Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
NG2
New Contributor

No Internet Access for Real Servers when using Load Balancing on Local LAN

Good afternoon,

I have a slightly puzzling issue. I have set up a virtual server to act as a load balancer for two real servers on our local LAN (HTTP & HTTPS traffic). This has been set up and is working fine in active/standby mode. I have been able to swap over the active and standby servers without any issue and can access the web page via the load-balanced IP.

The issue I now have is that neither of the real servers can access the internet.

I have followed the tip in the link below to try to resolve the issue but it hasn't worked

Technical Tip: VIP IP (virtual server type) on the... - Fortinet Community

I have tried turning NAT on and off for the various policies that the servers are using (according to the logs), but I still can't get these servers to access the internet.

This is the policy I have enabled to get the load balancer working:

[Screenshot: LB Policy.png, the firewall policy used for the virtual server]

If I disable the above policy, the real servers can access the internet again, but the load-balanced IP is then unresponsive.

Has anyone had a similar issue or know how I can resolve this issue?

Model: FortiGate 100F

Firmware: v7.0.12 build0523

Thanks

6 REPLIES
mushqji
New Contributor

Yes, there's something about LBs that I don't understand. That's why these questions pop up in my head. So, if LBs act in a pair, what is the thing that decides which of the LBs the network traffic goes to? And why can't that "thing" (if it even is a physical thing) just choose directly between the servers instead and skip the LB step?

NG2
New Contributor

Would be a lot easier right...

I think it's definitely something to do with NAT and FortiGate virtual servers.

I have a constant ping going to 8.8.8.8. In the logs it looks like it can send but not receive any packets:

[Screenshots: LB Log1.png, LB Log2.png, LB Log3.png, traffic log entries for the ping to 8.8.8.8]

Real servers: x.x.x.155 & x.x.x.156

Load Balancer: x.x.x.157

The NAT IP is the load balancer, so it must have something to do with that?

hbac

Hi @NG2,

What do you mean by "the NAT IP is the load balancer"? Is x.x.x.157 the IP address of wan2? Please run the following commands and try to ping again:

get router info routing-table all
diagnose sniffer packet any 'host 8.8.8.8 and icmp' 4 0 l

Regards, 

NG2
New Contributor

Hi @hbac 

x.x.x.157 is the load balancer (virtual server) IP. The IP of our WAN is 62.x.x.32 (sorry for the x's, but I don't want to share all our local and public IPs).

Can I send you a private message with the output of those commands?

Thanks

hbac

@NG2,

Please provide a network diagram so I can better understand the topology.

Regards, 

ezhupa

Hello,

By default, when there is a VIP/virtual server configuration, the internal or mapped IP (in this case the IP of the real servers) will be source NATed with the external IP from the VIP/virtual server configuration.
One way to circumvent this is to have NAT via an IP pool performed on the original "Internet Access" policy, LAN -> WAN.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-a-VIP-s-External-IP-Address-for...
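A worked FortiOS CLI configuration for the fix ezhupa describes, added here as an example; it is not taken from the thread, the screenshots, or Fortinet's documentation. It assumes the LAN interface is named internal, the Internet-facing interface is wan2, the virtual server is 192.0.2.157 with real servers 192.0.2.155 and 192.0.2.156 (documentation placeholders standing in for the x.x.x. addresses in the thread), and the public WAN address is 203.0.113.32. The object names web-vs and wan2-snat-pool and the policy IDs are arbitrary. The first two objects reproduce the poster's setup (an HTTP virtual server in active/standby and the LAN policy that reaches it); the IP pool and the last policy are the fix.

```fortios
# Added example, not from the thread. Addresses, interface names,
# object names and policy IDs are placeholders (assumptions).

# 1. Virtual server (server-load-balance VIP) living on the LAN.
#    Real server 2 is "standby", so it only receives traffic when
#    real server 1 is down, matching the active/standby setup described.
config firewall vip
    edit "web-vs"
        set type server-load-balance
        set extintf "internal"
        set extip 192.0.2.157
        set server-type http
        set extport 80
        set ldb-method first-alive
        config realservers
            edit 1
                set ip 192.0.2.155
                set port 80
                set status active
            next
            edit 2
                set ip 192.0.2.156
                set port 80
                set status standby
            next
        end
    next
end

# 2. LAN clients reaching the virtual server. NAT stays enabled here:
#    clients and real servers share a subnet, so without source NAT the
#    real server would answer the client directly and bypass the FortiGate.
config firewall policy
    edit 20
        set name "LAN-to-web-vs"
        set srcintf "internal"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "web-vs"
        set action accept
        set schedule "always"
        set service "HTTP"
        set nat enable
    next
end

# 3. The fix. With plain "set nat enable" the real servers' outbound
#    traffic is source-NATed to the VIP's external IP (a LAN address),
#    so replies from the Internet never come back. An IP pool bound to the
#    WAN address takes precedence over the VIP external IP for source NAT.
config firewall ippool
    edit "wan2-snat-pool"
        set type overload
        set startip 203.0.113.32
        set endip 203.0.113.32
    next
end

config firewall policy
    edit 10
        set name "LAN-to-Internet"
        set srcintf "internal"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "wan2-snat-pool"
    next
end
```

To confirm the change took effect, start the ping to 8.8.8.8 from a real server again and run `diagnose sniffer packet wan2 'host 8.8.8.8 and icmp' 4 0 l`: the outbound echo requests should now carry the pool address (203.0.113.32 in this example) as their source, and echo replies should appear on wan2. `diagnose sys session list` for that session should likewise show the pool address rather than the VIP's external IP. The HTTPS side of the original setup needs a second VIP with `set server-type https`, which additionally requires `set ssl-certificate` pointing at a certificate installed on the FortiGate; the IP pool fix applies to it unchanged.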
