Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Carl_Wallmark
Valued Contributor

FortiOS 4.3.2 is out

.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail 100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B, 11C
39 REPLIES 39
Remko_Oude_Elferink

We have 2 firewall clusters running on Version 4 MR2 P8. According support this was the latest most stable version, but we have some issues with VPN portals that users cannot login.. I see some fixes in the release notes but i' m not sure if we should upgrade or not.. How do you think.. Is it worth upgrading to MR3 P2??
Carl_Wallmark
Valued Contributor

What issues do you have ? the MR2 P8 is very stable. if you need a stable firmware then go with MR2 P8. If you think MR3 P2 will solve your SSLVPN problems then go with that, just remember its not as stable as the MR2, you could get other issues.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail 100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B, 11C
Phuoc_Ngo
New Contributor

I would recommend against going to MR3 patch2. We upgraded our 310B devices to MR3 patch 2 last week, and we experience intermittence SSL and IPSec connection issue. The issue occurred randomly to users. Every time a user attempted to connect to SSL VPN, somehow the firewall not able to find correct policy for the traffic " no match policy found" . In turn, the firewall drop the traffic in the bucket while two other users connect to the same SSL VPN web link and they connected successfully. Same things happen to IPSec VPN, some user are not able to communicate to the VPN gateway " Gateway not reachable" . User have full internet and was able to connect through IPSec the previous day. One more event we encounter is that the devices goes on conserve mode sporadically.
p768
New Contributor

I attempted to upgrade my 60B, but it would not reboot. Needed to be formatted and reload via tftp. I have since downgraded to 4.00 mr2 p8
Remko_Oude_Elferink

I have the same problems with SSL VPN as you (Phuoc Ngo). Also get the error " No Matching Policy" But i' m still on MR2 P6 (400a) and P2 (500a). both firewalls has the same issue.. Support can' t find the problem either.. Do you have an idea what the problem can be? Just upgraded the 400a and the 500a to MR2 P8 see what happens.
Paul_Dean

Remko, when you see the error message " no_matching_policy" what other information is displayed? For example, I can see in my logs: reason=" no_matching_policy" msg=" SSL user failed to logged in" action=ssl-login-fail This is because I typed the password incorrectly. What msg do you see? Paul
NSE4
NSE4
Phuoc_Ngo
New Contributor

Our issue is caused by Microsoft patches. After our users apply the this month Microsoft patches, somehow mysteriously broke both SSL and IPSec. After they roll back the patches, VPN work like a charm. Currently, we are still trying to identify the patch(es) that cause the issue.
Phuoc_Ngo
New Contributor

For the system conserve mode issue on 4.3.2 for 310B devices, we notice whenever we attempted to view the UTM monitor (graphic) tab, the system goes into conserve mode for a few second.
Carl_Wallmark
Valued Contributor

For the system conserve mode issue on 4.3.2 for 310B devices, we notice whenever we attempted to view the UTM monitor (graphic) tab, the system goes into conserve mode for a few second.
i got the exact same problem with smaller units like the 100A

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail 100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B, 11C
Phuoc_Ngo
New Contributor

Another issue we encountered in this release is quotas block page appear on the categories that does not have quotas enable. We went through the profiles configuration and categories configuration and check for quota setting but none can be found. That' s pretty odd..still scratch my head on this issue.
Labels
Top Kudoed Authors