Hi!
Guys, I got some problems with new firmware. I use fg300d with FO 5,4. There is configured dial-in ipsec. Everything worked fine until now. All tunnels are hung up. All services are blocked except port forwarding so i could connect to putty's serial console. There are a lot of messages such as "unregister_netdevice: waiting for IPSec NAT_6 to become free. Usage count = 1".
I event cant execute reboot. System just wrote that it is going to reboot bye-bye - and just continue to posts that error messages about netdevice. FG is situated in the data center, so i unable just to switch off and on it...
I'm just in a jam... any help is highly appreciated... Thanks!
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
It's a bug in 5.4.0. I have a long thread about this happening on my 1500D's that are in HA. You can't use IPSec VPN Dialup right now; use SSL only. Until they fix the bug in 5.4.1.
Note: Exact same IPSec error messages we were seeing. Escalated to level 3 support which confirmed the bug.
Edit: Technically it happens anytime you *remove* an interface. When a user disconnects from IPSec VPN Dialup it removes an interface and the bug surfaces. So don't use IPSec VPN Dialup and don't remove interfaces for now (yeah I know...)
Update. After power recycle everithing looks good.
fuf... problem is back...
again cant get into web interface and planty off warnings:
unregister_netdevice: waiting for IPSec NAT_6 to become free. Usage count = 2 unregister_netdevice: waiting for IPSec NAT_3 to become free. Usage count = 4 unregister_netdevice: waiting for IPSec NAT_1 to become free. Usage count = 18 unregister_netdevice: waiting for IPSec NAT_6 to become free. Usage count = 2 unregister_netdevice: waiting for IPSec NAT_3 to become free. Usage count = 4 unregister_netdevice: waiting for IPSec NAT_1 to become free. Usage count = 18
Open a ticket with TAC or downgrade from off FortiOS 5.4.
PCNSE
NSE
StrongSwan
Ok, guys! I came back to 5.2.5 and all issues are gone. By the way! Didnt do anything with 5.4 configuration, just formatted log disk. And all seems to be ok. No more errors, everything is just fine. Be carefull with 5.4 and happy new year!
You sir are a truly daring person loading a brand new release from FortiNet!!
300E x3, 200D, 140D, 94D, 90D x2, 80D, 40C, handful of 60E's.. starting to loose track.
Over 100 WiFi AP's and growing.
FAZ-200D
FAC-VM 2 node cluster
Friends don't let friends FWF!
If not us, then who. If not me and you. Right now, it's time for us to do something. If not now, then when. Will we see an end.)))
Thank you Maxim. We do need customer's help like what you did, very appreciate.
We also found the same issue just on the day of GA release. Both Dev and QA worked hard on this and we thought the root cause was identified since with dev image this issue was not happened again for around 24 hours. We are still testing internally.
Before it's fixed in next patch, for now you can try work around in either of below:
1. disable npu-offload in IPsec phase1 interface
2. "set auto-asic-offload disable" in policy (for dial-up IPsec)
This is a classical problem for stuff built upon linux-based networking.
Others have similar problems too (proof: look for "to become free" in the linked page)
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1705 | |
1093 | |
752 | |
446 | |
230 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.