Fortinet black logo

Handbook

Home FortiGSLB Handbook

Health check troubleshooting

Health check troubleshooting

When a health check fails or is down, FortiGSLB Cloud provides the details and reasons for the failure for troubleshooting. The below is a list of frequently occurring error messages and how to troubleshoot them according to each health check type.

DNS health check

Error message

When this message will show

How to troubleshoot this error
DNS service refused FortiGSLB sends the DNS query request to your service, but it only gets the response that it was refused, i.e. your DNS server does not have the information about the domain.
  1. In your FortiGSLB DNS Health Check configuration, ensure the Domain Name field is correct. This needs to match the domain name on your DNS server.
  2. Ensure the virtual server IP configured in FortiGSLB matches your DNS server IP address.
DNS record mismatch FortiGSLB sends the DNS query request to your service, and gets the response from your service for the domain. But the IP address in the response does not match what you have configured in FortiGSLB. In your FortiGSLB DNS Health Check configuration, ensure the Host Address field matches your domain server IP address.
DNS request timeout FortiGSLB sends the DNS query request to your service, but does not get the response from your service within the specified time.
  1. In your FortiGSLB DNS Health Check configuration, ensure the Timeout field is not set too short.
  2. Check if there is a firewall in front of your service that may be blocking the FortiGSLB health check packet.
  3. Try your service from your local.
  4. Capture packet on your service server to check if the DNS request reaches your server.
ICMP health check

Error message

When this message will show

How to troubleshoot this error
ICMP check failed on service FortiGSLB sends the ICMP echo request to your service, but does not receive the ICMP echo reply from your service.
  1. Check if there is a firewall in front of your service that may be blocking the FortiGSLB health check packet.
  2. Try your service from your local.
  3. Capture packet on your service server to check if the ICMP request reaches your server.
TCP/TCP Echo

Error message

When this message will show

How to troubleshoot this error
TCP check failed on service FortiGSLB sends the TCP/TCP echo request to your service, but does not receive the reply from your service.
  1. In your FortiGSLB TCP Health Check configuration, ensure the Port field is correct.
  2. Check if your service is listening on the TCP port.
  3. Check if there is a firewall in front of your service that may be blocking the FortiGSLB health check packet.
  4. Try your service from your local.
  5. Capture packet on your service server to check if the TCP/TCP echo request reaches your server.
UDP health check

Error message

When this message will show

How to troubleshoot this error
UDP check failed on service FortiGSLB sends the UDP request to your service, but does not receive the reply from your service.
  1. In your FortiGSLB UDP Health Check configuration, ensure the Port field is correct.
  2. Check if your service is listening on the UDP port.
  3. Check if there is a firewall in front of your service that may be blocking the FortiGSLB health check packet.
  4. Try your service from your local.
  5. Capture packet on your service server to check if the UDP request reaches your server.
HTTP/ HTTPS health check

Error message

When this message will show

How to troubleshoot this error
Connect to server timeout or Connect failed FortiGSLB sends the HTTP/HTTPS request to your service, but cannot get the response from your service within the specified time.
  1. In your FortiGSLB HTTP/ HTTPS Health Check configuration, ensure the Timeout field is not set too short, and the Port field is correct.
  2. Check if your service is listening on the TCP port.
  3. Check if there is a firewall in front of your service that may be blocking the FortiGSLB health check packet.
  4. Try your service from your local.
  5. Capture packet on your service server to check if the HTTP/HTTPS request reaches your server.
HTTP received message mismatch FortiGSLB sends the HTTP/HTTPS request to your server, and gets the response. But the response does not match your configured “Receive String”.
  1. In your FortiGSLB HTTP/ HTTPS Health Check configuration, ensure the Send String field is correct, and the Receive String is in the response from your server.
  2. Ensure the virtual server or application IP address is correct.
HTTP status code mismatch, the code is 401(Unauthorized) FortiGSLB sends the HTTP/HTTPS request with the Username and Password to your server, and the server responds with code 401.
  1. In your FortiGSLB HTTP/ HTTPS Health Check configuration, ensure the Port, Username, and Password fields are correct.
  2. Ensure the username and password have been authorized by your server.

