FortiGate
nprakash
Staff
Article Id 306932
Description

This article describes an issue reported in FOS versions 7.4.1-7.4.3 where HTTPS access to the GUI is lost after an upgrade.

Scope

FortiOS 7.4.1-7.4.3.

Solution

The issue can be confirmed by collecting the logs below:

  1. Sniffer on FortiGate for port 443:

diag sniffer packet any " port 443 and host <src_ip>" 4 0 l

A snippet is shown below to explain this behavior:

2024-02-22 16:47:52.268974 wan1 in 40.40.40.40.59275 -> 75.75.75.75.443: syn 4063577803
2024-02-22 16:47:52.269091 wan2 out 75.75.75.75.443 -> 40.40.40.40.59275: syn 3402131812 ack 4063577804

40.40.40.40 is the source IP and 75.75.75.75 is the WAN1 IP address.

Traffic is received on WAN1, but the reply is sent out via WAN2 with the IP address of WAN1 as the source.

  2. The routing table on the FortiGate can show active routes via both WAN1 and WAN2 (ECMP/SD-WAN) or active/standby routes, with WAN1 active and WAN2 standby.

    get router info routing-table all
    ...
    Routing table for VRF=0
    S* 0.0.0.0/0 [1/0] via 75.75.75.1, wan1, [1/0]
                        [1/0] via 85.85.85.2, wan2, [1/0]

    Or:

    get router info routing-table database
    ...
    Routing table for VRF=0
    S*> 0.0.0.0/0 [10/0] via 75.75.75.1, wan1, [1/0]  --> Active Route
                          [11/0] via 85.85.85.2, wan2, [1/0]

    This issue is fixed in FOS version 7.4.4 (yet to be released), and it is also listed in the Known Issues section of the FortiOS 7.4.1 release notes:

    Known issues

    Logs required by TAC to investigate:

    diag sniffer packet any " port 443 and host <src_ip>" 4 0 l
    get router info routing-table all
    get router info routing-table database
    exec tac report
    config file of the FortiGate
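As an added example that is not part of the Fortinet article: a small Python script that reads the verbose-4 sniffer output from step 1 and flags TCP/443 flows whose reply leaves on a different interface than the one the request arrived on, which is the symptom described above. The sample capture is constructed from the two lines in the snippet plus one healthy flow, and the line format assumed is the one shown there.

```python
import re
from typing import Dict, List, Tuple

# One line of `diag sniffer packet ... 4` output, e.g.
# 2024-02-22 16:47:52.268974 wan1 in 40.40.40.40.59275 -> 75.75.75.75.443: syn 4063577803
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<intf>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<flags>.*)$"
)

Flow = Tuple[str, str, str, str]  # (client_ip, client_port, server_ip, server_port)

def parse_line(line: str):
    """Parse one sniffer line into a dict, or None if it is not a packet line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_asymmetric_replies(lines: List[str], port: int = 443) -> List[Tuple[Flow, str, str]]:
    """Return (flow, ingress_intf, egress_intf) for every flow to `port` whose
    reply left on a different interface than the request arrived on."""
    ingress: Dict[Flow, str] = {}
    findings: List[Tuple[Flow, str, str]] = []
    for raw in lines:
        p = parse_line(raw)
        if p is None:
            continue
        if p["dir"] == "in" and p["dport"] == str(port):
            # Request from the client: remember the interface it arrived on.
            ingress[(p["src"], p["sport"], p["dst"], p["dport"])] = p["intf"]
        elif p["dir"] == "out" and p["sport"] == str(port):
            # Reply from the FortiGate: key it from the client's perspective.
            flow: Flow = (p["dst"], p["dport"], p["src"], p["sport"])
            in_intf = ingress.get(flow)
            if in_intf is not None and in_intf != p["intf"]:
                findings.append((flow, in_intf, p["intf"]))
    return findings

# Constructed sample: the two lines from the article plus one healthy flow.
SAMPLE_CAPTURE = [
    "2024-02-22 16:47:52.268974 wan1 in 40.40.40.40.59275 -> 75.75.75.75.443: syn 4063577803",
    "2024-02-22 16:47:52.269091 wan2 out 75.75.75.75.443 -> 40.40.40.40.59275: syn 3402131812 ack 4063577804",
    "2024-02-22 16:47:53.100000 wan1 in 50.50.50.50.51000 -> 75.75.75.75.443: syn 1111111111",
    "2024-02-22 16:47:53.100200 wan1 out 75.75.75.75.443 -> 50.50.50.50.51000: syn 2222222222 ack 1111111112",
]

if __name__ == "__main__":
    for flow, in_intf, out_intf in find_asymmetric_replies(SAMPLE_CAPTURE):
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]} arrived on {in_intf}, reply left on {out_intf}")
```

On a real capture, feed the script the saved sniffer output; a flow listed with different ingress and egress interfaces matches the behaviour this article describes and is worth including with the `exec tac report` when opening a ticket.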