Virtual IP stops working
Howdy,
We have seen an issue at least 2-3 times where a VIP seems to stop working. The most recent one in question was to a Linux box via SSH. The connection just completely stops working. The only way to fix the issue, besides maybe rebooting, is to edit the VIP to be incorrect, and then go back in and correct it. After this the connection works. We have also seen this with some IPsec VPN tunnels, and we have to do the same process to get them up.
We have noticed this on firmwares up to 4.2.15 and 4.3.12.
Any thoughts?
Thanks!
Alan
5 REPLIES
Q: VIP for IPsec/SSH: how's the IKE/TCP timers, and how are you identifying that the VIP stops working?
PCNSE
NSE
StrongSwan
Do you mean like a session TTL? If so, I don't have any set for the SSH VIP (other than what might be a system default). The way we tell is when a client starts complaining. :( When it's down we can try to connect from a different location and it does not respond.
Why do we first start by identifying the config and the type of VIP
show firewall vip "name here"
Also, if it's a load-balance VIP with health checks, execute the following:
diag firewall vip virtual-server real-server list
diag firewall vip realserver list
And in your diagnostic, you need to run packet diag sniffer to make sure traffic is getting to the firewall when you realize it's down and users are complaining.
PCNSE
NSE
StrongSwan
No load balancing here.
set extip 208.1.1.1 (<- IP changed obviously)
set extintf "wan1"
set portforward enable
set mappedip 192.168.251.1
set extport 22
set mappedport 22
I did not run the diag sniffer unfortunately due to the client being on the phone, but I can try to remember for next time.
Had this happen again. :(
I ran a packet diag sniff and found that no packets were recorded for some reason. As soon as I changed a setting in the VIP, saved, changed back, saved, it started working again and I saw traffic being flagged by the sniffer. The strange part is that I rebooted the FortiGate before this and there was no change. :\
Any ideas?