HTTP status code mismatch, the code is 404(Not Found)

FortiGSLB sends the HTTP/HTTPS request to your server, the server responds with code 404.
  1. In your FortiGSLB HTTP/ HTTPS Health Check configuration, ensure the Send String and Port fields are correct.
  2. Ensure the virtual server or application IP address is correct.

HTTP status code mismatch, the code is 502(Bad Gateway)

FortiGSLB sends the HTTP/HTTPS request to your server, and the server responds with code 502.
  1. Check if there is a firewall in front of your service that may be blocking the FortiGSLB health check packet.
  2. Try your service from your local.
  3. Capture packet on your service server to check if the HTTP/HTTPS request reaches your server.
  4. Check if there are too many requests sent to your server at the same time.

HTTP status code mismatch, the code is 503(Service Unavailable)

FortiGSLB sends the HTTP/HTTPS request to your server, and the server responds with code 503.
  1. Check if there is a firewall in front of your service that may be blocking the FortiGSLB health check packet.
  2. Try your service from your local.
  3. Capture packet on your service server to check if the HTTP/HTTPS request reaches your server.

HTTP status code mismatch

FortiGSLB sends the HTTP/HTTPS request to your server, and the server responds with an error code not specified above.

In your FortiGSLB HTTP/ HTTPS Health Check configuration, ensure the Send String field is correct and the Status code is as expected.

SSL connection error

FortiGSLB sends the HTTPS request with the certificate to your service and gets an error response that the certificate does not match.

In your FortiGSLB HTTPS Health Check configuration, ensure the Allowed SSL Versions and SSL Ciphers fields are correct, that the content of the Local Cert is correct.

Proxy connect error

FortiGSLB sends the HTTP Connect request to your proxy server, but does not get any response from the server.
  1. In your FortiGSLB HTTP/ HTTPS Health Check configuration, ensure the Remote Host, Remote Port and Port fields are correct.
  2. Check if there is a firewall in front of your proxy server that may be blocking the FortiGSLB health check packet.
  3. Capture packet on your service server to check if the HTTP request reaches your server.
Previous
Next

Health check troubleshooting

When a health check fails or is down, FortiGSLB Cloud provides the details and reasons for the failure for troubleshooting. The below is a list of frequently occurring error messages and how to troubleshoot them according to each health check type.

DNS health check

Error message

When this message will show

How to troubleshoot this error
DNS service refused FortiGSLB sends the DNS query request to your service, but it only gets the response that it was refused, i.e. your DNS server does not have the information about the domain.
  1. In your FortiGSLB DNS Health Check configuration, ensure the Domain Name field is correct. This needs to match the domain name on your DNS server.
  2. Ensure the virtual server IP configured in FortiGSLB matches your DNS server IP address.
DNS record mismatch FortiGSLB sends the DNS query request to your service, and gets the response from your service for the domain. But the IP address in the response does not match what you have configured in FortiGSLB. In your FortiGSLB DNS Health Check configuration, ensure the Host Address field matches your domain server IP address.
DNS request timeout FortiGSLB sends the DNS query request to your service, but does not get the response from your service within the specified time.
  1. In your FortiGSLB DNS Health Check configuration, ensure the Timeout field is not set too short.
  2. Check if there is a firewall in front of your service that may be blocking the FortiGSLB health check packet.
  3. Try your service from your local.
  4. Capture packet on your service server to check if the DNS request reaches your server.
ICMP health check

Error message

When this message will show

How to troubleshoot this error
ICMP check failed on service FortiGSLB sends the ICMP echo request to your service, but does not receive the ICMP echo reply from your service.
  1. Check if there is a firewall in front of your service that may be blocking the FortiGSLB health check packet.
  2. Try your service from your local.
  3. Capture packet on your service server to check if the ICMP request reaches your server.
TCP/TCP Echo

Error message

When this message will show

How to troubleshoot this error
TCP check failed on service FortiGSLB sends the TCP/TCP echo request to your service, but does not receive the reply from your service.
  1. In your FortiGSLB TCP Health Check configuration, ensure the Port field is correct.
  2. Check if your service is listening on the TCP port.
  3. Check if there is a firewall in front of your service that may be blocking the FortiGSLB health check packet.
  4. Try your service from your local.
  5. Capture packet on your service server to check if the TCP/TCP echo request reaches your server.
UDP health check

