Hi everyone,
I'd appreciate some help over this problem.
We use 3 DNS servers : 1 FortiGate DNS Server, and 2 DCs DNS. We can only use 2 IPs on most of our equipment, and we want to have FortiGate IP + Virtual IP (Load balancing to both DCs).
This means to stay on our LAN (X.X.0.0/16) only, and the VIP would be on the same network as the real servers.
Here is a scheme to get a better idea:
So for now I followed more or less this technical tip I found : https://community.fortinet.com/t5/FortiGate/Technical-Tip-VIP-IP-virtual-server-type-on-the-same-int...
I do have a Virtual server, and a corresponding address. Here are my configurations :
VIP:
Address:
Policies:
The issue is, whether from vlan10 or vlan213, I can't access at all to my VIP. The thing is, I am getting timed out and I'm not receiving a destination unreachable error. Still, the Hit count of my vip or the traffic trough my policies stays at 0.
Any hints on what I could try to do, check or change ?
Thanks a lot.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi Greed
Check if arp reply is enabled on the VIP, and enable it if it is disabled..
config firewall vip
edit "VIP Domain Controllers"
set arp-reply enable
next
end
Besides, the destination in your firewall rules should be the VIP/VS object, not the address object.
Hi AEK,
Thanks a lot for the answer. The ARP Reply was already enabled.
About the firewall policies, I can only put the address for the VLAN10 -> VLAN213 for example. That is why I created it to begin with, following the tip page I linked.
In facts, I can only add my VIP as a destination when the source interface is my VLAN213.
Can you disable health-check and try again?
And it actually worked!
The issue comes from the DNS Check. The other 3 are fine.
I might need some guidance on understanding why it wouldn't, knowing that DNS requests are working without the check activated.
I tried putting my VIP as the unique DNS on a test machine and it could resolve everything I need without any issue or delay. That's great, thanks !
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1547 | |
1030 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.