Connectivity and Configuration Issues

Terminal or terminal emulator may not be properly configured

Check the serial cable connection and the communication settings of the terminal or terminal emulator. Refer to Setting Up a Terminal or Terminal Emulator for the appropriate settings for your appliance. If you are using terminal emulation software on a Windows or Unix system, make sure the terminal emulation software is connecting to the port to which the serial cable is connected.

Packets from the server are not being routed back through ADC

Log on to the server(s) and check the routing tables. Perform a traceroute (or tracert on Windows) from the server to the client. Adjust route until the ADCs address shows up in the traceroute output.

	All packets sent from the server back to clients must pass through the ADC on the way back to the client unless the spoof cluster option is disabled, or Direct Server Return (DSR) is configured.

Test client is on the same network as the servers

If the test client is on the same network as the servers, the servers will probably try to send data packets directly to the client, bypassing the ADC. You can correct this by adding host routes on the servers so that the servers send their reply packets back to the client through the ADC.

No active servers in the virtual cluster

Possible solutions:

• Check the cluster configuration: Is a server pool assigned to the cluster? Are there server instances in the server pool and are they all marked UP?
• Log onto one of the servers and run the netstat command. If the netstat output shows connections in the SYN-RCVD state, the server is not forwarding its reply packets.

The ADC is not active

Try to ping one of the configured subnet IP addresses. If you do not get a response, “FortiADC Doesn’t Respond to Pings to the Admin Address” provides additional troubleshooting information.

GUI not enabled

Services flags at the global and subnet level control availability of the GUI. It must be enabled globally and on at least one subnet in order to be accessible. Access the GUI using the subnet IP address on which either of the HTTP or HTTPS services is enabled.

ADC is not active

Try to ping the administration address. If you do not get a response, see “FortiADC doesn’t respond to pings to the admin address” below, which provides additional troubleshooting information.

Browser cache needs to be cleared

After an upgrade, the GUI may need to be completely reloaded before it can be used again, depending on the level of change to the GUI code contained in the upgrade. You can do this by clearing your browser cache; or, closing your browser and opening it again to establish a new connection.

Equalizer is not powered on

Check that power switch is on and the front panel LED is lit. Connect the keyboard and monitor, cycle the power, and watch the startup diagnostic messages.

Equalizer isn't connected to your network

Check the network wiring.

Use diagnostic tools to check connectivity and routing

See Using Diagnostic Commands for a list of the diagnostic tools available in the CLI.

IP spoofing is enabled

This problem normally occurs in a single network setup. When you enable IP spoofing, clustered servers see the client’s IP address. If the server tries to reply directly to the client, the client will reject the reply (it had sent its request to a different address).

Run a traceroute to ensure that routes from a server to a client go through FortiADC and not directly back to the client. If FortiADC does not appear, modify the route to include FortiADC. Alternatively, you can disable IP spoofing.

There are several reasons this could be happening. Make sure that FortiADC is being used as the default gateway on all your servers, and that the server service or daemon is running. Sometimes additional host or network routes will need to be added to the clustered servers in single network. The traceroute (Unix) and tracert (Windows) commands are useful diagnostic tools. Trace from the clustered server back to any client that is not able to resolve the cluster address. If FortiADCis not showing up as the first hop, routing is the cause of the problem.

Turn off the Pop-up Blocker for your browser.

If you have one or more HTTPS clusters defined, you may see the following messages in the FortiADC log:

ssl_err: 425:error:1408F10B: SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:360: ssl_err: fatal error with ip_address

These messages indicate that a client has sent an HTTPS request to an HTTPS cluster, but has requested an SSL/TLS version that is not configured on the cluster. These messages are logged by the SSL implementation used by FortiADC and do not necessarily indicate a problem on FortiADC.

For example, if you configure the HTTPS cluster to support SSLv3 ciphers only, then any time a client requests a connection using an SSLv2 cipher, SSL will log these messages. Check the cipher suite for the HTTPS cluster and the configuration of the client to ensure that the desired SSL versions are being used.