I had a conversation with an FTNT SE today about the 6.2.4 problems. The major issues seem to boil down to the three below:
1. DoS policy issue: it's still a known issue with 6.2.4 and not resolved, which is in the release notes.
2. IPS engine keeps crashing. A new engine is planned to be released soon. Then this would be resolved.
3. WAD memory leak issue is still not 100% resolved.
6.2.5 will fix these issues and come out relatively shortly, although he couldn't tell me any target date. He recommended waiting for 6.2.5. But likely 6.0.10 comes out before 6.2.5.
By the way, FMG/FAZ 6.2.4 was just to fix vulnerabilities. They wanted to release it ASAP without waiting for bug fixes. Then 6.2.5 came out right after that with bug fixes. It was just coincidental that they came out one after another.
Does anybody else have VIP still working fine with 6.2.4? Or tried debugging after it broke to see exactly what's happening? I'm thinking it might be conditional, and want to know the conditions if that's the case. I upgraded my 50E yesterday and so far it's working fine, including SIP just going over NAT. I have had session helpers/ALGs disabled for a long time, but I don't have any VIPs to field-test with.
Had strange problems on a 61E after upgrading to 6.2.4.
Dialup VPN stopped working completely after 8 hours uptime,
and some site-to-site VPNs did not pass TCP and ICMP traffic anymore.
Remote traffic entered the tunnel interface but was not passed along.
diag debug flow just stated that a session was generated and that's it... No further packet flow was seen!
Reverted back to 6.2.3.
Hey Fortinet, shame on you: I think now it's about time for a free 1Y FortiGuard subscription for my expired lab FGT ;)
Thank you for the response. Did you upgrade a clustered FG-61E or a standalone one? I am thinking about upgrading an A-P HA cluster of FG-61E this weekend. There is no SSL VPN there, but a few VPNs are active. The VPNs have to work, for business/financial reasons.
Luckily it was a not-so-important standalone box, no cluster.
After 8 hours uptime the dialup VPNs stopped working (no response to IKE at all) and some site-to-site VPNs stopped working, not passing TCP and ICMP traffic in the incoming direction. Strangely, UDP traffic was still working fine.
I cannot confirm it 100%, but I think at least in my case these were IPsec tunnels with OSPF-propagated routes.
I would stay away from updating to 6.2.4 on production boxes right now.
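The two observations in the post above (a debug flow that only shows a session being created, and dial-up peers getting no IKE response at all) can be reproduced on a FortiGate in the 6.2 line with the CLI session below. This is an added example for readers of the thread, not something the poster ran or posted. The addresses, the phase1 name "site-b" and the filter values are placeholders (assumptions); the lines starting with "#" are annotations, not CLI input; and the `log-filter` / `dst-addr4` form of the IKE filter is the 6.x syntax (newer releases use `log filter` / `rem-addr4`).

```fortios
# Added example, not from the thread. Placeholders (assumptions):
#   192.0.2.10      a host behind the remote site that sends TCP through the tunnel
#   198.51.100.20   the remote IKE peer (dial-up client or site-to-site gateway)
#   site-b          the phase1 interface name of the affected tunnel

# 1. Is the tunnel up at all, and does the OSPF neighbor over it still exist?
diagnose vpn ike gateway list name site-b
diagnose vpn tunnel list name site-b
get router info ospf neighbor

# 2. Per-packet flow trace for traffic arriving from the remote side.
#    On a healthy box "allocate a new session" is followed by "find a route"
#    and "Allowed by Policy" lines; the symptom described above is that the
#    trace stops right after the session is allocated.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter saddr 192.0.2.10
diagnose debug flow filter proto 6
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug flow trace start 100
diagnose debug enable
# ... open a TCP connection from 192.0.2.10 through the tunnel, then:
diagnose debug disable
diagnose debug flow trace stop
diagnose debug reset

# 3. IKE negotiation log for a single peer. No output at all while the peer
#    retries means the peer's IKE packets never reach the ike daemon, which
#    matches "no response to IKE at all" rather than a proposal mismatch.
diagnose vpn ike log-filter clear
diagnose vpn ike log-filter dst-addr4 198.51.100.20
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable
# ... wait for the peer to retry phase1, then:
diagnose debug disable
diagnose debug reset

# 4. Cross-check the session table: a session for the same source that is
#    present but never moves past its initial state is the same "created but
#    not forwarded" picture seen in the flow trace.
diagnose sys session filter clear
diagnose sys session filter src 192.0.2.10
diagnose sys session list
```

Run step 2 with UDP (`proto 17`) as well: since UDP kept flowing for the poster, a trace that completes for UDP but stalls for TCP and ICMP from the same source narrows the fault to something after session allocation rather than to the tunnel or routing itself.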
Also, did anyone else notice the GUI is slower ("circling" for a while when digging deeper)? It may be because my 50E is not so powerful. But I didn't notice it when it was running 6.0.9. I saw a similar comment on Reddit as well.
First time running into this kind of firmware bug. It caused 10 of our sites to go down at once. We are running 601E and 60E devices. Still trying to chase sporadic VPN and VoIP issues.
I'm 100% with you on that. Never had these kinds of severe bugs, not even on a major release upgrade.
Would be interesting to know if the VPN issues are related to SOC3 boxes, since you are also using 60Es.
In my case SIP call setup worked in one direction (the party behind the 60E establishes a call) and RTP (UDP) traffic was fine in both directions. The other way around (the party behind the 60E was called), the call setup (TCP!) failed and so no RTP connection was established.
Be careful with 6.2.4. Two days ago I upgraded a 60F to 6.2.4; yesterday the first issue with some VPNs. Yesterday I also upgraded a 100D to 6.2.4, and this morning a problem with VPN; in the debug I see: 101:Network is unreachable. But the network and the other VPN sides are reachable...