Error message

When this message will show

How to troubleshoot this error
UDP check failed on service FortiGSLB sends the UDP request to your service, but does not receive the reply from your service.
  1. In your FortiGSLB UDP Health Check configuration, ensure the Port field is correct.
  2. Check if your service is listening on the UDP port.
  3. Check if there is a firewall in front of your service that may be blocking the FortiGSLB health check packet.
  4. Try your service from your local.
  5. Capture packet on your service server to check if the UDP request reaches your server.
HTTP/ HTTPS health check

Error message

When this message will show

How to troubleshoot this error
Connect to server timeout or Connect failed FortiGSLB sends the HTTP/HTTPS request to your service, but cannot get the response from your service within the specified time.
  1. In your FortiGSLB HTTP/ HTTPS Health Check configuration, ensure the Timeout field is not set too short, and the Port field is correct.
  2. Check if your service is listening on the TCP port.
  3. Check if there is a firewall in front of your service that may be blocking the FortiGSLB health check packet.
  4. Try your service from your local.
  5. Capture packet on your service server to check if the HTTP/HTTPS request reaches your server.
HTTP received message mismatch FortiGSLB sends the HTTP/HTTPS request to your server, and gets the response. But the response does not match your configured “Receive String”.
  1. In your FortiGSLB HTTP/ HTTPS Health Check configuration, ensure the Send String field is correct, and the Receive String is in the response from your server.
  2. Ensure the virtual server or application IP address is correct.
HTTP status code mismatch, the code is 401(Unauthorized) FortiGSLB sends the HTTP/HTTPS request with the Username and Password to your server, and the server responds with code 401.
  1. In your FortiGSLB HTTP/ HTTPS Health Check configuration, ensure the Port, Username, and Password fields are correct.
  2. Ensure the username and password have been authorized by your server.

HTTP status code mismatch, the code is 404(Not Found)

FortiGSLB sends the HTTP/HTTPS request to your server, the server responds with code 404.
  1. In your FortiGSLB HTTP/ HTTPS Health Check configuration, ensure the Send String and Port fields are correct.
  2. Ensure the virtual server or application IP address is correct.

HTTP status code mismatch, the code is 502(Bad Gateway)

FortiGSLB sends the HTTP/HTTPS request to your server, and the server responds with code 502.
  1. Check if there is a firewall in front of your service that may be blocking the FortiGSLB health check packet.
  2. Try your service from your local.
  3. Capture packet on your service server to check if the HTTP/HTTPS request reaches your server.
  4. Check if there are too many requests sent to your server at the same time.

HTTP status code mismatch, the code is 503(Service Unavailable)

FortiGSLB sends the HTTP/HTTPS request to your server, and the server responds with code 503.
  1. Check if there is a firewall in front of your service that may be blocking the FortiGSLB health check packet.
  2. Try your service from your local.
  3. Capture packet on your service server to check if the HTTP/HTTPS request reaches your server.

HTTP status code mismatch

FortiGSLB sends the HTTP/HTTPS request to your server, and the server responds with an error code not specified above.

In your FortiGSLB HTTP/ HTTPS Health Check configuration, ensure the Send String field is correct and the Status code is as expected.

SSL connection error

FortiGSLB sends the HTTPS request with the certificate to your service and gets an error response that the certificate does not match.

In your FortiGSLB HTTPS Health Check configuration, ensure the Allowed SSL Versions and SSL Ciphers fields are correct, that the content of the Local Cert is correct.

Proxy connect error

FortiGSLB sends the HTTP Connect request to your proxy server, but does not get any response from the server.
  1. In your FortiGSLB HTTP/ HTTPS Health Check configuration, ensure the Remote Host, Remote Port and Port fields are correct.
  2. Check if there is a firewall in front of your proxy server that may be blocking the FortiGSLB health check packet.
  3. Capture packet on your service server to check if the HTTP request reaches your server.
Previous
Next