Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
tanr
Valued Contributor II
3 Solutions
mjcrevier

If you're having connectivity issues, check if DoS sensor is enabled. If so, disable it completely. That should resolve the issue you're seeing.

Toshi_Esumi
Esteemed Contributor II

I had a conversation with an FTNT SE today about 6.2.4 problems. The major issues seem to boil down to the three issues below:

1. DoS policy issue: It's still a known issue with 6.2.4 and not resolved, which is in the release notes.

2. IPS engine keeps crashing. A new engine is planned to be released soon. Then this would be resolved.

3. WAD memory leak issue is still not 100% resolved.

6.2.5 will fix these issues and come out relatively shortly, although he couldn't tell me any target date. He recommended waiting for 6.2.5. But likely 6.0.10 comes out before 6.2.5.

By the way, FMG/FAZ 6.2.4 was to just fix vulnerabilities. They wanted to release it ASAP without waiting for bug fixes. Then 6.2.5 came out right after that with bug fixes. It was just coincidental they came out one after another.


Kevin_Shanus

My issue was that I upgraded 200E to 6.2.4, 80E to 6.2.4 and FAZ to 6.2.5.

6.2.4 has DoS issue which breaks VIPs

6.2.X changes SSL Inspection w/ SSH which broke DUO 2FA for me, fix was easy, had to exclude URL from inspection but took a bit to track down

FAZ 6.2.5 had to have some reliability feature turned off to work with <100E FortiGates

I also patched about 45 Windows servers the same weekend. #neveragain


74 REPLIES
Toshi_Esumi
Esteemed Contributor II

@rpedrica, I think that grey icons are intentional. I thought you meant the entire row was greyed/dimmed out. I have 2.4GHz disabled on my FAP221B. As a result both R1 and R2 are grey but R2 is dimmed. So if it's not dimmed, it's active.

MikePruett

Kevin Shanus wrote:

My issue was that I upgraded 200E to 6.2.4, 80E to 6.2.4 and FAZ to 6.2.5.

6.2.4 has DoS issue which breaks VIPs

6.2.X changes SSL Inspection w/ SSH which broke DUO 2FA for me, fix was easy, had to exclude URL from inspection but took a bit to track down

FAZ 6.2.5 had to have some reliability feature turned off to work with <100E FortiGates

I also patched about 45 Windows servers the same weekend. #neveragain

I almost had a stroke reading your comment. Man, that makes for a long weekend.

rpedrica

Kevin Shanus wrote:

My issue was that I upgraded 200E to 6.2.4, 80E to 6.2.4 and FAZ to 6.2.5.

6.2.4 has DoS issue which breaks VIPs

6.2.X changes SSL Inspection w/ SSH which broke DUO 2FA for me, fix was easy, had to exclude URL from inspection but took a bit to track down

FAZ 6.2.5 had to have some reliability feature turned off to work with <100E FortiGates

I also patched about 45 Windows servers the same weekend. #neveragain

Hi @Kevin Shanus

Can you give more specifics about the FAZ feature that needed to be turned off?

Robby

Nicklebon

rpedrica wrote:

Kevin Shanus wrote:

My issue was that I upgraded 200E to 6.2.4, 80E to 6.2.4 and FAZ to 6.2.5.

6.2.4 has DoS issue which breaks VIPs

6.2.X changes SSL Inspection w/ SSH which broke DUO 2FA for me, fix was easy, had to exclude URL from inspection but took a bit to track down

FAZ 6.2.5 had to have some reliability feature turned off to work with <100E FortiGates

I also patched about 45 Windows servers the same weekend. #neveragain

Hi @Kevin Shanus

Can you give more specifics about the FAZ feature that needed to be turned off?

Robby

Second this request. Having a fit ATM trying to track down why logs from a pair of 61Es and a 60F running 6.2.4 sending logs to a FAZ running 6.2.5 are not showing up.

sanderl
New Contributor III

OMG... just was away from home... suddenly no mail on primary mx record... not able to get to webserver, no ssl vpn, nothing...

but some "cloud" devices were still available... very strange...

upon reaching home: Everything works fine internally (not sure if other subnets were reachable). DNS not reachable, could not ping default internet gateway, could not ping anything... Rebooted Internet modem: nothing.

Shall it be the FG?

Reboot, gone! I started to google on FortiOS 6.2.4 and no OMG... this topic, and this topic: https://www.reddit.com/r/fortinet/comments/gm3pn1/dont_use_fortios_624/

Oh Fortinet please help us all. Edit: yes it happened again today. And removing the DoS policy resolved this issue in around 45 seconds. Fortinet, take care please!

sanderl
New Contributor III

Ok, so now again trouble after 2 hours of previous post update. Rebooting was only solution. 50% mem and 4% cpu nothing unusual but couldn't have too much downtime... Fortinet, please advise!

poundy

sanderl wrote:

Ok, so now again trouble after 2 hours of previous post update. Rebooting was only solution. 50% mem and 4% cpu nothing unusual but couldn't have too much downtime... Fortinet, please advise!

Genuine question: is this a supported/monitored forum by FTNT staff, or just happens to be here?

I think the answer from the community is roll back, and I'd raise a support ticket to TAC so you can get the official answer too.