Hi,
I have VMs in a VLAN and I am trying to set up a TLS 1.3 load balancer with full offloading, but I can't get it to work (curl gets stuck, then no response from the server).
Things I tested with the same config:
- Virtual IP with TLS 1.3 works.
- Half offloading with TLS 1.3 works.
- If I change the config below to support TLS 1.2, it works.
On the server side I have nginx with a basic TLS 1.3 config (ssl_protocols TLSv1.3; plus the certificate setup).
In FortiGate I have the certificates set up, and here's the load balancer config:
config firewall vip
    edit "MY_TLS_LOADBALANCER"
        set type server-load-balance
        set extip ------.12
        set extintf "port1"
        set arp-reply enable
        set server-type https
        set nat-source-vip disable
        set gratuitous-arp-interval 0
        set http-ip-header enable
        set http-ip-header-name ''
        set ssl-client-rekey-count 0
        set ssl-hpkp disable
        set ssl-hsts disable
        set ldb-method static
        set persistence none
        set extport 443
        config realservers
            edit 1
                set ip 192.168.20.1
                set port 443
                set status active
                set holddown-interval 300
                set healthcheck vip
                set max-connections 0
                unset client-ip
            next
        end
        set http-multiplex disable
        set ssl-mode full
        set ssl-certificate "my_cert"
        set ssl-dh-bits 2048
        set ssl-algorithm medium
        set ssl-server-algorithm medium
        set ssl-pfs require
        set ssl-min-version tls-1.3
        set ssl-max-version tls-1.3
        set ssl-server-min-version client
        set ssl-server-max-version client
        set ssl-send-empty-frags enable
        set ssl-client-fallback enable
        set ssl-client-renegotiation secure
        set ssl-client-session-state-type both
        set ssl-client-session-state-timeout 30
        set ssl-client-session-state-max 1000
        set ssl-server-session-state-type both
        set ssl-server-session-state-timeout 60
        set ssl-server-session-state-max 100
        set max-embryonic-connections 1000
    next
end
and the firewall rule:
        set name "TEST_LOCAL_TLS1.3"
        set srcintf "WAN"
        set dstintf "MY_VLAN"
        set srcaddr "all"
        set dstaddr "LOCAL_HTTPS"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set inspection-mode proxy
        set ssl-ssh-profile "protect_server"
        set logtraffic all
        set capture-packet enable
        set fsso disable
        set tcp-mss-sender 1452
        set tcp-mss-receiver 1452
        set nat enable
        set match-vip enable
    next
I am attaching a packet capture of the internet-facing interface (.34 is the client, .12 the server IP)
and a packet capture of the VLAN (192.168.20.1: VM IP, 192.168.254: FG IP).
Any idea what's wrong?
Thanks and Regards
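A way to reproduce the "curl stuck" symptom with a bounded timeout and tell the two legs apart (client to the VIP versus directly to the nginx real server), so you can see whether the FortiGate's TLS 1.3 termination or the back end is the leg that stalls. This is an added diagnostic, not something from the thread; it assumes openssl s_client and coreutils timeout are available, and the hostnames below are placeholders.

```shell
#!/bin/sh
# Added diagnostic (not from the original post). Pins the handshake to
# TLS 1.3, like the poster's VIP config does, but caps it at 10 seconds so a
# stalled full-offload VIP is reported instead of hanging the shell.

# classify_handshake: reads `openssl s_client` output on stdin and prints one
# of:  ok:<protocol>   handshake completed (SSL-Session block present)
#      alert:<line>    the peer sent a TLS alert (e.g. protocol/handshake failure)
#      stalled         only CONNECTED was printed, i.e. no ServerHello arrived
#      fail            anything else (heuristic, inspect the raw output)
classify_handshake() {
    out=$(cat)
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    if [ -n "$proto" ]; then
        printf 'ok:%s\n' "$proto"
    elif printf '%s\n' "$out" | grep -qi 'alert'; then
        printf 'alert:%s\n' "$(printf '%s\n' "$out" | grep -i 'alert' | head -n 1)"
    elif [ -z "$(printf '%s\n' "$out" | grep -v '^CONNECTED' | grep -v '^$')" ]; then
        printf 'stalled\n'
    else
        printf 'fail\n'
    fi
}

# probe host port [sni]: TLS 1.3-only handshake with a hard 10-second cap.
# The third argument lets you keep the VIP's certificate name as SNI when
# connecting straight to the real server from inside the VLAN.
probe() {
    host=$1; port=$2; sni=${3:-$1}
    timeout 10 openssl s_client -connect "$host:$port" -servername "$sni" \
        -tls1_3 </dev/null 2>&1 | classify_handshake
}

# Example calls (placeholder names): run both and compare the verdicts.
# probe vip.example.test 443                 # external leg, through the VIP
# probe 192.168.20.1 443 vip.example.test    # back-end leg, directly to nginx
```

If the VIP leg reports stalled while the back-end leg reports ok:TLSv1.3, the failure is in the FortiGate's client-side TLS 1.3 termination, which matches the half-offload-works observation above.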
Issue resolved after upgrading from 6.2.3 to 6.2.9
thanks for sharing