Support Forum
dhafer
New Contributor II

TLS 1.3 full offloading not working

Hi,

I have VMs in a VLAN and I am trying to support TLS 1.3 on the load balancer with full offloading, but I can't get it to work (curl gets stuck, then no response from the server).


Things I tested with the same config:

- Virtual IP with TLS 1.3 works.
- Half offloading with TLS 1.3 works.
- If I change the config below to support TLS 1.2, it works.


On the server side I have nginx with a basic TLS 1.3 config (ssl_protocols TLSv1.3; plus the certificate setup).


In FortiGate I have the certificates set up, and here's the load balancer config:


    edit "MY_TLS_LOADBALANCER"
        set type server-load-balance
        set extip ------.12
        set extintf "port1"
        set arp-reply enable
        set server-type https
        set nat-source-vip disable
        set gratuitous-arp-interval 0
        set http-ip-header enable
        set http-ip-header-name ''
        set ssl-client-rekey-count 0
        set ssl-hpkp disable
        set ssl-hsts disable
        set ldb-method static
        set persistence none
        set extport 443
        config realservers
            edit 1
                set ip 192.168.20.1
                set port 443
                set status active
                set holddown-interval 300
                set healthcheck vip
                set max-connections 0
                unset client-ip
            next
        end
        set http-multiplex disable
        set ssl-mode full
        set ssl-certificate "my_cert"
        set ssl-dh-bits 2048
        set ssl-algorithm medium
        set ssl-server-algorithm medium
        set ssl-pfs require
        set ssl-min-version tls-1.3
        set ssl-max-version tls-1.3
        set ssl-server-min-version client
        set ssl-server-max-version client
        set ssl-send-empty-frags enable
        set ssl-client-fallback enable
        set ssl-client-renegotiation secure
        set ssl-client-session-state-type both
        set ssl-client-session-state-timeout 30
        set ssl-client-session-state-max 1000
        set ssl-server-session-state-type both
        set ssl-server-session-state-timeout 60
        set ssl-server-session-state-max 100
        set max-embryonic-connections 1000
    next

and the firewall rule:

    set name "TEST_LOCAL_TLS1.3"
    set srcintf "WAN"
    set dstintf "MY_VLAN"
    set srcaddr "all"
    set dstaddr "LOCAL_HTTPS"
    set action accept
    set schedule "always"
    set service "HTTPS"
    set inspection-mode proxy
    set ssl-ssh-profile "protect_server"
    set logtraffic all
    set capture-packet enable
    set fsso disable
    set tcp-mss-sender 1452
    set tcp-mss-receiver 1452
    set nat enable
    set match-vip enable
    next


I am attaching a packet capture of the internet-facing interface (.34 is the client IP, .12 the server IP)

and a packet capture of the VLAN (192.168.20.1: VM IP, 192.168.254: FG IP).


Any idea what's wrong?

Thanks and regards
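As an added example (not FortiGate tooling and not code from this post), the VIP block above parsed and reduced to the TLS version each leg is forced to, which is where the working half-offload test and the failing full-offload test differ; VIP_TEXT is the post's own config, abridged, and the half/full semantics are those of the FortiGate VIP ssl-mode setting (half: client-side TLS only, plaintext to the real servers; full: TLS on both legs).

```python
# Added example (not FortiGate tooling); VIP_TEXT is the post's own config, abridged.
import shlex

KEYWORDS = {"set", "unset", "edit", "next", "config", "end"}
VIP_TEXT = (
    'edit "MY_TLS_LOADBALANCER" set type server-load-balance set server-type https '
    'config realservers edit 1 set ip 192.168.20.1 set port 443 unset client-ip next end '
    'set ssl-mode full set ssl-min-version tls-1.3 set ssl-max-version tls-1.3 '
    'set ssl-server-min-version client set ssl-server-max-version client next'
)

def parse_cli(text):
    """edit/set/unset/config/next/end -> nested dicts: set k v.. -> k: [v..], unset k -> k: None."""
    tokens, i, root = shlex.split(text), 0, {}
    tables, entries = [root], []            # stacks of open tables / open entries
    while i < len(tokens):
        tok = tokens[i]
        if tok == "edit":                   # open an entry in the current table
            entries.append(tables[-1].setdefault(tokens[i + 1], {})); i += 2
        elif tok == "config":               # open a sub-table inside the current entry
            tables.append(entries[-1].setdefault(tokens[i + 1], {})); i += 2
        elif tok in ("next", "end"):
            (entries if tok == "next" else tables).pop(); i += 1
        elif tok in ("set", "unset"):       # values run until the next keyword
            j = i + 2
            while j < len(tokens) and tokens[j] not in KEYWORDS:
                j += 1
            entries[-1][tokens[i + 1]] = tokens[i + 2:j] if tok == "set" else None
            i = j
        else:
            raise ValueError(f"unexpected token {tok!r}")
    return root

def effective_tls(vip):
    """'client' on the ssl-server-*-version keys means FortiGate reuses the client-negotiated version."""
    cmin, cmax = vip["ssl-min-version"][0], vip["ssl-max-version"][0]
    smin, smax = vip["ssl-server-min-version"][0], vip["ssl-server-max-version"][0]
    return {"mode": vip["ssl-mode"][0], "client": (cmin, cmax),
            "server": (cmin if smin == "client" else smin, cmax if smax == "client" else smax)}

def offload_findings(vip):
    """Back-end implications of ssl-mode half vs full, the leg that differs between the post's two tests."""
    t = effective_tls(vip)
    servers = ", ".join(e["ip"][0] for e in vip.get("realservers", {}).values())
    if t["mode"] == "half":
        return [f"half: client TLS ends on FortiGate, plaintext HTTP to {servers}"]
    notes = [f"full: FortiGate opens its own TLS session ({t['server'][0]}..{t['server'][1]}) to {servers}"]
    if t["server"][0] == "tls-1.3":
        notes.append("back-end handshake is TLS 1.3-only: real server and FortiGate server-side TLS stack must both support it")
    return notes
```

Running offload_findings on the post's config shows the back-end leg is TLS 1.3-only, which is exactly the leg that disappears in the half-offload test that worked.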

1 Solution
dhafer
New Contributor II

Issue resolved after upgrading from 6.2.3 to 6.2.9

boneyard
Valued Contributor

thanks for sharing
