FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
I tried it with a 60D, forgetting that our office 60D policies use a zone that includes a physical interface (non-tagged) and multiple VLAN subinterfaces (tagged), after having read through the release notes and noticed the caution "all members of the zone would be dropped". Sure enough, it did.
After a TT with TAC and some tests of my own with another test 60D, I decided to go back to 5.4.8 for the office 60D, because the only way to restore the zone (original set of policies) with all members is to remove all VLANs on the physical interface and put the physical interface in as the sole member of the zone first. Then you can recreate all the VLANs I removed and put them in the zone. Not only DHCP servers but some other widgets monitoring usage need to be removed before I can remove the VLANs. In the middle of trying this process I gave up and decided to wait for the next release, 5.6.5. TAC gave me the bug ID, but it's not in the "known issues" list in the release notes.
Hi Bruno,
I am not able to reproduce your issue on "FortiGate-600D v5.6.4,build1575,180425 (GA)", tunnel mode with FCT 5.4.2 0860 on win10. So is there any particular configuration you have, and how did you trigger this issue?
Thanks.
Hello!
My conf:
config vpn ssl settings
    set reqclientcert disable
    set tlsv1-0 disable
    set tlsv1-1 disable
    set tlsv1-2 enable
    unset banned-cipher
    set ssl-big-buffer disable
    set ssl-insert-empty-fragment enable
    set https-redirect enable
    set ssl-client-renegotiation disable
    set force-two-factor-auth disable
    set servercert xxxx
    set algorithm high
    set idle-timeout 900
    set auth-timeout 28800
    set login-attempt-limit 2
    set login-block-time 60
    set login-timeout 30
    set dtls-hello-timeout 60
    set tunnel-ip-pools "VPN_SSL_Test" and others
    set dns-suffix xxxx
    set dns-server1 xxxx
    set dns-server2 xxxx
    set wins-server1 0.0.0.0
    set wins-server2 0.0.0.0
    set ipv6-dns-server1 ::
    set ipv6-dns-server2 ::
    set ipv6-wins-server1 ::
    set ipv6-wins-server2 ::
    set route-source-interface enable
    set url-obscuration disable
    set http-compression disable
    set http-only-cookie enable
    set port 443
    set port-precedence enable
    set auto-tunnel-static-route enable
    set header-x-forwarded-for add
    set source-interface xxxx
    set source-address xxx
    set source-address-negate disable
    set source-address6-negate disable
    set default-portal "WEB"
    config authentication-rule
        edit xxx
            set groups "VPN_Test"
            set portal "VPN_Test"
            set realm ''
            set client-cert disable
            set cipher high
            set auth any
        next
    set dtls-tunnel enable
    set check-referer enable
    set http-request-header-timeout 20
    set http-request-body-timeout 30
Sorry, I copied your settings but am still not able to reproduce it; I guess it's related to other configurations. Below is my SSL VPN setting. I tested with ping/telnet/http/https in tunnel mode, and no crash was observed.
Regards
===
config vpn ssl settings
    set reqclientcert disable
    set tlsv1-0 disable
    set tlsv1-1 disable
    set tlsv1-2 enable
    unset banned-cipher
    set ssl-big-buffer disable
    set ssl-insert-empty-fragment enable
    set https-redirect enable
    set ssl-client-renegotiation disable
    set force-two-factor-auth disable
    set servercert "Fortinet_Factory"
    set algorithm high
    set idle-timeout 900
    set auth-timeout 28800
    set login-attempt-limit 2
    set login-block-time 60
    set login-timeout 30
    set dtls-hello-timeout 60
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set dns-suffix ''
    set dns-server1 172.16.95.16
    set dns-server2 8.8.8.8
    set wins-server1 0.0.0.0
    set wins-server2 0.0.0.0
    set ipv6-dns-server1 ::
    set ipv6-dns-server2 ::
    set ipv6-wins-server1 ::
    set ipv6-wins-server2 ::
    set route-source-interface enable
    set url-obscuration disable
    set http-compression disable
    set http-only-cookie enable
    set port 10443
    set port-precedence enable
    set auto-tunnel-static-route enable
    set header-x-forwarded-for add
    set source-interface "port9"
    set source-address "all"
    set source-address-negate disable
    set source-address6 "all"
    set source-address6-negate disable
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "kg"
            set portal "full-access"
            set realm ''
            set client-cert disable
            set cipher high
            set auth any
        next
    end
    set dtls-tunnel enable
    set check-referer enable
    set http-request-header-timeout 20
    set http-request-body-timeout 30
end
===
Anything in portal setting? And did you enable host-check-software?
No.
My portal:
set tunnel-mode enable
set ipv6-tunnel-mode disable
set web-mode enable
set host-check none
set limit-user-logins enable
set mac-addr-check disable
set os-check disable
set forticlient-download enable
set ip-mode range
set auto-connect disable
set keep-alive disable
set save-password disable
set ip-pools "x"
set split-tunneling enable
set split-tunneling-routing-address "x" "x" "x"
set dns-server1 0.0.0.0
set dns-server2 0.0.0.0
set dns-suffix "x"
set wins-server1 0.0.0.0
set wins-server2 0.0.0.0
set display-bookmark enable
set user-bookmark disable
set user-group-bookmark enable
config bookmark-group
set display-connection-tools enable
set display-history disable
set display-status enable
set heading "xq"
set redir-url ''
set theme blue
set custom-lang ''
set smb-ntlmv1-auth disable
set forticlient-download-method direct
set customize-forticlient-download-url disable
Have tried, but still no luck. As you mentioned it occurred occasionally, I will do more tests. Thanks.
kurtli_FTNT wrote: Hello, Have tried, but still no luck. As you mentioned it occurred occasionally, I will do more tests. Thanks.
You can test web mode also?
Hello,
We are experiencing the SSLVPN signal 11 segmentation fault on FortiGate 600D version 5.6.2 also:
3273: 2018-03-23 12:11:09 <00237> firmware FortiGate-600D v5.6.2,build1486b1486,170816 (GA) (Release)
3274: 2018-03-23 12:11:09 <00237> application sslvpnd
3275: 2018-03-23 12:11:09 <00237> *** signal 11 (Segmentation fault) received ***
3276: 2018-03-23 12:11:09 <00237> Register dump:
3277: 2018-03-23 12:11:09 <00237> RAX: 0000000000000044 RBX: 00007fd639a00018
3278: 2018-03-23 12:11:09 <00237> RCX: 000000000000342d RDX: 00007fd639810100
3279: 2018-03-23 12:11:09 <00237> R8: 00007fd639bfe000 R9: 00007fffb764d710
3280: 2018-03-23 12:11:09 <00237> R10: 0000000000000000 R11: 0000000000000017
3281: 2018-03-23 12:11:09 <00237> R12: 00007fd63980f000 R13: 00007fd63980f698
3282: 2018-03-23 12:11:09 <00237> R14: 00007fd639813ca8 R15: 0000000000000002
3283: 2018-03-23 12:11:09 <00237> RSI: 00007fd639a00018 RDI: 00007fd639810058
3284: 2018-03-23 12:11:09 <00237> RBP: 00007fffb764d8b0 RSP: 00007fffb764d888
3285: 2018-03-23 12:11:09 <00237> RIP: 0000000000000000 EFLAGS: 0000000000010206
3286: 2018-03-23 12:11:09 <00237> CS: 0033 FS: 0000 GS: 0000
3287: 2018-03-23 12:11:09 <00237> Trap: 000000000000000e Error: 0000000000000014
3288: 2018-03-23 12:11:09 <00237> OldMask: 0000000000000000
3289: 2018-03-23 12:11:09 <00237> CR2: 0000000000000000
3290: 2018-03-23 12:11:09 <00237> Backtrace:
3291: 2018-03-23 12:11:09 <00237> [0x00000000]
3292: 2018-03-23 12:11:09 <00237> [0x012864df] => /bin/sslvpnd
3293: 2018-03-23 12:11:09 <00237> [0x012e5f44] => /bin/sslvpnd
3294: 2018-03-23 12:11:09 <00237> [0x012e643b] => /bin/sslvpnd
3295: 2018-03-23 12:11:09 <00237> [0x012e73ef] => /bin/sslvpnd
3296: 2018-03-23 12:11:09 <00237> [0x012e849d] => /bin/sslvpnd
3297: 2018-03-23 12:11:09 <00237> [0x012e872b] => /bin/sslvpnd
3298: 2018-03-23 12:11:09 <00237> [0x012e8c72] => /bin/sslvpnd
3299: 2018-03-23 12:11:09 <00237> [0x0042a4e0] => /bin/sslvpnd
3300: 2018-03-23 12:11:09 <00237> [0x00430bc4] => /bin/sslvpnd
3301: 2018-03-23 12:11:09 <00237> [0x0042e11c] => /bin/sslvpnd
3302: 2018-03-23 12:11:09 <00237> [0x0042fe31] => /bin/sslvpnd
3303: 2018-03-23 12:11:09 <00237> [0x00430771] => /bin/sslvpnd
3304: 2018-03-23 12:11:09 <00237> [0x7fd63dbea475] => /fortidev4-x86_64/lib/libc.so.6
3305: 2018-03-23 12:11:09 (__libc_start_main+0x000000f5) liboffset 00021475
Crash log interval is 3600 seconds
sslvpnd crashed 3 times. The lastest crash was at 2018-03-23 13:11:09
It seems that the problem is present on FortiGate 500E version 5.6.3 also:
292: 2018-04-24 09:20:00 sslvpnd crashed 7 times. The last crash was at 2018-04-24 08:20:00
293: 2018-04-24 09:20:00 <18332> firmware FortiGate-500E v5.6.3,build1547b1547,171204 (GA) (Release)
294: 2018-04-24 09:20:00 <18332> application sslvpnd
295: 2018-04-24 09:20:00 <18332> *** signal 11 (Segmentation fault) received ***
296: 2018-04-24 09:20:00 <18332> Register dump:
297: 2018-04-24 09:20:00 <18332> RAX: 0000000000000044 RBX: 00007fb478d6d018
298: 2018-04-24 09:20:00 <18332> RCX: 0000000000003485 RDX: 00007fb478d57500
299: 2018-04-24 09:20:00 <18332> R8: 00007fb478068000 R9: 00007fff13584520
300: 2018-04-24 09:20:00 <18332> R10: 0000000000000000 R11: 0000000000000016
301: 2018-04-24 09:20:00 <18332> R12: 00007fb478d56400 R13: 00007fb478d56a98
302: 2018-04-24 09:20:00 <18332> R14: 00007fb478d5bca8 R15: 0000000000000002
303: 2018-04-24 09:20:00 <18332> RSI: 00007fb478d6d018 RDI: 00007fb478d57458
304: 2018-04-24 09:20:00 <18332> RBP: 00007fff135846c0 RSP: 00007fff13584698
305: 2018-04-24 09:20:00 <18332> RIP: 0000000000000000 EFLAGS: 0000000000010206
306: 2018-04-24 09:20:00 <18332> CS: 0033 FS: 0000 GS: 0000
307: 2018-04-24 09:20:00 <18332> Trap: 000000000000000e Error: 0000000000000014
308: 2018-04-24 09:20:00 <18332> OldMask: 0000000000000000
309: 2018-04-24 09:20:00 <18332> CR2: 0000000000000000
310: 2018-04-24 09:20:00 <18332> Backtrace:
311: 2018-04-24 09:20:00 <18332> [0x00000000]
312: 2018-04-24 09:20:00 <18332> [0x0120b84f] => /bin/sslvpnd
313: 2018-04-24 09:20:00 <18332> [0x0126c274] => /bin/sslvpnd
314: 2018-04-24 09:20:00 <18332> [0x0126c76b] => /bin/sslvpnd
315: 2018-04-24 09:20:00 <18332> [0x0126d70f] => /bin/sslvpnd
316: 2018-04-24 09:20:00 <18332> [0x0126e7bd] => /bin/sslvpnd
317: 2018-04-24 09:20:00 <18332> [0x0126ea4b] => /bin/sslvpnd
318: 2018-04-24 09:20:00 <18332> [0x0126f684] => /bin/sslvpnd
319: 2018-04-24 09:20:00 <18332> [0x0042af20] => /bin/sslvpnd
320: 2018-04-24 09:20:00 <18332> [0x00431654] => /bin/sslvpnd
321: 2018-04-24 09:20:00 <18332> [0x0042eb5c] => /bin/sslvpnd
322: 2018-04-24 09:20:00 <18332> [0x00430851] => /bin/sslvpnd
323: 2018-04-24 09:20:00 <18332> [0x004311f9] => /bin/sslvpnd
324: 2018-04-24 09:20:00 <18332> [0x7fb47d5e6475] => /fortidev4-x86_64/lib/libc.so.6
325: 2018-04-24 09:20:00 (__libc_start_main+0x000000f5) liboffset 00021475
AtiT
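Both dumps above have the same shape: sslvpnd dies with signal 11 at RIP 0, i.e. a call through a null function pointer, on two different models and builds. As an added example (not code from this thread or from Fortinet), here is a small parser for crashlog records in the format quoted above that groups lines per crashed process, keeps the backtrace frames, and counts null-RIP segfaults per daemon, which is the kind of check worth running over an exported crashlog before opening a TAC case. The sample input is constructed: the sslvpnd record is modelled on the dump quoted above, the wad record is invented.

```python
import re
from collections import defaultdict
# Constructed sample in the format of `diagnose debug crashlog read`: the sslvpnd record
# is modelled on the dump quoted in the thread, the wad record is invented for contrast.
SAMPLE_CRASHLOG = """\
3273: 2018-03-23 12:11:09 <00237> firmware FortiGate-600D v5.6.2,build1486b1486,170816 (GA) (Release)
3274: 2018-03-23 12:11:09 <00237> application sslvpnd
3275: 2018-03-23 12:11:09 <00237> *** signal 11 (Segmentation fault) received ***
3285: 2018-03-23 12:11:09 <00237> RIP: 0000000000000000 EFLAGS: 0000000000010206
3292: 2018-03-23 12:11:09 <00237> [0x012864df] => /bin/sslvpnd
3304: 2018-03-23 12:11:09 <00237> [0x7fd63dbea475] => /fortidev4-x86_64/lib/libc.so.6
3305: 2018-03-23 12:11:09 (__libc_start_main+0x000000f5) liboffset 00021475
3306: 2018-03-23 14:02:41 <01234> firmware FortiGate-600D v5.6.2,build1486b1486,170816 (GA) (Release)
3307: 2018-03-23 14:02:41 <01234> application wad
3308: 2018-03-23 14:02:41 <01234> *** signal 11 (Segmentation fault) received ***
3309: 2018-03-23 14:02:41 <01234> RIP: 00000000004a1b2c EFLAGS: 0000000000010246
"""

LINE_RE = re.compile(r"^\d+: (\S+ \S+) <(\d+)> (.*)$")
FRAME_RE = re.compile(r"^\[0x([0-9a-f]+)\](?: => (\S+))?$")

def parse_crashlog(text):
    """Group lines by (pid, timestamp) into one record per crash."""
    crashes = {}
    for line in text.splitlines():
        if not (m := LINE_RE.match(line)):
            continue  # lines without a <pid>, e.g. the liboffset trailer
        when, pid, body = m.groups()
        rec = crashes.setdefault((pid, when), {"time": when, "rip": None, "frames": []})
        if body.startswith("firmware "):
            rec["firmware"] = body[len("firmware "):]
        elif body.startswith("application "):
            rec["application"] = body[len("application "):]
        elif body.startswith("*** signal "):
            rec["signal"] = int(body.split()[2])
        elif body.startswith("RIP: "):
            rec["rip"] = int(body.split()[1], 16)
        else:
            f = FRAME_RE.match(body)
            if f:
                rec["frames"].append((int(f.group(1), 16), f.group(2)))
    return list(crashes.values())

def triage(crashes):
    """Crash count per application and how many died at RIP 0 (call through a null pointer)."""
    summary = defaultdict(lambda: {"count": 0, "null_rip": 0})
    for c in crashes:
        s = summary[c.get("application", "unknown")]
        s["count"] += 1
        if c.get("signal") == 11 and c.get("rip") == 0:
            s["null_rip"] += 1
    return dict(summary)
```

A repeated null-RIP segfault in a daemon that listens on the SSL VPN port is the record to escalate first, since it reproduces on remote input rather than on an admin action.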
I have a dream that one day Fortinet will release a version with the least awful bugs. I had to upgrade due to crashes in the IPS engine, wad and was, and now the crash has passed to vpnssl.
Support today:
Good Afternoon, The case is being reported, I will let you know as soon as I have further information.