James_G
Contributor III

FortiOS 6.0.9 is out

3 Solutions
simonpt
New Contributor III

ValentinoD wrote:

 

Did you experience any more issues after the last update? Was the issue that you were seeing in 6.0.8 only seen for RDP coming from SSLVPN?

 

Still seeing the occasional issue with RDP over SSL VPN in 6.0.9, but not nearly as often.

 

ValentinoD wrote:

We are thinking of going to 6.0.9, and while we do not have any SSL VPN on Fortigate, we do have RDP sessions going over IPSec VPN tunnels or other directly connected links.

 

If you don't use SSL VPN, you'll be fine. RDP works okay over IPsec and other links.


simonpt
New Contributor III

Another issue with 6.0.9 (and perhaps earlier versions) is where a client browsing securely to a FGT virtual server will get disconnected as soon as they send a ClientHello. This isn't reproducible on all our standard virtual servers -- only on one that I'm experimenting on with some advanced features enabled.

 

Further analysis shows that the wad process is crashing. The TAC engineer matched this to a known bug (590039) and advised me that it has been fixed in 6.2.3. When I asked if it would be backported to 6.0, I was told no, it won't, and to upgrade to 6.2.3. I've asked for an explanation on why it won't be backported and haven't heard yet. That was over three weeks ago.

 

According to Fortinet's product life cycle, FOS 6.0's engineering support doesn't end until 29 March 2021. If a daemon is crashing, I don't understand why they don't fix it. I'm certainly not keen to upgrade to a new version like 6.2 just yet.


Sebastiaan_Koopmans

After upgrading, it looks like (currently investigating) we have random connectivity issues to on-premise Exchange servers. They lose connection/Outlook freezes sometimes for no reason.

Tonight we have downgraded to 6.0.8 to see if this is the cause.

Will keep you updated.

FortiAnalyzer / 6.4.0

FortiClient / 6.2.6 FortiClient EMS VM / 6.2.6

FortiGate 300D HA 6.2.4 FortiGate 500E HA 6.2.4 FortiGate 30E / 60E / 100E / 6.0.9 FortiMail VM HA / 6.4.0 FortiSandbox VM / 3.2.0

FortiWeb VM / 6.3.2

FortiManager VM / 6.4.0


21 Replies
ValentinoD

I expected it to be so. Thanks for the reply.

 

The strange thing is that I remember I saw it in the known issues when the first release notes for it were published. I checked the release notes today and it isn't listed anymore.

MikePruett

Pushed it to 200 client FortiGates over the past week or so. So far, so good.

simonpt
New Contributor III

ValentinoD wrote:

I expected it to be so. Thanks for the reply.

 

The strange thing is that I remember I saw it in the known issues when the first release notes for it were published. I checked the release notes today and it isn't listed anymore.

You're welcome.

 

Oh yes, you're right. According to the change log, the known issues were updated last week on the 4th. (Frustrating when they only say something was updated but don't tell you what and so you have to try to work out for yourself what it was they did.)

 

Isn't that an interesting insight into Fortinet's current software development and QA processes? They initially had the RDP over SSL VPN bug (582265) listed as a known issue for 6.0.9. And a TAC engineer told me it would be fixed in 6.0.10, 6.2.4 and 6.4.0. Then someone realised, hang on, we've actually fixed this in 6.0.9. Quick, update the release notes. It's like the left hand isn't telling the right hand what it's doing :\

 

Another worrying insight for me is when a TAC engineer recommends reformatting FGTs to fix something that's slightly off. I had a slew of problems when I upgraded our FGTs to 6.0.9. One was quite serious -- not being able to route traffic through a FGT when I made it the active member in the HA cluster, even though the config and checksums matched the other member that could route traffic okay. I also discovered a minor web UI problem where you would hover over a source in FortiView and the pop-up would display the details for a different source. The engineer for that minor ticket suggested that there might be "some kind of corruption either on the firmware image or configuration itself" and to "factory reset the device and re-image the firmware on the FGT with the fresh image using TFTP". In the end, I ended up doing that, but mainly to fix the serious issue, which thankfully it did. (Ironically, it didn't fix the minor issue.) Crazy thing is, I had just reformatted both FGTs in the cluster when I upgraded them to 6.0.9 and I built a brand new config for them. Everything was fresh and new. Has FortiOS got so fragile that it needs to be reformatted to fix things now?

jim3cantos

simonpt wrote:

ValentinoD wrote:

I expected it to be so. Thanks for the reply.

 

The strange thing is that I remember I saw it in the known issues when the first release notes for it were published. I checked the release notes today and it isn't listed anymore.

You're welcome.

 

Oh yes, you're right. According to the change log, the known issues were updated last week on the 4th. (Frustrating when they only say something was updated but don't tell you what and so you have to try to work out for yourself what it was they did.)

 

 

That's why I try to keep a copy of the different versions of the file, but anyway they take an issue out of the known issues list and don't put it in the solved issues list, so probably both lists are only a subset of the real thing. The only way to know for sure if something has been resolved is to try it.

 
José Ignacio Martín Jiménez
ValentinoD

simonpt wrote:

 

Another worrying insight for me is when a TAC engineer recommends reformatting FGTs to fix something that's slightly off. I had a slew of problems when I upgraded our FGTs to 6.0.9. One was quite serious -- not being able to route traffic through a FGT when I made it the active member in the HA cluster, even though the config and checksums matched the other member that could route traffic okay.

This is the first time I have heard of a TAC engineer recommending reformatting a FGT to fix an issue like this. It seems they have changed their approach from upgrading/downgrading to another firmware version like they did in the past. This seems like a serious bug, which at least should have been treated more carefully than just reformatting the FGT.

I remember that in the past, only the earlier versions of a major release would have problems and were usually avoided, but the later releases would be solid. If the higher versions of a release start having serious problems, that does not bode well.


simonpt
New Contributor III

Just got bitten by another bug with 6.0.9. If you've implemented the best practice of creating higher-distance blackhole routes to prevent VPN traffic from routing to the internet when your tunnels go down, be careful if your VPN uses BGP to learn the route from the remote end. We had a tunnel flap overnight, the blackhole route kicked in but then stayed in even after BGP adjacency was formed. Looks like it might be this one in the list of known issues:

 

593864: Routing table is not always updated when BGP gets an update with changed next hop.
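
A check for the failure mode described in the post above, as an added example that is not part of the original thread: it flags prefixes for which BGP holds a valid path while the routing table still sends the traffic to a blackhole route. The routing-table layout, prefixes and next hops are constructed sample data in a simplified format, so the regex must be adapted to the real output of the device.

```python
import ipaddress
import re

# Constructed sample data in a simplified layout, not captured from a device:
# "<code> <prefix> [<distance>/<metric>] <target>"; target "Null" = blackhole.
RIB_AFTER_FLAP = """\
C 192.0.2.0/30 [0/0] via port1
S 0.0.0.0/0 [10/0] via 192.0.2.1
S 10.20.0.0/16 [254/0] Null
B 10.30.0.0/16 [20/0] via 169.254.1.2
"""
# Prefixes for which the BGP table currently holds a valid path (constructed).
BGP_VALID = ["10.20.0.0/16", "10.30.0.0/16"]

RIB_LINE = re.compile(
    r"^(?P<code>[A-Z])\s+(?P<prefix>\S+)\s+\[(?P<dist>\d+)/\d+\]\s+(?P<target>.+)$")

def parse_rib(text):
    """Turn routing-table text into dicts; lines that do not match are skipped."""
    routes = []
    for line in text.splitlines():
        m = RIB_LINE.match(line.strip())
        if m:
            routes.append({
                "code": m["code"],
                "net": ipaddress.ip_network(m["prefix"]),
                "distance": int(m["dist"]),
                "blackhole": m["target"].strip().lower() == "null",
            })
    return routes

def best_match(routes, net):
    """Route that would forward traffic for net: longest prefix, then lowest distance."""
    covering = [r for r in routes if net.subnet_of(r["net"])]
    return max(covering, key=lambda r: (r["net"].prefixlen, -r["distance"]), default=None)

def stale_blackholes(rib_text, bgp_valid):
    """Prefixes BGP has a valid path for, yet the table still sends to a blackhole."""
    routes = parse_rib(rib_text)
    findings = []
    for prefix in bgp_valid:
        net = ipaddress.ip_network(prefix)
        installed = any(r["code"] == "B" and r["net"] == net for r in routes)
        hit = best_match(routes, net)
        if not installed and hit is not None and hit["blackhole"]:
            findings.append((prefix, str(hit["net"])))
    return findings

if __name__ == "__main__":
    for prefix, hole in stale_blackholes(RIB_AFTER_FLAP, BGP_VALID):
        print(f"{prefix}: BGP path present but traffic hits blackhole {hole}")
```

An empty BGP list (tunnel down) produces no findings, because the blackhole route is the intended state in that case.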


SecurityPlus

Any further update from those that have upgraded to 6.0.9?

Baptiste

sebastiaan.koopmans@kuiken.nl wrote:

After upgrading, it looks like (currently investigating) we have random connectivity issues to on-premise Exchange servers. They lose connection/Outlook freezes sometimes for no reason.

Tonight we have downgraded to 6.0.8 to see if this is the cause.

Will keep you updated.

Hi, same issue for me, lots of freezes/crashes/disconnections with on-premise Exchange.

Currently running Exchange 2010 with Outlook 2010 & 2016 clients.

Issue with both clients.

No issue when I'm on the same LAN.

Issue when access is done from wireless (tunnel mode).

2 FGT 100D  + FTK200

3 FGT 60E  FAZ VM  some FAP 210B/221C/223C/321C/421E