Fortinet black logo

Handbook

Load balancing diagnose commands

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:208911
Download PDF

Load balancing diagnose commands

You can also use the following diagnose commands to view status information for load balancing virtual servers and real servers:

diagnose firewall vip realserver {down | healthcheck | list | up}

diagnose firewall vip virtual-server {filter | real-server | stats}

For example, the following command lists and displays status information for all real servers:

diagnose firewall vip virtual-server real-server

vd root/0 vs vs/2 addr 10.31.101.30:80 status 1/1

conn: max 0 active 0 attempts 0 success 0 drop 0 fail 0

vd root/0 vs vs/2 addr 10.31.101.20:80 status 1/1

conn: max 0 active 0 attempts 0 success 0 drop 0 fail 0

Many of the diagnostic commands involve retrieving information about one or more virtual servers. To control which servers are queried you can define a filter:

diagnose firewall vip virtual-server filter <filter_str>

Where <filter_str> can be:

  • clear erase the current filter
  • dst the destination address range to filter by
  • dst-port the destination port range to filter by
  • list display the current filter
  • name the vip name to filter by
  • negate negate the specified filter parameter
  • src the source address range to filter by
  • src-port the source port range to filter by
  • vd index of virtual domain. -1 matches all

The default filter is empty so no filtering is done.

Logging diagnostics

The logging diagnostics provide information about two separate features:

diagnose firewall vip virtual-server filter

  • filter sets a filter for the virtual server debug log
  • The filter option controls what entries the virtual server daemon will log to the console if diagnose wad debug enable category vs is enabled. The filtering can be done on source, destination, virtual-server name, virtual domain, and so on:

diagnose firewall vip virtual-server filter <filter_str>

Where <filter_str> can be

  • clear erase the current filter
  • dst the destination address range to filter by
  • dst-port the destination port range to filter by
  • list display the current filter
  • name the virtual-server name to filter by
  • negate negate the specified filter parameter
  • src the source address range to filter by
  • src-port the source port range to filter by
  • vd index of virtual domain. -1 matches all

The default filter is empty so no filtering is done.

Real server diagnostics

Enter the following command to list all the real servers:

diagnose firewall vip virtual-server real-server list

In the following example there is only one virtual server called slb and it has two real-servers:

diagnose firewall vip virtual-server server

vd root/0 vs slb/2 addr 172.16.67.191:80 status 1/1

conn: max 10 active 0 attempts 0 success 0 drop 0 fail 0

http: available 0 total 0

vd root/0 vs slb/2 addr 172.16.67.192:80 status 1/1

conn: max 10 active 1 attempts 4 success 4 drop 0 fail 0

http: available 1 total 1

The status indicates the administrative and operational status of the real-server.

  • max indicates that the real-server will only allow 10 concurrent connections.
  • active is the number of current connections to the server attempts is the total number of connections attempted success is the total number of connections that were successful.
  • drop is the total number of connections that were dropped because the active count hit max.
  • fail is the total number of connections that failed to complete due to some internal problem (for example, lack of memory).

If the virtual server has HTTP multiplexing enabled then the HTTP section indicates how many established connections to the real-sever are available to service a HTTP request and also the total number of connections.

Load balancing diagnose commands

You can also use the following diagnose commands to view status information for load balancing virtual servers and real servers:

diagnose firewall vip realserver {down | healthcheck | list | up}

diagnose firewall vip virtual-server {filter | real-server | stats}

For example, the following command lists and displays status information for all real servers:

diagnose firewall vip virtual-server real-server

vd root/0 vs vs/2 addr 10.31.101.30:80 status 1/1

conn: max 0 active 0 attempts 0 success 0 drop 0 fail 0

vd root/0 vs vs/2 addr 10.31.101.20:80 status 1/1

conn: max 0 active 0 attempts 0 success 0 drop 0 fail 0

Many of the diagnostic commands involve retrieving information about one or more virtual servers. To control which servers are queried you can define a filter:

diagnose firewall vip virtual-server filter <filter_str>

Where <filter_str> can be:

  • clear erase the current filter
  • dst the destination address range to filter by
  • dst-port the destination port range to filter by
  • list display the current filter
  • name the vip name to filter by
  • negate negate the specified filter parameter
  • src the source address range to filter by
  • src-port the source port range to filter by
  • vd index of virtual domain. -1 matches all

The default filter is empty so no filtering is done.

Logging diagnostics

The logging diagnostics provide information about two separate features:

diagnose firewall vip virtual-server filter

  • filter sets a filter for the virtual server debug log
  • The filter option controls what entries the virtual server daemon will log to the console if diagnose wad debug enable category vs is enabled. The filtering can be done on source, destination, virtual-server name, virtual domain, and so on:

diagnose firewall vip virtual-server filter <filter_str>

Where <filter_str> can be

  • clear erase the current filter
  • dst the destination address range to filter by
  • dst-port the destination port range to filter by
  • list display the current filter
  • name the virtual-server name to filter by
  • negate negate the specified filter parameter
  • src the source address range to filter by
  • src-port the source port range to filter by
  • vd index of virtual domain. -1 matches all

The default filter is empty so no filtering is done.

Real server diagnostics

Enter the following command to list all the real servers:

diagnose firewall vip virtual-server real-server list

In the following example there is only one virtual server called slb and it has two real-servers:

diagnose firewall vip virtual-server server

vd root/0 vs slb/2 addr 172.16.67.191:80 status 1/1

conn: max 10 active 0 attempts 0 success 0 drop 0 fail 0

http: available 0 total 0

vd root/0 vs slb/2 addr 172.16.67.192:80 status 1/1

conn: max 10 active 1 attempts 4 success 4 drop 0 fail 0

http: available 1 total 1

The status indicates the administrative and operational status of the real-server.

  • max indicates that the real-server will only allow 10 concurrent connections.
  • active is the number of current connections to the server attempts is the total number of connections attempted success is the total number of connections that were successful.
  • drop is the total number of connections that were dropped because the active count hit max.
  • fail is the total number of connections that failed to complete due to some internal problem (for example, lack of memory).

If the virtual server has HTTP multiplexing enabled then the HTTP section indicates how many established connections to the real-sever are available to service a HTTP request and also the total number of connections.