Greed
New Contributor II

Virtual IP (VIP) (VIRTUAL SERVER TYPE) for a same network as the Real Servers

Hi everyone,

I'd appreciate some help with this problem.

We use 3 DNS servers: 1 FortiGate DNS server and 2 DC DNS servers. We can only use 2 IPs on most of our equipment, and we want to have FortiGate IP + Virtual IP (load balancing to both DCs).

This means staying on our LAN (X.X.0.0/16) only, and the VIP would be on the same network as the real servers.

Here is a diagram to give a better idea:

[image: fortiforum.png]

So far I have more or less followed this technical tip I found: https://community.fortinet.com/t5/FortiGate/Technical-Tip-VIP-IP-virtual-server-type-on-the-same-int...

I do have a virtual server and a corresponding address. Here are my configurations:

VIP:

[image: vip.png]

Address:

[image: Address.png]

Policies:

[image: policies.png]

The issue is, whether from vlan10 or vlan213, I can't access my VIP at all. I am getting timed out and I'm not receiving a destination unreachable error. Still, the hit count of my VIP and the traffic through my policies stay at 0.

Any hints on what I could try to do, check or change?

Thanks a lot.

4 REPLIES

AEK
SuperUser

Hi Greed

Check if ARP reply is enabled on the VIP, and enable it if it is disabled.

config firewall vip
    edit "VIP Domain Controllers"
        set arp-reply enable
    next
end

Besides, the destination in your firewall rules should be the VIP/VS object, not the address object.

AEK
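As an added illustration of the two points above (not from AEK's post or from Fortinet documentation), this is what the equivalent CLI configuration could look like: a virtual-server VIP for UDP/53 with ARP reply enabled, and a policy whose destination is the VIP object itself. The VIP address, interface names, real-server IPs and monitor name are assumed placeholders; `extintf any` and `nat enable` are assumptions (to let the VIP be selected from other source interfaces and to make same-subnet replies return via the FortiGate), not settings stated in the thread.

```text
# Added example with assumed values: virtual-server VIP with ARP reply enabled
config firewall vip
    edit "VIP Domain Controllers"
        set type server-load-balance
        set extip 10.10.213.53          # placeholder VIP on the same LAN as the DCs
        set extintf "any"               # assumption: allows policies from other interfaces to reference this VIP
        set server-type udp
        set extport 53
        set arp-reply enable            # the setting AEK asks to verify
        set ldb-method round-robin
        set monitor "dns-monitor"       # placeholder name of an existing ldb-monitor; remove to test without a health check
        config realservers
            edit 1
                set ip 10.10.213.11     # placeholder DC1
                set port 53
            next
            edit 2
                set ip 10.10.213.12     # placeholder DC2
                set port 53
            next
        end
    next
end

# Policy destination is the VIP object, not a plain address object
config firewall policy
    edit 0
        set name "vlan10-to-DNS-VIP"
        set srcintf "vlan10"
        set dstintf "vlan213"
        set srcaddr "all"
        set dstaddr "VIP Domain Controllers"
        set action accept
        set schedule "always"
        set service "DNS"
        set nat enable                  # assumption: source NAT so real-server replies come back through the FortiGate
    next
end
```

If the VIP hit count stays at 0 with the monitor configured, the health check may be marking every real server down, which is the direction AEK's follow-up reply points at.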
Greed
New Contributor II

Hi AEK,

Thanks a lot for the answer. The ARP reply was already enabled.

About the firewall policies, I can only put the address for VLAN10 -> VLAN213, for example. That is why I created it to begin with, following the tip page I linked.

In fact, I can only add my VIP as a destination when the source interface is my VLAN213.

AEK

Can you disable health-check and try again?

AEK
Greed
New Contributor II

And it actually worked!

The issue comes from the DNS check. The other 3 are fine.

I might need some guidance on understanding why it wouldn't work, knowing that DNS requests are working without the check activated.

I tried putting my VIP as the only DNS on a test machine and it could resolve everything I need without any issue or delay. That's great, thanks!
