Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
nsantin
New Contributor III

5.6.5 Upgrade, sporadic ERR_CONNECTION_RESET with IPS enabled

Hi, I just upgraded a HA pair of 100D's from 5.2.13 to 5.6.5 and for some reason Im now sporadically getting "ERR_CONNECTION_RESET" browsers errors (chrome) on the initial inbound connections to various web servers (VIP) when I have IPS enabled (tried updating to the built in profiles post upgrade with same issue).

 

Once the site finally loads everything seems to work fine, it just appears to be the initial connection hangs up about 50% of the time. Any ideas? Im not sure if this an issue with the engine, or perhaps and issue with the IPS being offloaded to the slave unit?

 

 

7 REPLIES 7
Hosemacht
Contributor II

Hello there,

 

you should have used the official upgrade path = 5.2.13 -> 5.4.9 -> 5.6.5.

If possible go back to 5.2.13 and then follow the upgrade path.

sudo apt-get-rekt

sudo apt-get-rekt
nsantin
New Contributor III

Yes this is the path I followed, you can't directly go to 5.6.5 from 5.2

Hosemacht

hmm what is the ips engine ver. number?

are you browsing through an ipsec tunnel?

sudo apt-get-rekt

sudo apt-get-rekt
nsantin
New Contributor III

looks like:

IPS Attack Engine Version: 3.00532

AV Engine Version: 5.00361

I've confirmed it's the same on both units.

 

The issues occurs on INBOUND http/https connections from the WAN zone (via VIP), not outbound. 

Hosemacht

witch utm features are enabled?

sudo apt-get-rekt

sudo apt-get-rekt
nsantin
New Contributor III

So I think I may have figured out the issue. It appears that my original customized v5.2 IPS policy which was upgraded may have been causing issues. I created a new policy from scratch and applied it and now it seems to be much more robust and stable. I will continue to monitor. I do have an open ticket with TAC who has identified this same issue with prior builds, just not in 1600 (5.4.5). So I will continue to monitor.

 

 

Hosemacht

nice to hear and thanks for the hint, i have to upgrade one of our older devices soon :)

sudo apt-get-rekt

sudo apt-get-rekt
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors