
FG-60 Stops Passing Traffic

I'm at my wits' end and I'm hoping you guys can help out with a problem that I've got. We have deployed a couple of FG-60s and are now having problems with the devices. The first sign of trouble was when a client complained of not having Internet access (port 80). We were running MR-6 at the time. If I reset the device, traffic would start to flow again. After this happened a couple of times, I called the support number for assistance. I was asked to upgrade to MR-7, which I did. We then started having occasional problems at the same client with POP3 access. Again, a reset on the device cleared the matter. Today, we experienced problems at our colo site (big problems here) with accepting POP3 traffic on an FG-60 with MR-6 installed. It's not like we're lighting up the devices with activity, but I cannot continue resetting the devices to get things going again. It appears that the device just stops accepting/forwarding traffic. Does anyone have any ideas about what's happening?? I'm ready to pull the devices and install something that won't fail in this manner. Any help is appreciated.

From what I understand is that this problem may be due to Memory / CPU usage... The FG200 has a 20GB hard drive and greater connection capacity... I wouldn’t say that I have confidence in upgrading to the FG200 but I would like to believe that doing so will cure the problem. (I’m not religious but I am praying) NIDS & Anti virus is important and I must have them both running. I have on average 6000 hits per hour on my main web server & forward around 5500 emails per day through any one of three SMTP servers. We have around 1000 clients who use short TCP connections (300 Bytes) connecting every 240 seconds to some custom software. It seems that the above is just too much for the FG-60 causing an average 75% memory & CPU load. Switching off the NIDS or Anti virus is not really an option (Although I still intend to run additional anti virus internally) Regards, Kevin...

I don't have nearly the traffic that you do. I have two mail servers behind the firewall with a total of maybe 50 users. We host some web sites but I wouldn't say we're getting more than a few hundred hits per day. And yet, we still are having problems. I'm very interested in whether your move to a 200 will solve the problem or simply move it out. Did Fortinet recommend the upgrade or was that a conclusion that you had come to based upon past experience? Please keep us posted as to your progress. For me, I'm still working with Fortinet to resolve this issue.

Hi John, No, this was not a recommendation from Fortinet. I was originally looking at the FG400 as this fits our requirement, however it is a bit pricey at over £5000. The FG200 was my next choice but this has only 3 network connections. The FG60 has 4 network connections and looked on paper as if it would do the job. I can’t afford to buy a FG400 at the moment and with only 3 network connections on the FG200 I decided to go for the FG60. It looks like this was a bad move and so upgrading to the FG200 is the next best thing. By adding a small NAT router to the internal network on the FG200 I can achieve the 4 networks I require. I am hopeful that the greater memory & CPU capacity of the FG200 will cure the problems. Looking at the content of the forums here, the loss of service problem seems to be more of an issue on the FG50 / 60 units. Regards, Kevin… PS. New FG200 has not arrived yet
Alex_Libenson

Kevin, with the latest builds of FortiOS 2.5 you can use 802.1q VLANs to create more interfaces. Just attach an 802.1q enabled switch to it. Alex.

Thanks for that... I have 2 3Com units here looking for the manuals (no chance)… Regards, Kevin…

Hi Kevin, In general, I would size you higher than the FG-200 for the traffic, amount of users and required applications (AV and NIDS). With room for expansion, the FG-400 would be the choice in my opinion. Fortinet does not have performance sizing tools, but I should say that with traffic prioritisation you can also work the HTTP requests up and perhaps slow down the SMTP traffic. Users won't notice a 2 second delay on SMTP. We have had issues in terms of performance with MR7. Don't have so much time, but will get back and have loads of time ;o) Best regards, Soeren

I have a 400 and have noticed those same problems just today after messing around with remote IPsec dial-up users. The box had been up for almost 10 days, and I have had to reboot it 3 times today alone to get HTTP running again, even though all the rest of the protocols continued to work. I don't think upgrading to something bigger is any better. I am running 2.5 with MR7.
Alex_Libenson

Hmmm... FG-200 has more power, but I would not be surprised if Fortinet will End of Life FG-100 and 200 in addition to FG-50 this year. Alex.

40-gaters, this is bad, bad news for me. I have experienced that problem since December 2003 with a FGT-50R and was advised to do a boot media format. After that, the problem was temporarily gone, but other problems occurred. MR6, not higher, not even tried MR7. And I was told the memory on the FGT-50 is much more limited on FW 2.50 than it was on 2.36. And possibly no 2.80. OK, I decided to move to a FGT-60, but now...... What's the right way if we don't have the money|need for a FGT-200? What if only 2-4 users are behind the wall and the main purpose is to have NIDS and AV running, along with VPN and a few policies? I was so happy when I first got my FGT-50 - and now all the enthusiasm has gone, along with the reliability.... Bad bad news today.... Michael

Michael, What's the number of users etc. that you have behind the FG environment, and what applications are you looking at running on the FG? We have some 50 FG50 & FG60 running in all kinds of configs and I could give you a rule of thumb before your bad bad day goes bad bad bad