Connection failure at a particular route

myamazak · ‎04-03-2016

Please help me, I have a problem.

I replaced the FW from RT.

The FW is FG-300D-BDL-US, and FW is HA cluster.

SV3 received files from SV2 by FTP.

First, No problem. But, after 4-5 hours, SV2 cannot send files to SV3.

SV3 received date from SV1, it is no problem.

I have no idea why SV2 cannot send files to SV3 after 4-5 hours.

What would be the cause?

(OLD)

SV1 | ----------------------- NW1 | SV2 RT | | ----------------------- NW2 | RT <-- Replaced | ----------------------- NW3 | SV3

(NEW) SV1 | ----------------------- NW1 | SV2 RT | | ----------------------- NW2 | FW x2 <-- New! | ----------------------- NW3 | SV3

ede_pfau · ‎04-04-2016

hi,

this is very uncommon, to start with.

What version of FortiOS are you running on the cluster?

What does the log say (events, traffic), before and after the blocking?

Ede Kernel panic: Aiee, killing interrupt handler!

myamazak · ‎04-04-2016

Thank you for replayed me. I'm very happy.

Virsion is "v5.2.5,build0701 (GA)"

Error is not output to the log. Blocking log is not exist too.

But, after I replaced the RT from FW, it's no problem.

While the error is out, the log is not output.

I think, to connect again, and there is only a packet capture.

However, because the cause is not known, it is very dangerous.

ede_pfau · ‎04-04-2016

I've got no real idea what is happening.

It might be related to the cluster. Do you have both ports (input and output) connected by switches? Can you fail over the cluster from master to slave without problems?

If the error occurs again in 4-5 hours, I would disconnect the cluster and run only one FGT. This setup is so simple it just has to work.

Consider upgrading to v5.2.7 but do take a backup of the config and read the Release Notes before. As the FGT is out of service right now this might be a good moment.

Ede Kernel panic: Aiee, killing interrupt handler!

myamazak · ‎04-04-2016

I appreciate your answer sincerely.

I tested to fail over the cluster when I repalced FW from RT.

It's no problem, and the log is not output.

The Firewall is coneeced by swtiches.

ede_pfau · ‎04-05-2016

There might be an interaction between the HA traffic and the switches. Some switches cannot handle having 2 identical MAC addresses show up on 2 different ports (FGT1 and FGT2 have both identical MAC addresses on their ports if they form a cluster).

To eliminate the switches, try to run just one FGT, disconnect the other. You don't need to change the config for this.

Ede Kernel panic: Aiee, killing interrupt handler!

myamazak · ‎04-27-2016

I appreciate your answer sincerely.

Yesterday, I've tried to replace the FW from RT again.

First, it was not a problem, after about 2 hours, the phenomenon has been reproduced.

I have to get the packet capture and debug log and checked it.

It was not able to confirm the connection to SV3 from SV2.

Packet of date from SV2 to SV3 was not exist.

I checked FTP log data of SV3. SV2 cannot find SV3, so FTP session was remaining.

I replaced the RT from FW, but SV2 cannot connect SV3 by FTP.

After about 40 minutes, SV2 can connect SV3 by FTP again.

Using RT, this phenomenon does not occur.

It is a mystery.

myamazak · ‎10-05-2016

I tested again without the use of the AntiVirus.

I tested on Single, it is no problem.

I tested on HA cluster, it is no problem.

I tested on Single with the use of the AntiVirus, it is a problem again.

SV2 cannot send jpeg files to SV3.

SV2 cannot find SV3 by FTP connection.

Ping is OK between SV3 with Sv2.

It's no packet capture from SV2 to SV3 on FW.

SV1 | ----------------------- NW1 | SV2 RT | | ----------------------- NW2 | FW (Single) | ----------------------- NW3 | SV3

With the use of the AntiVirus, Problem occurs.

I think that AntiVirus is affecting FTP connection.

Or there is no way that does not affect the FTP connection with the use of the AntiVirus?