tanr
Valued Contributor II
mjcrevier

If you're having connectivity issues, check whether the DoS sensor is enabled. If it is, disable it completely. That should resolve the issue you're seeing.
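A worked example of that check, added here and not part of mjcrevier's post: list the DoS policies from the FortiOS CLI and disable the one that is enabled. The policy ID (1) is an assumption; take the real IDs from the `show` output. Re-enabling later is the same block with `set status enable`.

```text
# Added example, not from the post. Policy ID 1 is assumed; use the IDs
# printed by the first command.
show firewall DoS-policy

config firewall DoS-policy
    edit 1
        set status disable
    next
end
```

This disables the whole policy rather than individual anomaly signatures, which is what "disable it completely" above means; a policy left enabled with every anomaly set to pass still runs the DoS sensor on the interface.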

Toshi_Esumi
Esteemed Contributor II

I had a conversation with an FTNT SE today about the 6.2.4 problems. The major issues seem to boil down to the three below:

1. DoS policy issue: it's still a known issue with 6.2.4 and not resolved, which is in the release notes.

2. The IPS engine keeps crashing. A new engine is planned to be released soon; that should resolve it.

3. The WAD memory leak issue is still not 100% resolved.

6.2.5 will fix these issues and should come out fairly soon, although he couldn't tell me any target date. He recommended waiting for 6.2.5. But 6.0.10 will likely come out before 6.2.5.

By the way, FMG/FAZ 6.2.4 was just to fix vulnerabilities. They wanted to release it ASAP without waiting for bug fixes. Then 6.2.5 came out right after that with the bug fixes. It was just coincidental that they came out one after another.


Kevin_Shanus

My issue was that I upgraded a 200E to 6.2.4, an 80E to 6.2.4 and FAZ to 6.2.5.

6.2.4 has a DoS issue that breaks VIPs.

6.2.x changes SSL inspection with SSH, which broke DUO 2FA for me. The fix was easy (I had to exclude the URL from inspection), but it took a bit to track down.

FAZ 6.2.5 had to have some reliability feature turned off to work with FortiGates below the 100E.

I also patched about 45 Windows servers the same weekend. #neveragain

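An example of the inspection exemption described above, added here and not part of Kevin_Shanus's post: create an FQDN address object for the Duo API host and add it to the SSL/SSH profile's exempt list. The address name "duo-api", the placeholder hostname and the profile name "custom-deep-inspection" are assumptions; the real API hostname comes from the Duo admin panel, and the profile must be the one referenced by the firewall policy that carries the 2FA traffic.

```text
# Added example, not from the post. Replace the placeholder hostname with
# the API hostname shown in the Duo admin panel.
config firewall address
    edit "duo-api"
        set type fqdn
        set fqdn "api-XXXXXXXX.duosecurity.com"
    next
end

config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        config ssl-exempt
            edit 1
                set type address
                set address "duo-api"
            next
        end
    next
end
```

Exempting by address object rather than by FortiGuard category keeps the exemption narrow: only the Duo API host bypasses deep inspection, and the rest of the policy's traffic is still inspected.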

Toshi_Esumi
Esteemed Contributor II

Does anybody else still have VIPs working fine with 6.2.4? Or has anyone tried debugging after it broke to see exactly what's happening? I'm thinking it might be conditional, and if so I want to know the conditions. I upgraded my 50E yesterday and so far it's working fine, including SIP just going over NAT. I have had session helpers/ALGs disabled for a long time, but I don't have any VIPs to field-test with.

visk
New Contributor III

No problems with VIPs on a 60F, 50E and 100D for the moment (60F upgraded yesterday, 50E and 100D a few hours ago).

TheJaeene

Attention!

Had strange problems on a 61E after upgrading to 6.2.4.

Dialup VPN stopped working completely after 8 hours of uptime,

and some site-to-site VPNs did not pass TCP and ICMP traffic anymore.

Remote traffic entered the tunnel interface but was not passed along.

diag debug flow just stated that a session was generated and that's it... No further packet flow was seen!

Reverted back to 6.2.3.

Hey Fortinet, shame on you: I think now it's about time for a free 1Y FortiGuard subscription for my expired LAB FGT ;)
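The flow trace TheJaeene refers to, written out as an added example (not part of the post) so the "session generated, then nothing" symptom can be reproduced and compared on another box. The host address 10.1.1.10 is an assumed address of a machine on the far side of the tunnel; substitute the real source. The filter is limited to TCP (protocol 6) because the post says TCP and ICMP failed while UDP kept working; rerun with `proto 1` for ICMP.

```text
# Added example, not from the post. 10.1.1.10 is an assumed remote host.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter addr 10.1.1.10
diagnose debug flow filter proto 6
diagnose debug flow show function-name enable
diagnose debug flow trace start 50
diagnose debug enable

# ... reproduce the failing connection from the remote site, then stop:
diagnose debug disable
diagnose debug flow trace stop
diagnose debug reset
```

With `show function-name` enabled, each trace line names the kernel function that handled the packet, so a trace that ends right after the session creation line (and never reaches the forwarding or policy-match lines) tells you the packet was dropped inside the box rather than never arriving. Compare that against the same trace taken for a UDP flow that does work.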

visk
New Contributor III

jkassner wrote:

Attention!

Had strange problems on a 61E after upgrading to 6.2.4.

Dialup VPN stopped working completely after 8 hours of uptime,

and some site-to-site VPNs did not pass TCP and ICMP traffic anymore.

Remote traffic entered the tunnel interface but was not passed along.

diag debug flow just stated that a session was generated and that's it... No further packet flow was seen!

Reverted back to 6.2.3.

Hey Fortinet, shame on you: I think now it's about time for a free 1Y FortiGuard subscription for my expired LAB FGT ;)

Thank you for the response. Did you upgrade a clustered FG-61E or a standalone one? I'm thinking about upgrading an HA A-P cluster of FG-61Es this weekend. There is no SSL VPN there, but a few VPNs are active. The VPNs have to work, for business financial reasons.

TheJaeene

Hi Visk,

Luckily it was a not-so-important standalone box, no cluster.

After 8 hours of uptime the dialup VPNs stopped working (no response to IKE at all) and some site-to-site VPNs stopped working, not passing TCP and ICMP traffic in the incoming direction. Strangely, UDP traffic was still working fine.

I cannot confirm it 100%, but I think at least in my case these were IPsec tunnels with OSPF-propagated routes.

I would stay away from updating to 6.2.4 on production boxes right now.

visk
New Contributor III

TheJaeene, thank you for the info. I will try to upgrade some FortiGate models in the next few days. I will come back here later to give feedback about FortiOS 6.2.4.
Toshi_Esumi
Esteemed Contributor II

Also, did anyone else notice the GUI is slower ("circling" for a while when digging deeper)? It may be because my 50E is not so powerful. But I didn't notice it when it was running 6.0.9. I saw a similar comment on Reddit as well.

Phuoc_Ngo

First time running into this kind of firmware bug. It caused 10 of our sites to go down at once. We are running 601E and 60E devices. Still trying to chase sporadic VPN and VoIP issues.

TheJaeene

Phuoc Ngo wrote:

First time running into this kind of firmware bug. It caused 10 of our sites to go down at once. We are running 601E and 60E devices. Still trying to chase sporadic VPN and VoIP issues.

I'm 100% with you on that. Never had these kinds of severe bugs, not even on a major release upgrade.

It would be interesting to know if the VPN issues are related to SOC3 boxes, since you are also using 60Es.

In my case SIP call setup worked in one direction (the party behind the 60E establishes a call) and RTP (UDP) traffic was fine in both directions. The other way around (the party behind the 60E was called), the call setup (TCP!) failed and so no RTP connection was established.

 

visk
New Contributor III

Be careful with 6.2.4. Two days ago upgraded 60F to 6.2.4 - yestarday first issue with some VPN's. Yesterday also upgraded 100D to 6.2.4, and this morning problem with VPN in debug i see: 101:Network is unreachable. But network and other VPN sides are reachable...