thuynh wrote:

Thanks emnoc and Antonio, we've created an internal ticket to track this issue (0443713). However, we'll need the actual p12/pfx cert to debug further (include password if it's protected). Can you create a CSS ticket (if havent already) and provide the file there? You can use a dummy cert which is similar to the one that you have issue. The CSS ticket can use the above bug number as a reference.

 

I'm trying to get a case open but 1st our FGT100D on downgrading back down to 5.4.x seems to not take the new image and format of the disk and tftp seems to not work.

 

 

So as suport fixes that issues, I can open a ticket on the cert import. The pfx bundle btw imported fine on other FGT appliance running 5.4.3 5.4.5 and 5.2.11, so it's not the pfx bundle that's the issue.

 

Support can easily craft a self-sign cert and try to import the pfx bundle. Also if we take a CSR generate on the FGT appliance and sign the certificate, upon import of the just the certificate fails. We have our own  Entrust Intermediate CA and I tried CAcert signed certificate also.

 

 

 

 

emnoc wrote:

thuynh wrote:

Thanks emnoc and Antonio, we've created an internal ticket to track this issue (0443713). However, we'll need the actual p12/pfx cert to debug further (include password if it's protected). Can you create a CSS ticket (if havent already) and provide the file there? You can use a dummy cert which is similar to the one that you have issue. The CSS ticket can use the above bug number as a reference.

I'm trying to get a case open but 1st our FGT100D on downgrading back down to 5.4.x seems to not take the new image and format of the disk and tftp seems to not work.

 

So as suport fixes that issues, I can open a ticket on the cert import. The pfx bundle btw imported fine on other FGT appliance running 5.4.3 5.4.5 and 5.2.11, so it's not the pfx bundle that's the issue.

 

Support can easily craft a self-sign cert and try to import the pfx bundle. Also if we take a CSR generate on the FGT appliance and sign the certificate, upon import of the just the certificate fails. We have our own  Entrust Intermediate CA and I tried CAcert signed certificate also.

Thanks emnoc, we added some restrictions in 5.6.1 to reject unsecured/invalid certs but I'm not sure if it's related. We'll be able to tell once we have the certs.

Thanks

 

We 've tried numerous certificate std/sans/self-Signed/etc.... my ticket on  getting my FG100D backup so I can reflash  it is tkt.id  2308481 .

 

Once I get that back , I will make a re-attempt and upload all related information in a  new  case.

 

Thanks

 

One more thing that I just found, the cli cmd  diag sys checkused is not a validate command any more.

 

emnoc wrote:

One more thing that I just found, the cli cmd  diag sys checkused is not a validate command any more.

As of FortiOS 5.6, the command is now "diagnose sys cmdb refcnt"

rojekj wrote:

thuynh wrote:

Hi Rojekj and Antonio, thank you for reporting the issue with SSL VPN. This is a known issue and should have been included in 5.6.1 release note (internal ticket 0442808). We already have a fix for it and we will update the release note shortly. Sorry for the miscommunication.

May I ask when do You plan to release this fix? I'm going to be killed by my clients at the end of next week, unless I'll fix their VPN. And You are the only ones who can prevent this and save my poor life.

Updating release notes should happen, but does not resolve our issue.

 

You must understand that crashing sslvpn daemon is a very serious bug, that should be fixed in the first place, and in my opinion release of the new firmware that fix this should occure immediately, not waiting for other fixes.

Thanks rojekj, we do understand this issue is a show stopper for SSLVPN users. We are actively reviewing it and will get back to you as soon as we can. 

Hi Rojekj, If your customer is running D or older, revert/install 5.4.5 or 5.2.11. If your customer is running a E serie and 5.6.0 was working OK, revert to 5.6.0. Otherwise if it has a support contract (which they must have on a production box), open a P1 with support and escalate as necessary if you don't have acceptable response. Just my 2 cents...

rojekj wrote:

thuynh wrote:
Hi Rojekj and Antonio, thank you for reporting the issue with SSL VPN. This is a known issue and should have been included in 5.6.1 release note (internal ticket 0442808). We already have a fix for it and we will update the release note shortly. Sorry for the miscommunication.

May I ask when do You plan to release this fix? I'm going to be killed by my clients at the end of next week, unless I'll fix their VPN. And You are the only ones who can prevent this and save my poor life. Updating release notes should happen, but does not resolve our issue.   You must understand that crashing sslvpn daemon is a very serious bug, that should be fixed in the first place, and in my opinion release of the new firmware that fix this should occure immediately, not waiting for other fixes.

Hi Rojekj,

 

sslvpn daemon crash is an known issue. it happens when tunnel mode ssl vpn user logout.

 

Thanks

Johnson

 

I can not see Local traffic (Fortigate's self traffic) in Foriview of ver5.6.1. In 5.2 were able to see the fortigate local traffic. Is it no longer visible in the 5.6 series?