Fortinet Forum
jpveen
New Contributor

Losing internet connectivity every 3-5 days

Hi all,

My FortiGate 60E has a strange issue. Every 3-5 days internal clients cannot reach WAN-side applications anymore, and a reboot of the FortiGate always fixes the issue.

 

observations:

- ping to public IPs is still possible

- DNS gives timeouts (also from fortigate CLI not able to ping a hostname)

- Ping from internet to the WAN interface is also not replying anymore

- Inbound virtual servers are not reachable anymore

- Inbound IPsec VPN not reachable anymore

- Not any issue visible in event logs (only messages that forticloud cannot be reached)

 

What I did in trying to fix:

- configured SDWAN -> does not help

- configured SDWAN wan-failover -> when the issue occurs the healthcheck still reports wan1 as alive. -> when I switch the inbound internet line to the wan2 port immediately internal users can reach outside internet. When plugging the line back to wan1 the internet is again unreachable, DNS request times out.

 

Configuration:

- Simple setup, multi VLAN on a single physical interface

- Single internet line, no PPPoE, direct IP connection

- For DNS I use Open DNS

- Simple IPsec VPN for remote connectivity

- FortiOS 6.2.4

 

Since when do I have this problem?

- Seems that the issue started 6 weeks ago, after upgrade to 6.2.4.

- At the same time my 3-year support contract expired, so I am not able to download new/old fw images... (sorry for that)

- Around the same time my fortiguard licenses expired, but I did not use fortiguard.

 

I captured some CLI output at the moment the issue is active. See attached.

 

Any ideas what could cause this behavior and how to solve it?

 

 

Scott_Seifel
New Contributor

Just upgraded FG-60E from 6.0.10 to 6.2.4 ten days ago (Aug 14 2020), and this issue started occurring.  I will add that IPv6 traffic was routed and processed by the firewall while IPv4 was not.  Rebooting the firewall resolved the issue for only three or so days.  Was going to open a case with Fortinet TAC when FortiOS 6.2.5 was released.  Upgraded to 6.2.5, but had to revert to 6.2.4 within twelve hours because of new issues related to applications being blocked / not loading.

 

Was there a fix to this issue running 6.2.4?

 

 

jpveen

You are just the first one replying to my post. And no, I don't have a solution yet. Outbound DNS connectivity and inbound virtual-server connectivity drop every 3,5 days and I have to reboot my FGT60E every time to fix this.

I am still at 6.2.4 and not using IPv6.

bobm
New Contributor III

I have a 100E running 5.6.11, IPv4, and am having the same issue. But only from my Comcast link. SD WAN is configured, and about once a week the Comcast link goes down.  I can still see the modem, but nothing past it. The Consolidated link stays up and running fine. I have also found that rebooting the modem helps, as well as changing the SD-WAN ping target. But only for a few days. We just moved to a new office, so the Comcast is a new account.  And of course they blame the FGT. 

jpveen
New Contributor

In my case almost exactly every 3,5 days connections to the WAN link are lost, see the graph below.

 

Around every 85 hrs.

Strangely enough, only TCP/UDP seems to be affected; ICMP ping is still working through the WAN port.

I am opening a ticket with TAC now.

 

nsantin
New Contributor III

bobm wrote:

I have a 100E running 5.6.11, IPv4, and am having the same issue. 

 

This is a known issue in 5.6.11 and .12 with the link monitor. Upgrade to 6.0.10, it's very stable.

https://forum.fortinet.com/tm.aspx?m=182995

https://forum.fortinet.com/tm.aspx?m=178607

 

 

bobm
New Contributor III

OK, thanks for the heads up.  I'll try to get that into the schedule ASAP.

Scott_Seifel

There is a Bug ID (635589) that may resolve the issue.  I have not tested this yet but my 60E does have DOS-Policies.

 

635589 | FortiGate | 6.2.4 | Open

Description: After upgrade from FortiOS 6.2.3 to 6.2.4, DOS-policy causing service interruption. workaround disable DOS-policy

* After upgrade from FortiOS 6.2.3 to 6.2.4, the DOS-policy causing service interruption.

* If DOS-policy disabled, all traffic starts flowing as expected.

Note: No issues were observed on FortiOS 6.2.3, all traffic flowed as expected with DOS-policy.

 

 

Jose_Wilson

I saw that version 6.2.5 solves this bug.