If you're having connectivity issues, check if DoS sensor is enabled. If so, disable it completely. That should resolve the issue you're seeing.
I had a conversation with an FTNT SE today about 6.2.4 problems. The major issues seem to boil down to the three issues below:
1. DoS policy issue: it's still a known issue with 6.2.4 and not resolved, which is in the release notes.
2. IPS engine keeps crashing. A new engine is planned to be released soon. Then this would be resolved.
3. WAD memory leak issue is still not 100% resolved.
6.2.5 will fix these issues and come out relatively shortly, although he couldn't tell me any target date. He recommended waiting for 6.2.5. But likely 6.0.10 comes out before 6.2.5.
By the way, FMG/FAZ 6.2.4 was to just fix vulnerabilities. They wanted to release it ASAP without waiting for bug fixes. Then 6.2.5 came out right after that with bug fixes. It was just coincidental they came out one after another.
My issue was that I upgraded a 200E to 6.2.4, an 80E to 6.2.4 and FAZ to 6.2.5.
6.2.4 has a DoS issue which breaks VIPs.
6.2.X changes SSL inspection with SSH, which broke DUO 2FA for me; the fix was easy (I had to exclude the URL from inspection), but it took a bit to track down.
FAZ 6.2.5 had to have some reliability feature turned off to work with <100E FortiGates.
I also patched about 45 windows servers the same weekend. #neveragain
Does anybody else have VIPs still working fine with 6.2.4? Or tried debugging after it broke to see exactly what's happening? I'm thinking it might be conditional, and if that's the case I want to know the conditions. I upgraded my 50E yesterday and so far it's working fine, including SIP just going over NAT. I've had session helpers/ALGs disabled for a long time, but I don't have any VIPs to field-test with.
No problems with VIP on 60F, 50E and 100D for the moment (60F upgraded yesterday, 50E and 100D a few hours ago).
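As an added troubleshooting example (not from any post in this thread), here are the FortiOS CLI steps for the two checks mentioned above: listing and disabling DoS policies, and tracing a single flow towards a VIP with diag debug flow. The VIP address 203.0.113.10, the port 443 and the policy ID 1 are placeholders.

```text
# 1) Workaround from the thread: find every DoS policy and disable it.
show firewall DoS-policy                 # lists each DoS policy and its status
config firewall DoS-policy
    edit 1                               # placeholder ID; repeat for each policy listed
        set status disable
    next
end

# 2) Trace one flow to the VIP instead of guessing.
diagnose debug flow filter clear
diagnose debug flow filter addr 203.0.113.10   # placeholder: the VIP's external address
diagnose debug flow filter port 443            # placeholder: the mapped service port
diagnose debug flow show function-name enable
diagnose debug flow trace start 100
diagnose debug enable
# Reproduce the connection from outside, then read the trace.
# A working VIP shows the DNAT line followed by the packet being forwarded
# out the internal interface; a session created with nothing after it is
# the symptom described above.
diagnose debug flow trace stop
diagnose debug disable
diagnose debug flow filter clear

# 3) Confirm whether the session exists and what it was translated to.
diagnose sys session filter dst 203.0.113.10
diagnose sys session list
diagnose sys session filter clear
```

Run step 2 during a maintenance window on busy boxes, since the trace is CPU-heavy; the filter keeps the output to the one flow under test.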
Attention!
Had strange problems on a 61E after upgrading to 6.2.4.
Dialup VPN stopped working completely after 8 hours uptime
and some site-to-site VPNs did not pass TCP and ICMP traffic anymore.
Remote traffic entered the tunnel interface but was not passed along.
diag debug flow just stated that a session was generated and that's it... No further packet flow was seen!
Reverted back to 6.2.3.
Hey Fortinet, shame on you: I think now it's about time for a free 1Y FortiGuard subscription for my expired LAB FGT ;)
jkassner wrote: (post quoted in full above)
Thank you for the response. Did you upgrade a cluster FG-61E or a standalone one? I'm thinking about upgrading an HA cluster (A-P) of FG-61E this weekend. There is no SSL VPN there, but a few VPNs are active. The VPNs have to keep working because of business financial reasons.
Hi Visk,
luckily it was a not-so-important standalone box, no cluster.
After 8 hours uptime dialup VPNs stopped working (no response to IKE at all) and some site-to-site VPNs stopped working, not passing TCP and ICMP traffic in the incoming direction. Strangely, UDP traffic was still working fine.
I cannot confirm 100%, but I think at least in my case these were IPsec tunnels with OSPF-propagated routes.
I would stay away from updating to 6.2.4 on production boxes right now.
TheJaeene, thank you for the info. I will try to upgrade some FortiGate models in the next few days. Later I will come back here to give feedback about FortiOS 6.2.4.
Also, did anyone else notice the GUI is slower ("circling" for a while when digging deeper)? It may be because my 50E is not so powerful. But I didn't notice it when it was running 6.0.9. I saw a similar comment on Reddit as well.
First time running into this kind of firmware bug. It caused 10 of our sites to go down at once. We are running 601E and 60E devices. Still trying to chase sporadic VPN and VoIP issues.
Phuoc Ngo wrote: (post quoted in full above)
I'm 100% with you on that. Never had these kinds of severe bugs, not even on a major release upgrade.
Would be interesting to know if the VPN issues are related to SOC3 boxes, since you are also using 60Es.
In my case SIP call setup worked in one direction (party behind the 60E establishes a call) and RTP (UDP) traffic was fine in both directions. The other way around (party behind the 60E was called), the call setup (TCP!) failed and so no RTP connection was established.
Be careful with 6.2.4. Two days ago I upgraded a 60F to 6.2.4; yesterday came the first issue with some VPNs. Yesterday I also upgraded a 100D to 6.2.4, and this morning there was a problem with VPN; in debug I see: 101:Network is unreachable. But the network and other VPN sides are reachable...