kubimike
New Contributor III

6.2.3 Flop

I have two problems going on that can't seem to get solved. One is the HA cluster breaks randomly where the two devices no longer talk but are sending messages to each other. No switch in between if you're wondering. Direct cable. I was told this is a problem with the code and my chipset? This is an A-A cluster. Ticket # 3877503.

 

The other issue I'm facing is IPS crashed yesterday, seeing an IPSA driver status error over and over, it took Transparent Proxy along with it. No web browsing. I turned off the proxy settings on my outbound policy to allow my users to browse the web again. After hours I rebooted the firewall cluster and re-applied the Proxy settings back to the Outbound rule. SSL inspection no longer works. DIAG WAD USER LIST is blank/empty. TAC is at a loss as to why it's now not working as before. As I sit, no deep inspection at the moment. Ticket # 3888909

 

Upgrading from 6.0.8 to 6.2.3 was the worst mistake. Anyone else have these types of issues or can provide any insight? My gear is 100e's

zballa
New Contributor

I agree with you, kubimike, they should not have released 6.2.3. I have issues and tech support does not seem to be able to fix them. One of my issues is that the GUI quits on me after about three hours no matter if I work on anything or my connection is idle. The timeout is set to 480 minutes, but it does not seem to work. I use 61Es, 60Es, and now a 61F. The 61E and the 61F are running 6.2.3 and have issues, like when I got this on the 61F while I worked at the CLI:

upd_cfg_get_host6_by_name[116]-Failed to get ipv6 address for update.fortiguard.net

 

And this:

[__cmdb_config_write_by_fname:151] fopen(/tmp/cmdb_whole_offload.conf) failed: 2(No such file or directory)

 

 

kubimike
New Contributor III

zballa wrote:

I agree with you, kubimike, they should not have released 6.2.3. I have issues and tech support does not seem to be able to fix them. One of my issues is that the GUI quits on me after about three hours no matter if I work on anything or my connection is idle. The timeout is set to 480 minutes, but it does not seem to work. I use 61Es, 60Es, and now a 61F. The 61E and the 61F are running 6.2.3 and have issues, like when I got this on the 61F while I worked at the CLI:

upd_cfg_get_host6_by_name[116]-Failed to get ipv6 address for update.fortiguard.net

 

And this:

[__cmdb_config_write_by_fname:151] fopen(/tmp/cmdb_whole_offload.conf) failed: 2(No such file or directory)

 

 

By chance are you using set cfg-revert-timeout?

kubimike
New Contributor III

Well, I figured it out. Bathroom relaxation trip later, Transparent Proxy back online!

 

Findings/What happened/The Fix

 

When IPSmonitor / IPSA driver crashed it took Transparent Proxy along with it. No web browsing. I edited the IPV4 Policy for Outbound Internet, turned off the proxy settings and made it Flow-Based to allow my users to browse the web again. After hours I rebooted the firewall cluster and re-applied the Proxy settings back to the Outbound rule (Proxy-based back ON, Protocol Options set back to MIA-Proxy). SSL inspection no longer worked. DIAG WAD USER LIST is blank/empty. What caused this was editing the policy to Flow-Based; it removed a VERY important entry: 'Set http-policy-redirect enable'. This feature should have not been moved to the IPV4 section. In Version 6.0.x it was in Policy & Objects - Proxy Options - Custom Proxy - 'Http Policy Redirect' radio button. That way if IPV4 is changed to accommodate for a failure in the Transparent Proxy the feature is left on/unchanged and not removed. I've attached screenshots for you to see. This should most def be patched on the next release, move the option back to Policy & Objects - Proxy Options - 'Http Policy Redirect'
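A check for the failure described in this thread, as an added example that is not part of the original posts or any Fortinet tooling: it compares the `config firewall policy` section of two configuration backups and lists, per policy, the settings that were present in the earlier backup and are absent from the later one. The two sample backups, the policy IDs and names, and the `deep-inspection` profile reference are constructed for illustration; only `http-policy-redirect` and `MIA-Proxy` come from the thread.

```python
def parse_policies(config_text):
    """Return {policy_id: {setting: value}} for the 'config firewall policy' section."""
    policies, current, in_section = {}, None, False
    for raw in config_text.splitlines():
        words = raw.split(None, 2)
        if not words:
            continue
        if raw.split() == ["config", "firewall", "policy"]:
            in_section = True
        elif not in_section:
            continue
        elif words[0] == "edit" and len(words) > 1:
            current = policies.setdefault(words[1], {})
        elif words[0] == "set" and current is not None and len(words) > 1:
            current[words[1]] = words[2] if len(words) > 2 else ""
        elif words[0] == "next":
            current = None
        elif words[0] == "end" and current is None:
            in_section = False          # end of the firewall policy section
    return policies

def dropped_settings(before_text, after_text):
    """Settings that existed on a policy before the change and are gone afterwards."""
    before, after = parse_policies(before_text), parse_policies(after_text)
    report = {}
    for pid, old in before.items():
        gone = {k: v for k, v in old.items() if k not in after.get(pid, {})}
        if gone:
            report[pid] = gone
    return report

# Constructed sample backups: policy 1 was switched to flow-based and back to proxy.
POLICY_2 = '    edit 2\n        set name "Servers"\n        set action accept\n    next\n'
BEFORE = ('config firewall policy\n    edit 1\n        set name "Outbound"\n'
          '        set inspection-mode proxy\n        set http-policy-redirect enable\n'
          '        set profile-protocol-options "MIA-Proxy"\n'
          '        set ssl-ssh-profile "deep-inspection"\n    next\n' + POLICY_2 + 'end\n')
AFTER = ('config firewall policy\n    edit 1\n        set name "Outbound"\n'
         '        set inspection-mode proxy\n'
         '        set profile-protocol-options "MIA-Proxy"\n'
         '        set ssl-ssh-profile "deep-inspection"\n    next\n' + POLICY_2 + 'end\n')

if __name__ == "__main__":
    for pid, gone in dropped_settings(BEFORE, AFTER).items():
        for key, value in gone.items():
            print(f"policy {pid}: '{key} {value}' was set before and is missing now")
```

Running it against backups taken before and after an emergency policy change shows which settings did not come back when the original mode was re-applied.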

 

 

 
