Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor II

TLS 1.3 full offloading not working


I have VMs in a VLAN and I am trying to support a TLS 1.3 load balancer with full offloading, but I can't get it to work (curl gets stuck, then no response from the server).


Things I tested with the same config:

- Virtual IP with TLS 1.3 works.

- Half offloading with TLS 1.3 works.

- If I change the config below to TLS 1.2 it works.


On the server side I have nginx with a basic TLS 1.3 config (`ssl_protocols TLSv1.3;` plus the certificate setup).


In FortiGate I have the certificates set up, and here is the load balancer config:


    edit "MY_TLS_LOADBALANCER"
        set type server-load-balance
        set extip ------.12
        set extintf "port1"
        set arp-reply enable
        set server-type https
        set nat-source-vip disable
        set gratuitous-arp-interval 0
        set http-ip-header enable
        set http-ip-header-name ''
        set ssl-client-rekey-count 0
        set ssl-hpkp disable
        set ssl-hsts disable
        set ldb-method static
        set persistence none
        set extport 443
        config realservers
            edit 1
                set ip
                set port 443
                set status active
                set holddown-interval 300
                set healthcheck vip
                set max-connections 0
                unset client-ip
            next
        end
        set http-multiplex disable
        set ssl-mode full
        set ssl-certificate "my_cert"
        set ssl-dh-bits 2048
        set ssl-algorithm medium
        set ssl-server-algorithm medium
        set ssl-pfs require
        set ssl-min-version tls-1.3
        set ssl-max-version tls-1.3
        set ssl-server-min-version client
        set ssl-server-max-version client
        set ssl-send-empty-frags enable
        set ssl-client-fallback enable
        set ssl-client-renegotiation secure
        set ssl-client-session-state-type both
        set ssl-client-session-state-timeout 30
        set ssl-client-session-state-max 1000
        set ssl-server-session-state-type both
        set ssl-server-session-state-timeout 60
        set ssl-server-session-state-max 100
        set max-embryonic-connections 1000
    next

and the firewall rule:

        set name "TEST_LOCAL_TLS1.3"
        set srcintf "WAN"
        set dstintf "MY_VLAN"
        set srcaddr "all"
        set dstaddr "LOCAL_HTTPS"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set inspection-mode proxy
        set ssl-ssh-profile "protect_server"
        set logtraffic all
        set capture-packet enable
        set fsso disable
        set tcp-mss-sender 1452
        set tcp-mss-receiver 1452
        set nat enable
        set match-vip enable
    next


I am attaching a packet capture of the internet-facing interface (.34 is the client IP, .12 the server IP)

and a packet capture of the VLAN (VM IP, 192.168.254: FG IP).


Any idea what's wrong?

Thanks and Regards
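A check that fits the troubleshooting list above, added here as an example and not part of the original post or of any Fortinet tooling: a POSIX shell script that pins openssl s_client to TLS 1.2 and then to TLS 1.3, first against the VIP and then against the real server directly, and reports what each side negotiates. With ssl-mode full and ssl-server-min/max-version set to client, the FortiGate re-handshakes to the backend with the client's version, so a VIP that fails only at TLS 1.3 while the backend negotiates TLS 1.3 fine points at the server-side handshake on the FortiGate rather than at nginx. It assumes openssl 1.1.1 or later in PATH; the host:port values and SNI name are placeholders, and the two s_client excerpts inside the script are constructed for the self-check, not captures from this thread.

```shell
#!/bin/sh
# Added example (not from the original post): compare TLS version negotiation
# at the VIP with negotiation at the backend, one pinned version at a time.
# Assumes openssl >= 1.1.1 is in PATH. Hosts and SNI below are placeholders.

# Extract the negotiated protocol from openssl s_client output.
# s_client prints "New, TLSv1.3, Cipher is ..." on success and
# "New, (NONE), Cipher is (NONE)" when the handshake did not complete,
# so this line (unlike the SSL-Session "Protocol" line) tells the two apart.
# Prints e.g. "TLSv1.3", or "none" when no handshake completed.
tls_negotiated() {
  # $1: captured s_client output
  proto=$(printf '%s\n' "$1" | sed -n 's/^New, \(TLSv[0-9.]*\), Cipher is .*/\1/p' | head -n 1)
  if [ -n "$proto" ]; then
    printf '%s\n' "$proto"
  else
    printf 'none\n'
  fi
}

# One handshake pinned to a single version flag (-tls1_2 or -tls1_3).
# stdin is closed so s_client exits right after the handshake; a stuck
# handshake (the symptom in the thread) is cut off by timeout when available.
tls_probe() {
  # $1: host:port  $2: version flag  $3: SNI name
  if command -v timeout >/dev/null 2>&1; then tmo="timeout 10"; else tmo=""; fi
  out=$(printf '' | $tmo openssl s_client -connect "$1" "$2" -servername "$3" 2>&1) || true
  tls_negotiated "$out"
}

# Run both versions against the VIP and the backend and print a small table.
tls_compare() {
  # $1: VIP host:port  $2: backend host:port  $3: SNI name
  for v in -tls1_2 -tls1_3; do
    printf '%-8s vip=%-8s backend=%s\n' "$v" \
      "$(tls_probe "$1" "$v" "$3")" "$(tls_probe "$2" "$v" "$3")"
  done
}

# Constructed s_client excerpts for the offline self-check (not real captures).
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384'

SAMPLE_FAIL='CONNECTED(00000003)
error:ssl routines:unexpected eof while reading
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : 0000'

# Usage: ./tlsprobe.sh VIP_HOST:443 BACKEND_HOST:443 www.example.test
# (placeholder values). With no arguments nothing is probed.
if [ $# -ge 2 ]; then
  tls_compare "$1" "$2" "${3:-}"
fi
```

A row reading `-tls1_3  vip=none  backend=TLSv1.3` reproduces the poster's situation (backend fine, VIP failing only for 1.3); `backend=none` for -tls1_3 would instead point at the nginx `ssl_protocols` line or its certificate chain. Runs on a machine that can reach both the VIP and the VLAN, such as a host inside the VLAN with a route to the external IP.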

New Contributor II

Issue resolved after upgrading from 6.2.3 to 6.2.9

Valued Contributor

Thanks for sharing.
