For some reason my original attempt to post this resulted in it being marked as spam, and I haven't heard from the moderators. So here it is again:
Hi all, I'm configuring my 70G on 7.2.12. I'm trying to set up a Virtual Server with load balancing and offloading a certificate via Let's Encrypt.
Via "diagnose sniffer packet any 'host [client ip redacted]'" I can see the traffic arriving on the wan1 interface, but without any response. I set up debug flow like so:
diagnose debug console timestamp enable
diagnose debug flow show iprope enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 100
diagnose debug flow filter addr [client ip redacted]
But requests to the virtual server don't generate any debug flow output.
The Virtual Server:
FortiGate-70G # diagnose firewall vip realserver list
alloc=2
------------------------------
vf=0 name=[the website name].com/1 class=4 type=1 [endpoint IP redacted]:(443-443), protocol=6
total=1 alive=1 power=1 ptr=332816741
ip=192.168.9.11-192.168.9.11/2283 adm_status=0 holddown_interval=300 max_connections=0 weight=1 option=01
alive=1 total=1 enable=00000001 alive=00000001 power=1
src_sz=0
id=0 status=up ks=0 us=0 events=1 bytes=0 rtt=0
And my policy for the traffic itself looks like this:
set name "PA virt site"
set uuid 5992dcde-c203-51f0-bbbd-405d525a5d96
set srcintf "WAN"
set dstintf "DMZ"
set action accept
set srcaddr "all"
set dstaddr "pasvr_web1"
set schedule "always"
set service "pa_tcp_2283" "HTTPS"
set inspection-mode proxy
set logtraffic all
and the configuration of the virtual server:
edit "[the website name].com"
set uuid c42ed598-c1fe-51f0-25d1-580eebe86d03
set type server-load-balance
set extip [endpoint IP redacted]
set extintf "wan1"
set server-type https
set http-ip-header enable
set monitor "Ping Monitor"
set ldb-method round-robin
set persistence http-cookie
set extport 443
config realservers
edit 1
set ip 192.168.9.11
set port 2283
next
end
set ssl-mode full
set ssl-certificate "[the website name].com"
next
I don't really know what to look into next. Can anyone offer any guidance?
Edit:
I managed to get a debug flow to work:
Packet Trace #103,2025/11/15 12:10:12,"vd-root:0 received a packet(proto=6, 172.56.109.212:17994->[endpoint IP redacted]:443) tun_id=0.0.0.0 from wan1. flag [S], seq 844257299, ack 0, win 65535"
Packet Trace #103,2025/11/15 12:10:12,allocate a new session-00b3394f
Packet Trace #103,2025/11/15 12:10:12,"in-[wan1], out-[]"
Packet Trace #103,2025/11/15 12:10:12,len=0
Packet Trace #103,2025/11/15 12:10:12,"result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
Packet Trace #103,2025/11/15 12:10:12,find a route: flag=80000000 gw-0.0.0.0 via root
Packet Trace #103,2025/11/15 12:10:12,"in-[wan1], out-[], skb_flags-02000000, vid-0"
Packet Trace #103,2025/11/15 12:10:12,"gnum-100017, check-00000000bd3ebc5b"
Packet Trace #103,2025/11/15 12:10:12,"after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
Packet Trace #103,2025/11/15 12:10:12,"in-[wan1], out-[], skb_flags-02000000, vid-0"
Packet Trace #103,2025/11/15 12:10:12,"gnum-100011, check-0000000017e2705a"
Packet Trace #103,2025/11/15 12:10:12,"after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
Packet Trace #103,2025/11/15 12:10:12,"gnum-100001, check-00000000bd3ebc5b"
Packet Trace #103,2025/11/15 12:10:12,"after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
Packet Trace #103,2025/11/15 12:10:12,"gnum-10000e, check-00000000bd3ebc5b"
Packet Trace #103,2025/11/15 12:10:12,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
Packet Trace #103,2025/11/15 12:10:12,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
Packet Trace #103,2025/11/15 12:10:12,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
Packet Trace #103,2025/11/15 12:10:12,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
Packet Trace #103,2025/11/15 12:10:12,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
Packet Trace #103,2025/11/15 12:10:12,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
Packet Trace #103,2025/11/15 12:10:12,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
Packet Trace #103,2025/11/15 12:10:12,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
Packet Trace #103,2025/11/15 12:10:12,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
Packet Trace #103,2025/11/15 12:10:12,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
Packet Trace #103,2025/11/15 12:10:12,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
Packet Trace #103,2025/11/15 12:10:12,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
Packet Trace #103,2025/11/15 12:10:12,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
Packet Trace #103,2025/11/15 12:10:12,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
Packet Trace #103,2025/11/15 12:10:12,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
Packet Trace #103,2025/11/15 12:10:12,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
Packet Trace #103,2025/11/15 12:10:12,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
Packet Trace #103,2025/11/15 12:10:12,"checked gnum-10000e policy-4294967295, ret-matched, act-accept"
Packet Trace #103,2025/11/15 12:10:12,"policy-4294967295 is matched, act-drop"
Packet Trace #103,2025/11/15 12:10:12,"gnum-10000e check result: ret-matched, act-drop, flag-00000001, flag2-00000000"
Packet Trace #103,2025/11/15 12:10:12,"after check: ret-matched, act-drop, flag-00000001, flag2-00000000"
Packet Trace #103,2025/11/15 12:10:12,"gnum-10000f, check-00000000bd3ebc5b"
Packet Trace #103,2025/11/15 12:10:12,"checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
Packet Trace #103,2025/11/15 12:10:12,"checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
Packet Trace #103,2025/11/15 12:10:12,"checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
Packet Trace #103,2025/11/15 12:10:12,"checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
Packet Trace #103,2025/11/15 12:10:12,"checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
Packet Trace #103,2025/11/15 12:10:12,"checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
Packet Trace #103,2025/11/15 12:10:12,"checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
Packet Trace #103,2025/11/15 12:10:12,"checked gnum-10000f policy-4294967295, ret-matched, act-accept"
Packet Trace #103,2025/11/15 12:10:12,"policy-4294967295 is matched, act-drop"
Packet Trace #103,2025/11/15 12:10:12,"gnum-10000f check result: ret-matched, act-drop, flag-00000801, flag2-00000000"
Packet Trace #103,2025/11/15 12:10:12,"after check: ret-matched, act-drop, flag-00000801, flag2-00000000"
Packet Trace #103,2025/11/15 12:10:12,"iprope_in_check() check failed on policy 0, drop"
Hello TheGorf,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Hi @TheGorf
Do you know what policy-4294967295 is? Is it a local-in policy or a firewall policy?
It looks like the traffic never hits your firewall policy; somehow, the traffic looks destined for the firewall itself. So make sure port 443 on that WAN IP is not used by the FortiGate itself (web admin, SSL VPN, etc.). If it is, move those to another port.
Hope it's helpful for you.
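The trace in the edit above ends with iprope_in_check() dropping the SYN on policy 4294967295 (0xFFFFFFFF, the all-ones id) in groups 10000e and 10000f, without any configured forwarding policy id ever appearing. Reading that by eye across a hundred lines is error-prone, so here is an added example, not part of this thread and not Fortinet code: a small Python parser for the CSV-style `diagnose debug flow` output that groups lines by trace number and reports, per trace, the ingress interface, the 5-tuple, the sequence of iprope groups checked, and the first group that matched and dropped. The sample input is the trace posted above with two assumptions: the redacted endpoint IP is replaced by the documentation address 198.51.100.10, and the long runs of identical "checked ... ret-no-match" lines are collapsed to one per group.

```python
import csv
import io
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: the trace posted above, with the redacted endpoint IP
# replaced by the documentation address 198.51.100.10 (an assumption) and the runs
# of identical "checked ... ret-no-match" lines collapsed to one per group.
SAMPLE_TRACE = '''\
Packet Trace #103,2025/11/15 12:10:12,"vd-root:0 received a packet(proto=6, 172.56.109.212:17994->198.51.100.10:443) tun_id=0.0.0.0 from wan1. flag [S], seq 844257299, ack 0, win 65535"
Packet Trace #103,2025/11/15 12:10:12,allocate a new session-00b3394f
Packet Trace #103,2025/11/15 12:10:12,"result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
Packet Trace #103,2025/11/15 12:10:12,find a route: flag=80000000 gw-0.0.0.0 via root
Packet Trace #103,2025/11/15 12:10:12,"gnum-100017, check-00000000bd3ebc5b"
Packet Trace #103,2025/11/15 12:10:12,"after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
Packet Trace #103,2025/11/15 12:10:12,"gnum-100011, check-0000000017e2705a"
Packet Trace #103,2025/11/15 12:10:12,"after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
Packet Trace #103,2025/11/15 12:10:12,"gnum-100001, check-00000000bd3ebc5b"
Packet Trace #103,2025/11/15 12:10:12,"after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
Packet Trace #103,2025/11/15 12:10:12,"gnum-10000e, check-00000000bd3ebc5b"
Packet Trace #103,2025/11/15 12:10:12,"checked gnum-10000e policy-4294967295, ret-matched, act-accept"
Packet Trace #103,2025/11/15 12:10:12,"policy-4294967295 is matched, act-drop"
Packet Trace #103,2025/11/15 12:10:12,"gnum-10000e check result: ret-matched, act-drop, flag-00000001, flag2-00000000"
Packet Trace #103,2025/11/15 12:10:12,"after check: ret-matched, act-drop, flag-00000001, flag2-00000000"
Packet Trace #103,2025/11/15 12:10:12,"gnum-10000f, check-00000000bd3ebc5b"
Packet Trace #103,2025/11/15 12:10:12,"checked gnum-10000f policy-4294967295, ret-matched, act-accept"
Packet Trace #103,2025/11/15 12:10:12,"policy-4294967295 is matched, act-drop"
Packet Trace #103,2025/11/15 12:10:12,"gnum-10000f check result: ret-matched, act-drop, flag-00000801, flag2-00000000"
Packet Trace #103,2025/11/15 12:10:12,"after check: ret-matched, act-drop, flag-00000801, flag2-00000000"
Packet Trace #103,2025/11/15 12:10:12,"iprope_in_check() check failed on policy 0, drop"
'''

PACKET_RE = re.compile(r'received a packet\(proto=(\d+), (\S+)->(\S+)\) .*? from (\S+)\.')
SESSION_RE = re.compile(r'allocate a new session-([0-9a-f]+)')
GROUP_RE = re.compile(r'^gnum-([0-9a-f]+), check-')          # start of one iprope group
AFTER_RE = re.compile(r'^after check: ret-(\S+), act-(\S+),')  # that group's outcome
MATCHED_RE = re.compile(r'^policy-(\d+) is matched, act-(\S+)')
FINAL_RE = re.compile(r'^(iprope_\w+)\(\) check failed on policy (\d+), (\w+)')

IMPLICIT_POLICY_ID = 0xFFFFFFFF  # 4294967295, the all-ones policy id seen in the trace


def is_implicit_policy(policy_id: int) -> bool:
    return policy_id == IMPLICIT_POLICY_ID


@dataclass
class TraceVerdict:
    trace_id: str
    proto: Optional[int] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    ingress: Optional[str] = None
    session: Optional[str] = None
    groups: list = field(default_factory=list)   # (gnum, ret, act) from each "after check"
    matched: list = field(default_factory=list)  # (gnum, policy_id, act) from "is matched"
    final: Optional[tuple] = None                # (function, policy_id, act) from "check failed"

    @property
    def dropped(self) -> bool:
        return self.final is not None and self.final[2] == 'drop'

    def first_drop(self) -> Optional[str]:
        # A group only decides the packet when ret is "matched": the trace above shows a
        # "ret-no-match, act-drop" group (100011) being passed over and checking continuing.
        for gnum, ret, act in self.groups:
            if ret == 'matched' and act == 'drop':
                return gnum
        return None


def parse_traces(text: str) -> dict:
    """Group debug-flow lines by trace number and extract each trace's verdict."""
    traces: dict = {}
    current_gnum: dict = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 3 or not row[0].startswith('Packet Trace #'):
            continue
        trace_id, msg = row[0].split('#', 1)[1], row[2].strip()
        tv = traces.setdefault(trace_id, TraceVerdict(trace_id))
        if m := PACKET_RE.search(msg):
            tv.proto, tv.src, tv.dst, tv.ingress = int(m[1]), m[2], m[3], m[4]
        elif m := SESSION_RE.search(msg):
            tv.session = m[1]
        elif m := GROUP_RE.match(msg):
            current_gnum[trace_id] = m[1]
        elif m := AFTER_RE.match(msg):
            tv.groups.append((current_gnum.get(trace_id), m[1], m[2]))
        elif m := MATCHED_RE.match(msg):
            tv.matched.append((current_gnum.get(trace_id), int(m[1]), m[2]))
        elif m := FINAL_RE.match(msg):
            tv.final = (m[1], int(m[2]), m[3])
    return traces


def explain(tv: TraceVerdict) -> str:
    head = f'trace {tv.trace_id}: proto {tv.proto} {tv.src} -> {tv.dst} in on {tv.ingress}'
    if not tv.dropped:
        return head + '; no drop recorded'
    gnum = tv.first_drop()
    ids = sorted({pid for g, pid, _ in tv.matched if g == gnum})
    tag = ' (implicit policy)' if ids and all(is_implicit_policy(p) for p in ids) else ''
    return (f'{head}; dropped by {tv.final[0]} in group {gnum} on policy '
            f'{",".join(map(str, ids))}{tag}; groups checked: '
            + ' '.join(g for g, _, _ in tv.groups))


if __name__ == '__main__':
    for verdict in parse_traces(SAMPLE_TRACE).values():
        print(verdict)
        print(explain(verdict))
```

Feed it the output of `diagnose debug flow trace start` saved to a file. When, as here, the only matched policy is the all-ones id, the drop is reported by iprope_in_check() and no configured forwarding policy number appears at all, the reply's point applies: the packet is being treated as addressed to the unit rather than forwarded through the VIP, so check what the FortiGate has bound on that address and port (`diagnose sys tcpsock` lists listening sockets) together with the interface's allowaccess, the HTTPS admin port and the SSL VPN port, and move anything on 443 elsewhere.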