FortiOS 6.2: memory issues, best approach

ted_barker · ‎04-01-2019

Hi,

I've been running 6.2 Beta and have switched to 6.2 public release, but the memory goes quickly up and system enters conserve mode and the system becomes unusable.

The 61E was running always around 75 to 80% for a couple of months, now with 6.2 the memory increased after an hour to that level and became useless.

What are your experiences and any best approaches with 6.2 troubleshooting (most probably the same as before) and feedback to Fortinet?

BrianB · ‎10-28-2019

Nick, keep an eye on memory utilization. If you notice it creep up again, just try restarting the wad process and see if that lowers memory utilization (diagnose test application wad 99) will restart the was processes.

Yes, this was supposed to be resolved in 6.2.1 and it did resolve the issue for me for me although I have noticed memory creeping up but at a very slow rate (weeks compared to hours as it was in 6.2.0)

I have encountered some bugs with 6.2.1 that are supposedly fixed in 6.2.2 but upon reading the release notes for 6.2.2 they mention a known issue is high memory utilization. I do not know if the issue is re-introduced in 6.2.2 or what, but that fact that it is mentioned in the release notes has me waiting until 6.2.3. When I was running 6.2.0 the high mem issue was causing my entire network to drop and the only fix was to reboot the fortigates.

Steffi · ‎07-15-2021

NickBurns wrote:
I'm running a FortiWiFi 30E with OS 6.2.1. We upgraded all of our FortiGates from 6.0.4 to 6.2.1 a couple months ago (this is the only 30E we have). I just had an incident today where users connected to the 30E couldn't reach the Internet, and when I logged in, I got the "running on Conserve Mode due to high memory" message. Memory was above 80%. I rebooted the device...now memory is around 72%. When I run 'diag sys top', I do see a "wad" and a couple "ipsengine" processes, but don't know if the numbers beside them are significant or not. From what I'm reading, perhaps 6.2.1 resolves the issue, but it is still a problem with 30Es?

Same in 6.2.9 with 30E. Got it back to 5.6.13 and everything ok again. I still ask myself, why it is me working for Fortinet and not the way around. In the end, I am paying lots of money for a small company with maybe some traffic and a bit of vpn from time to time. Firmware updates produce now the same feeling as installing new highpoint drivers on Abit Boards many years ago: gambling.

seadave · ‎07-15-2021

I would not be running 5.6. That is VERY old code and vulnerable to exploits. Since I wrote my response 2 years ago, we migrated from 6.0.10 to 6.4.4 (skipped 6.2.X running in production because it was too buggy at that time). There are some big changes moving from 5.6 to that regarding DLP and how policies are constructed. The risk you take by staying on such an old version is when/if you do decide to upgrade you will have a lot of issues due to feature adds/changes. Before your config gets too complex, I'd suggest you look at the upgrade path to 6.4.4. It has been stable for us on 501Es in HA. We want to update to 6.4.6 but are waiting for 6.4.7 due to some bugs in 6.4.6. Use Fortinet's upgrade tool on the support site to determine which versions you need to install during the process. You can't go from A -> B, there are specific versions you need to install to go from such old code. Make config backups between versions, and use the "diag debug config-error-log read" via the console between upgrades to help you see what config parameters didn't make it between versions. It also helps to have a laptop with Putty running over serial so you can watch the console during the upgrade process for errors, etc. Enabling logging to a file with that and you'll have a record you can review to see what you need to test due to config/feature enablement changes.

Steffi · ‎07-15-2021

I did exactly this, following the upgrade path version by version. 6.4 is not made for 30E, with 6.2 is, as I know, finish for 30E. My firewall itself is not as critical as some others, only 3 clients and some vpn, nothing more. NYWAY, i feel as I am doing work, someone other should be doing for me.