid for my domain

** Real Servers - added 1 real server with internal IP and Port. no Max Connection, Mode "Active"

 

* Created a rule

** Incoming Interface: WAN1

** Outgoing Interface: Internal Port to subnet 10.100.2.0/24

** Source: all

** Destination: Virtual Server configured before

** Schedule: always

** Service: ALL

** Action: ACCEPT

** Inspection Mode: Proxy-Based

** NAT: Disabled

** SSL-Inspection: no-inspection

** Enabled: yes

 

Problem: Since the last Firmware Update I cannot reach the servers anymore - it is extremly slow loading the webpages.

Does anyone have an idea where the problem could be?

 

BR,

Georg

 

 

 

 

 

1 Solution
ppardeshi
Staff
Staff

Hi,

 

Thanks for confirming that it's working.

 

RCA has been publicly published: 

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Virtual-server-stops-working-after-u...

 

Regards,

Parassingh

 

View solution in original post

9 REPLIES 9
Tschortsch
New Contributor II

... does someone use that feature or am I alone? I know, that the Forti does not have a "real" Reverse Proxy buid in but even if there are limitation I would expect that feature to work again.

Did I miss some information for help? Any details of the configuration?

gfleming
Staff
Staff

At first glance it looks like it should work fine. Have you seen any indicators like CPU usage being high or anything?

 

Also you say you cannot reach the servers anymore but you also say loading web pages is slow. Which one is it?

 

Can you try testing without the SSL offload? Just set up a basic VIP pointing to the real server and see if it performs OK?

Cheers,
Graham
Tschortsch
New Contributor II

Hi gfleming,

 

thanks for the reply:

1. CPU seems to be OK - no problems there.

2. Sorry for being such inprecise. I tried different solutions and sometimes I got stuck and the servers were not reachable so I mixed up something.

Servers are reachable but REALLY slow. One device is a QNAP NAS and I see the forwarding-url of the webserver and the page is loading really slow. NextCloud is just showing up the background-image.

3. Without SSL Offload it seems to work even the browser shows an error. So it could be that the Lets's Encrypt Certificate causes that error.

 

Cheers,

Georg

 

Tschortsch
New Contributor II

I did not see anything that changed related to certificates or did I miss something? I am wondering why this occurs right now after the upgrade and I did not change the configuration. Any Ideas how to fix that?

gfleming

I wonder if there's some packet fragmentation issues possibly? What does a packet capture look like?

Cheers,
Graham
ppardeshi
Staff
Staff

Hi,

 

Please try to disable http2 as a workaround and test if it works.

It's configured under #config firewall vip. 

 

A snippet from my lab for example:

 

config firewall vip
    edit "Virtual Server"
        set uuid 59acd588-ac9b-51ed-8251-b880c505cedd
        set type server-load-balance
        set extip 192.168.20.1
        set extintf "any"
        set server-type https
        set extport 443
        config realservers
            edit 2
                set ip 192.168.1.129
                set port 80
            next
        end
        set http-supported-max-version http1 <-----changed to http1
        set ssl-certificate "Fortinet_Factory"
    next
end

 

Please let us know if it works.

 

Regards,

Parassingh 

 

Tschortsch
New Contributor II

Hi,

 

partially. On one Server this helped, but on the two others that are configured the same way it did not.

@gflemingsorry for the late reply. I looked on the server side with tcpdump, listening to the port (http) and there is not really much coming to the server. I think the Forti is blocking something. If I access the Server directly (internal network, same port) it works well.

 

cheers

Tschortsch
New Contributor II

COORECTION: @ppardeshi , solution workes:

- Cleared the Browser-Cache

- For the last server, I had a configuration issue (while playing around, it came up)

 

ppardeshi
Staff
Staff

Hi,

 

Thanks for confirming that it's working.

 

RCA has been publicly published: 

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Virtual-server-stops-working-after-u...

 

Regards,

Parassingh

 

Labels
Top Kudoed Authors