Support Forum
Carl_Wallmark
Valued Contributor

FortiOS 5.6.4 is out.


FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

1 Solution
Toshi_Esumi
Esteemed Contributor III

I tried it on a 60D, forgetting that our office 60D's policies use a zone that includes a physical interface (non-tagged) and multiple VLAN subinterfaces (tagged), after reading through the release notes and noticing the caution "all members of the zone would be dropped". Sure enough, it did.

After a TT with TAC and some tests of my own with another test 60D, I decided to go back to 5.4.8 for the office 60D, because the only way to restore the zone (the original set of policies) with all members is to remove all VLANs on the physical interface and put the physical interface in as the sole member of the zone first. Then you can recreate all the VLANs I removed and put them in the zone. Not only DHCP servers but some other widgets monitoring usage need to be removed before I can remove the VLANs. In the middle of trying this process I gave up and decided to wait for the next release, 5.6.5. TAC gave me the bug ID, but it's not in the "known issues" list in the release notes.


kurtli_FTNT

Hi Bruno,

I am not able to reproduce your issue on "FortiGate-600D v5.6.4,build1575,180425 (GA)", tunnel mode with FCT 5.4.2 0860 on Win10. Is there any particular configuration you have, and how did you trigger this issue?

 

 

Thanks.

Bruno_Pereira

Hello!

 

My conf:

 

config vpn ssl settings
    set reqclientcert disable
    set tlsv1-0 disable
    set tlsv1-1 disable
    set tlsv1-2 enable
    unset banned-cipher
    set ssl-big-buffer disable
    set ssl-insert-empty-fragment enable
    set https-redirect enable
    set ssl-client-renegotiation disable
    set force-two-factor-auth disable
    set servercert xxxx
    set algorithm high
    set idle-timeout 900
    set auth-timeout 28800
    set login-attempt-limit 2
    set login-block-time 60
    set login-timeout 30
    set dtls-hello-timeout 60
    set tunnel-ip-pools "VPN_SSL_Test" and others
    set dns-suffix xxxx
    set dns-server1 xxxx
    set dns-server2 xxxx
    set wins-server1 0.0.0.0
    set wins-server2 0.0.0.0
    set ipv6-dns-server1 ::
    set ipv6-dns-server2 ::
    set ipv6-wins-server1 ::
    set ipv6-wins-server2 ::
    set route-source-interface enable
    set url-obscuration disable
    set http-compression disable
    set http-only-cookie enable
    set port 443
    set port-precedence enable
    set auto-tunnel-static-route enable
    set header-x-forwarded-for add
    set source-interface xxxx
    set source-address xxx
    set source-address-negate disable
    set source-address6-negate disable
    set default-portal "WEB"
    config authentication-rule
        edit xxx
            set groups "VPN_Test"
            set portal "VPN_Test"
            set realm ''
            set client-cert disable
            set cipher high
            set auth any
        next
    end
    set dtls-tunnel enable
    set check-referer enable
    set http-request-header-timeout 20
    set http-request-body-timeout 30
end

 

kurtli_FTNT

Sorry, I copied your settings but am still not able to reproduce it; I guess it's related to other configuration. Below is my SSL VPN setting. I tested with ping/telnet/http/https in tunnel mode, and no crash was observed.

 

Regards

===

config vpn ssl settings
    set reqclientcert disable
    set tlsv1-0 disable
    set tlsv1-1 disable
    set tlsv1-2 enable
    unset banned-cipher
    set ssl-big-buffer disable
    set ssl-insert-empty-fragment enable
    set https-redirect enable
    set ssl-client-renegotiation disable
    set force-two-factor-auth disable
    set servercert "Fortinet_Factory"
    set algorithm high
    set idle-timeout 900
    set auth-timeout 28800
    set login-attempt-limit 2
    set login-block-time 60
    set login-timeout 30
    set dtls-hello-timeout 60
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set dns-suffix ''
    set dns-server1 172.16.95.16
    set dns-server2 8.8.8.8
    set wins-server1 0.0.0.0
    set wins-server2 0.0.0.0
    set ipv6-dns-server1 ::
    set ipv6-dns-server2 ::
    set ipv6-wins-server1 ::
    set ipv6-wins-server2 ::
    set route-source-interface enable
    set url-obscuration disable
    set http-compression disable
    set http-only-cookie enable
    set port 10443
    set port-precedence enable
    set auto-tunnel-static-route enable
    set header-x-forwarded-for add
    set source-interface "port9"
    set source-address "all"
    set source-address-negate disable
    set source-address6 "all"
    set source-address6-negate disable
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "kg"
            set portal "full-access"
            set realm ''
            set client-cert disable
            set cipher high
            set auth any
        next
    end
    set dtls-tunnel enable
    set check-referer enable
    set http-request-header-timeout 20
    set http-request-body-timeout 30
end

===
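When two boxes run the same feature and only one crashes, the first question is which settings actually differ. The script below is an added example for this thread (not Fortinet code and not posted by anyone above): it flattens FortiOS CLI `show` output into path/value pairs and diffs two blocks. The two excerpts are constructed to mirror the differences visible between the settings posted by Bruno_Pereira and kurtli_FTNT (port, servercert, tunnel pools, the IPv6 settings present only in one, the portal names); the interface and object names in them are made up.

```python
"""Diff two FortiOS 'config vpn ssl settings' blocks setting by setting.

Added example for this thread; not Fortinet code. The two excerpts are constructed
to mirror the differences between the two settings blocks posted above; names are
made up.
"""

ABSENT = "<absent>"   # key present in only one of the two blocks
UNSET = "<unset>"     # the CLI printed 'unset key'


def parse_fortios(text: str) -> dict:
    """Flatten FortiOS CLI output into {'config a/edit b/key': 'value'}.

    The config/edit nesting is tracked on a stack; 'next' and 'end' pop it.
    Values keep the quoting the CLI printed, so multi-value lines survive intact.
    """
    flat, stack = {}, []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        kw = tok[0]
        if kw in ("config", "edit"):
            stack.append(f"{kw} {' '.join(tok[1:])}")
        elif kw in ("next", "end"):
            if stack:
                stack.pop()
        elif kw == "set" and len(tok) >= 2:
            flat["/".join(stack + [tok[1]])] = " ".join(tok[2:])
        elif kw == "unset" and len(tok) >= 2:
            flat["/".join(stack + [tok[1]])] = UNSET
    return flat


def diff_config(a: dict, b: dict) -> dict:
    """Return {path: (value_in_a, value_in_b)} for every setting that differs."""
    out = {}
    for key in sorted(set(a) | set(b)):
        va, vb = a.get(key, ABSENT), b.get(key, ABSENT)
        if va != vb:
            out[key] = (va, vb)
    return out


def differing_settings(text_a: str, text_b: str) -> dict:
    return diff_config(parse_fortios(text_a), parse_fortios(text_b))


# Constructed excerpt in the style of the crashing box's settings.
CRASHING = """\
config vpn ssl settings
    set tlsv1-0 disable
    set tlsv1-1 disable
    set tlsv1-2 enable
    unset banned-cipher
    set servercert "example-cert"
    set tunnel-ip-pools "VPN_SSL_Test"
    set port 443
    set source-interface "wan1"
    set source-address "all"
    set default-portal "WEB"
    config authentication-rule
        edit 1
            set groups "VPN_Test"
            set portal "VPN_Test"
            set cipher high
        next
    end
    set dtls-tunnel enable
end
"""

# Constructed excerpt in the style of the non-crashing reference box.
REFERENCE = """\
config vpn ssl settings
    set tlsv1-0 disable
    set tlsv1-1 disable
    set tlsv1-2 enable
    unset banned-cipher
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 10443
    set source-interface "port9"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "kg"
            set portal "full-access"
            set cipher high
        next
    end
    set dtls-tunnel enable
end
"""

if __name__ == "__main__":
    for path, (va, vb) in differing_settings(CRASHING, REFERENCE).items():
        print(f"{path}: {va}  ->  {vb}")
```

Authentication rules are keyed by their `edit` ID, so a rule with a different ID on each box shows up as absent on one side and present on the other rather than as changed values; renumber them to match before comparing if that is noise. The same parser works for the `config vpn ssl web portal` output posted later in the thread.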

Bruno_Pereira

Thanks for your help!

 

According to the image, the crashes occur at random times:

PS: I have on average 50 to 86 users connected daily.

What other configuration could interfere with SSL VPN?

 

 

kurtli_FTNT

Anything in portal setting? And did you enable host-check-software?

 

Bruno_Pereira

No.

My portal:

 

        set tunnel-mode enable
        set ipv6-tunnel-mode disable
        set web-mode enable
        set host-check none
        set limit-user-logins enable
        set mac-addr-check disable
        set os-check disable
        set forticlient-download enable
        set ip-mode range
        set auto-connect disable
        set keep-alive disable
        set save-password disable
        set ip-pools "x"
        set split-tunneling enable
        set split-tunneling-routing-address "x" "x" "x"
        set dns-server1 0.0.0.0
        set dns-server2 0.0.0.0
        set dns-suffix "x"
        set wins-server1 0.0.0.0
        set wins-server2 0.0.0.0
        set display-bookmark enable
        set user-bookmark disable
        set user-group-bookmark enable
        config bookmark-group
        end
        set display-connection-tools enable
        set display-history disable
        set display-status enable
        set heading "xq"
        set redir-url ''
        set theme blue
        set custom-lang ''
        set smb-ntlmv1-auth disable
        set forticlient-download-method direct
        set customize-forticlient-download-url disable
kurtli_FTNT

I have tried, but still no luck. As you mentioned it occurs occasionally, I will do more testing. Thanks.

 

Bruno_Pereira

kurtli_FTNT wrote:

I have tried, but still no luck. As you mentioned it occurs occasionally, I will do more testing. Thanks.

 

Hello,

Can you test web mode also?

AtiT
Valued Contributor

Hello,

We are experiencing the SSL VPN signal 11 segmentation fault on FortiGate 600D version 5.6.2 also:

3273: 2018-03-23 12:11:09 <00237> firmware FortiGate-600D v5.6.2,build1486b1486,170816 (GA) (Release)
3274: 2018-03-23 12:11:09 <00237> application sslvpnd
3275: 2018-03-23 12:11:09 <00237> *** signal 11 (Segmentation fault) received ***
3276: 2018-03-23 12:11:09 <00237> Register dump:
3277: 2018-03-23 12:11:09 <00237> RAX: 0000000000000044 RBX: 00007fd639a00018
3278: 2018-03-23 12:11:09 <00237> RCX: 000000000000342d RDX: 00007fd639810100
3279: 2018-03-23 12:11:09 <00237> R8: 00007fd639bfe000 R9: 00007fffb764d710
3280: 2018-03-23 12:11:09 <00237> R10: 0000000000000000 R11: 0000000000000017
3281: 2018-03-23 12:11:09 <00237> R12: 00007fd63980f000 R13: 00007fd63980f698
3282: 2018-03-23 12:11:09 <00237> R14: 00007fd639813ca8 R15: 0000000000000002
3283: 2018-03-23 12:11:09 <00237> RSI: 00007fd639a00018 RDI: 00007fd639810058
3284: 2018-03-23 12:11:09 <00237> RBP: 00007fffb764d8b0 RSP: 00007fffb764d888
3285: 2018-03-23 12:11:09 <00237> RIP: 0000000000000000 EFLAGS: 0000000000010206
3286: 2018-03-23 12:11:09 <00237> CS: 0033 FS: 0000 GS: 0000
3287: 2018-03-23 12:11:09 <00237> Trap: 000000000000000e Error: 0000000000000014
3288: 2018-03-23 12:11:09 <00237> OldMask: 0000000000000000
3289: 2018-03-23 12:11:09 <00237> CR2: 0000000000000000
3290: 2018-03-23 12:11:09 <00237> Backtrace:
3291: 2018-03-23 12:11:09 <00237> [0x00000000]
3292: 2018-03-23 12:11:09 <00237> [0x012864df] => /bin/sslvpnd
3293: 2018-03-23 12:11:09 <00237> [0x012e5f44] => /bin/sslvpnd
3294: 2018-03-23 12:11:09 <00237> [0x012e643b] => /bin/sslvpnd
3295: 2018-03-23 12:11:09 <00237> [0x012e73ef] => /bin/sslvpnd
3296: 2018-03-23 12:11:09 <00237> [0x012e849d] => /bin/sslvpnd
3297: 2018-03-23 12:11:09 <00237> [0x012e872b] => /bin/sslvpnd
3298: 2018-03-23 12:11:09 <00237> [0x012e8c72] => /bin/sslvpnd
3299: 2018-03-23 12:11:09 <00237> [0x0042a4e0] => /bin/sslvpnd
3300: 2018-03-23 12:11:09 <00237> [0x00430bc4] => /bin/sslvpnd
3301: 2018-03-23 12:11:09 <00237> [0x0042e11c] => /bin/sslvpnd
3302: 2018-03-23 12:11:09 <00237> [0x0042fe31] => /bin/sslvpnd
3303: 2018-03-23 12:11:09 <00237> [0x00430771] => /bin/sslvpnd
3304: 2018-03-23 12:11:09 <00237> [0x7fd63dbea475] => /fortidev4-x86_64/lib/libc.so.6
3305: 2018-03-23 12:11:09 (__libc_start_main+0x000000f5) liboffset 00021475
Crash log interval is 3600 seconds
sslvpnd crashed 3 times. The lastest crash was at 2018-03-23 13:11:09

 

 

It seems that the problem is present on FortiGate 500E version 5.6.3 also:

 

292: 2018-04-24 09:20:00 sslvpnd crashed 7 times. The last crash was at 2018-04-24 08:20:00
293: 2018-04-24 09:20:00 <18332> firmware FortiGate-500E v5.6.3,build1547b1547,171204 (GA) (Release)
294: 2018-04-24 09:20:00 <18332> application sslvpnd
295: 2018-04-24 09:20:00 <18332> *** signal 11 (Segmentation fault) received ***
296: 2018-04-24 09:20:00 <18332> Register dump:
297: 2018-04-24 09:20:00 <18332> RAX: 0000000000000044 RBX: 00007fb478d6d018
298: 2018-04-24 09:20:00 <18332> RCX: 0000000000003485 RDX: 00007fb478d57500
299: 2018-04-24 09:20:00 <18332> R8: 00007fb478068000 R9: 00007fff13584520
300: 2018-04-24 09:20:00 <18332> R10: 0000000000000000 R11: 0000000000000016
301: 2018-04-24 09:20:00 <18332> R12: 00007fb478d56400 R13: 00007fb478d56a98
302: 2018-04-24 09:20:00 <18332> R14: 00007fb478d5bca8 R15: 0000000000000002
303: 2018-04-24 09:20:00 <18332> RSI: 00007fb478d6d018 RDI: 00007fb478d57458
304: 2018-04-24 09:20:00 <18332> RBP: 00007fff135846c0 RSP: 00007fff13584698
305: 2018-04-24 09:20:00 <18332> RIP: 0000000000000000 EFLAGS: 0000000000010206
306: 2018-04-24 09:20:00 <18332> CS: 0033 FS: 0000 GS: 0000
307: 2018-04-24 09:20:00 <18332> Trap: 000000000000000e Error: 0000000000000014
308: 2018-04-24 09:20:00 <18332> OldMask: 0000000000000000
309: 2018-04-24 09:20:00 <18332> CR2: 0000000000000000
310: 2018-04-24 09:20:00 <18332> Backtrace:
311: 2018-04-24 09:20:00 <18332> [0x00000000]
312: 2018-04-24 09:20:00 <18332> [0x0120b84f] => /bin/sslvpnd
313: 2018-04-24 09:20:00 <18332> [0x0126c274] => /bin/sslvpnd
314: 2018-04-24 09:20:00 <18332> [0x0126c76b] => /bin/sslvpnd
315: 2018-04-24 09:20:00 <18332> [0x0126d70f] => /bin/sslvpnd
316: 2018-04-24 09:20:00 <18332> [0x0126e7bd] => /bin/sslvpnd
317: 2018-04-24 09:20:00 <18332> [0x0126ea4b] => /bin/sslvpnd
318: 2018-04-24 09:20:00 <18332> [0x0126f684] => /bin/sslvpnd
319: 2018-04-24 09:20:00 <18332> [0x0042af20] => /bin/sslvpnd
320: 2018-04-24 09:20:00 <18332> [0x00431654] => /bin/sslvpnd
321: 2018-04-24 09:20:00 <18332> [0x0042eb5c] => /bin/sslvpnd
322: 2018-04-24 09:20:00 <18332> [0x00430851] => /bin/sslvpnd
323: 2018-04-24 09:20:00 <18332> [0x004311f9] => /bin/sslvpnd
324: 2018-04-24 09:20:00 <18332> [0x7fb47d5e6475] => /fortidev4-x86_64/lib/libc.so.6
325: 2018-04-24 09:20:00 (__libc_start_main+0x000000f5) liboffset 00021475

 

AtiT
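Both dumps above carry the same fault data despite different builds: RIP 0, CR2 0, Trap 0xe (page fault), Error 0x14, and a backtrace whose top frame is [0x00000000]. On x86-64 the page-fault error code bits are 0 = page present, 1 = write, 2 = user mode, 4 = instruction fetch; 0x14 sets the user-mode and instruction-fetch bits, so sslvpnd jumped or called through a null function pointer. The parser below is an added example for this thread (not Fortinet code and not from any post above) that turns `diagnose debug crashlog read` output into structured records, decodes that fault data, and counts crashes per daemon; the sample text is constructed in the record format the thread shows, with register and frame values copied from the 600D v5.6.2 dump and the backtrace shortened to a few frames.

```python
"""Parse FortiOS 'diagnose debug crashlog read' output into structured crash records.

Added example for this thread; not Fortinet code. SAMPLE is constructed in the
thread's record format (number, timestamp, optional <pid>, message) with values
taken from the 600D dump above, backtrace shortened.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

RECORD_RE = re.compile(
    r"^(?P<num>\d+): (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:<(?P<pid>\d+)> )?(?P<msg>.*)$"
)
SIGNAL_RE = re.compile(r"\*\*\* signal (?P<sig>\d+) \((?P<desc>[^)]*)\) received \*\*\*")
REG_RE = re.compile(r"(?P<name>[A-Za-z0-9]+): (?P<val>[0-9a-fA-F]{4,16})(?=\s|$)")
FRAME_RE = re.compile(r"^\[0x(?P<addr>[0-9a-fA-F]+)\](?: => (?P<module>\S+))?$")
COUNT_RE = re.compile(r"(?P<app>\S+) crashed (?P<n>\d+) times")


@dataclass
class Crash:
    timestamp: str
    pid: Optional[str]
    firmware: str = ""
    application: str = ""
    signal: Optional[int] = None
    registers: dict = field(default_factory=dict)  # name -> int
    frames: list = field(default_factory=list)     # [(address, module or None), ...]

    def fault_kind(self) -> str:
        """Decode the x86-64 page-fault data in the register dump.

        Trap 0xe is #PF. Error-code bits: 0 = page present, 1 = write,
        2 = user mode, 4 = instruction fetch. CR2 holds the faulting address;
        CR2 == RIP == 0 with the fetch bit set is a call through a null pointer.
        """
        if self.signal != 11 or self.registers.get("Trap") != 0xE:
            return "not a page fault"
        err = self.registers.get("Error", 0)
        access = "instruction fetch" if err & 0x10 else ("write" if err & 0x2 else "read")
        ring = "user" if err & 0x4 else "kernel"
        cause = "protection violation" if err & 0x1 else "non-present page"
        cr2 = self.registers.get("CR2", -1)
        target = "null pointer" if cr2 == 0 else f"0x{cr2:x}"
        return f"{ring}-mode {access}, {cause}, at {target}"

    def in_binary_frames(self) -> list:
        """Return addresses inside the crashing binary (skips the null PC and libc)."""
        return [a for a, m in self.frames if m and m.startswith("/bin/")]


def parse_crashlog(text: str):
    """Return (list of Crash, Counter of 'X crashed N times' summaries)."""
    crashes, counts, cur, in_bt = [], Counter(), None, False
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        msg = m.group("msg") if m else line.strip()
        for c in COUNT_RE.finditer(msg):           # summary lines, numbered or not
            counts[c.group("app")] += int(c.group("n"))
        if not m:
            continue
        if msg.startswith("firmware "):            # each dump starts with its firmware line
            cur = Crash(m.group("ts"), m.group("pid"), firmware=msg[len("firmware "):])
            crashes.append(cur)
            in_bt = False
            continue
        if cur is None:
            continue
        if msg.startswith("application "):
            cur.application = msg.split(None, 1)[1]
        elif (s := SIGNAL_RE.search(msg)):
            cur.signal = int(s.group("sig"))
        elif msg == "Backtrace:":
            in_bt = True
        elif in_bt and (f := FRAME_RE.match(msg)):
            cur.frames.append((int(f.group("addr"), 16), f.group("module")))
        elif not in_bt:                            # register dump lines, several per line
            for r in REG_RE.finditer(msg):
                cur.registers[r.group("name")] = int(r.group("val"), 16)
    return crashes, counts


# Constructed sample; values from the 600D dump above, backtrace shortened.
SAMPLE = """\
3273: 2018-03-23 12:11:09 <00237> firmware FortiGate-600D v5.6.2,build1486b1486,170816 (GA) (Release)
3274: 2018-03-23 12:11:09 <00237> application sslvpnd
3275: 2018-03-23 12:11:09 <00237> *** signal 11 (Segmentation fault) received ***
3276: 2018-03-23 12:11:09 <00237> Register dump:
3277: 2018-03-23 12:11:09 <00237> RAX: 0000000000000044 RBX: 00007fd639a00018
3285: 2018-03-23 12:11:09 <00237> RIP: 0000000000000000 EFLAGS: 0000000000010206
3286: 2018-03-23 12:11:09 <00237> CS: 0033 FS: 0000 GS: 0000
3287: 2018-03-23 12:11:09 <00237> Trap: 000000000000000e Error: 0000000000000014
3289: 2018-03-23 12:11:09 <00237> CR2: 0000000000000000
3290: 2018-03-23 12:11:09 <00237> Backtrace:
3291: 2018-03-23 12:11:09 <00237> [0x00000000]
3292: 2018-03-23 12:11:09 <00237> [0x012864df] => /bin/sslvpnd
3293: 2018-03-23 12:11:09 <00237> [0x012e5f44] => /bin/sslvpnd
3304: 2018-03-23 12:11:09 <00237> [0x7fd63dbea475] => /fortidev4-x86_64/lib/libc.so.6
3305: 2018-03-23 12:11:09 (__libc_start_main+0x000000f5) liboffset 00021475
3306: 2018-03-23 13:11:09 sslvpnd crashed 3 times. The last crash was at 2018-03-23 13:11:09
"""

if __name__ == "__main__":
    crashes, counts = parse_crashlog(SAMPLE)
    for c in crashes:
        print(c.timestamp, c.application, c.firmware, "->", c.fault_kind())
        print("  frames in binary:", [hex(a) for a in c.in_binary_frames()])
    print(dict(counts))
```

The in-binary frame addresses are build-specific (compare the 600D and 500E backtraces above), so when filing or matching a TAC case, key on the firmware line plus the frame list rather than on raw addresses across builds.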
Bruno_Pereira
New Contributor III

I have a dream that one day Fortinet will release a version with the fewest awful bugs. I had to upgrade due to crashes in the IPS engine, wad and was, and now the crash has moved to SSL VPN.

 

Support today:

Good afternoon. The case is being reported; I will let you know as soon as I have further information.

 

 
