Hey,

as a nice happy new years present one of our customers had a total blackout of a 300D cluster on new years day. only after a couple of days uptime with 5.2.5. This installation was working properly with 5.2.4 - so lets see.

TAC is working on that case - I will update, if there is any thing of interest.

Br

emnoc wrote:

I bet you have SSL inspection enabled. Did you open a ticket for TAC?

 

I haven't opened ticket yet because last two tickets support couldn't resolve, but I will try again with support.

Hello all,

Be careful with 5.2.5.

We face two major issues with it

Application crash (proxyworker process) occurs.

SSL Inspection exclusion (based on domain name or IP) does not work anymore !

Here's the feedback from the support.

I have done some researching and this is a known issue, for the moment no fix, but I would like you to try this workaround and let me know if the unit stabilizes:  config firewall ssl-ssh-profile  edit "SSL-INSPECTION"  config ssl  set inspect-all disable

Regards,

HA 

HA wrote:

Hello all,

 

Be careful with 5.2.5.

We face two major issues with it

Application crash (proxyworker process) occurs.

SSL Inspection exclusion (based on domain name or IP) does not work anymore !

 

Here's the feedback from the support.

I have done some researching and this is a known issue, for the moment no fix, but I would like you to try this workaround and let me know if the unit stabilizes:  config firewall ssl-ssh-profile  edit "SSL-INSPECTION"  config ssl  set inspect-all disable

 

Regards,

 

HA 

I've been trying to establish whether we have a similar issue with SSL Inspection exclusion on our test 60D which has 5.2.5 loaded. Can I ask whether you were able to confirm this in the CLI, as I seem to be able to access our inspection-excluded sites from within the test network without the issues that lead us to exclude them.

I seem to recall that on 5.2.3 you could debug ssl inspection using 

diagnose debug application ssl -1

however if I try to that on 5.2.5 it sets the SSLVPN to debug.

# diagnose debug reset
# diagnose debug application ssl -1
# diagnose debug info
debug output: enable
console timestamp: enable
console no user log message: disable
sslvpn debug level: -1 (0xffffffff)
CLI debug level: 3

We are currently trying to schedule in moving our live 60d from 5.2.3 to 5.2.5 - if SSL Inspection exclusions aren't working then we need to hold fire, so any hints would be really helpful.

Hello,

You can try with the command diag test app sslworker.

By the way, it seems that we face this issue only with Fortigate 100D (3 customers). With 240D, no issue... 

I didn't test the workaround. I just rolled back to 5.2.3...

Regards,

HA

HA wrote:

Hello,

 

You can try with the command diag test app sslworker.

By the way, it seems that we face this issue only with Fortigate 100D (3 customers). With 240D, no issue... 

I didn't test the workaround. I just rolled back to 5.2.3...

 

Regards,

 

HA

Thanks for the response.

I've had no luck with the diag test app sslworker on the 60D but was able to test by removing one of the excluded sites and checking the displayed certificate in the client browser.

Looks like the 60D is unaffected so we should be good to rollout.

Bono wrote:

tony8304 wrote:

Hi All,

about the GUI access issue in 5.2.4, is this still exist in 5.2.5?

 

Thanks 

Tony

If you are talking about System tab which disappears, bug is still here.

AHAHAHAHAHHHHH!!! FIX THIS!!!!!!

Sorry. Just 3K users!!