Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Maxim_Vanichkin
New Contributor II

Strange behavior of FG-300D and FortiOs 5.4

Hi!

 

Guys, I got some problems with new firmware. I use fg300d with FO 5,4. There is configured dial-in ipsec. Everything worked fine until now. All tunnels are hung up. All services are blocked except port forwarding so i could connect to putty's serial console. There are a lot of messages such as "unregister_netdevice: waiting for IPSec NAT_6 to become free. Usage count = 1". 

 

I event cant execute reboot. System just wrote that it is going to reboot bye-bye - and just continue to posts that error messages about netdevice. FG is situated in the data center, so i unable just to switch off and on it... 

 

I'm just in a jam... any help is highly appreciated... Thanks!

 

1 Solution
cpetry
New Contributor III

It's a bug in 5.4.0.  I have a long thread about this happening on my 1500D's that are in HA.  You can't use IPSec VPN Dialup right now; use SSL only.  Until they fix the bug in 5.4.1.

 

Note: Exact same IPSec error messages we were seeing.  Escalated to level 3 support which confirmed the bug.

 

Edit: Technically it happens anytime you *remove* an interface.  When a user disconnects from IPSec VPN Dialup it removes an interface and the bug surfaces.  So don't use IPSec VPN Dialup and don't remove interfaces for now (yeah I know...)

View solution in original post

17 REPLIES 17
atlantika

Hello qxu_FTNT,

 

thanks for the work around. Must be disable npu-offload only on the dialup IPSEC VPNs or on all IPSEC VPNs ?

 

 

qxu_FTNT

Hi Atlantika,

 

Actually, we found a few places that could cause unregister_netdevice issue and had a fix still in stress testing. For now you could disable npu-offload ONLY on dialup IPsec VPN to see if it resolves your issue.

 

Thanks,

btp

I am running (in lab) 2x1200D. Because of the inherently non-customer-friendly setup of FortiOS that makes it impossible to change VLAN-ID or even port of a logical interface, I do a backup of the VDOM config, change some settings and restore. In this setup I have 4 IPSEC tunnels terminating on the cluster.

 

1) When will Fortinet look at how Juniper and Cisco do things, and make life easier for the engineer (i.e: make it possible to change settings without deleting policies, dhcp etc. etc...)

2) When I restored the changed config (port35 -> port25 on a logical interface) it barfed

 

unregister_netdevice: waiting for SPOKES to become free. Usage count = 4 unregister_netdevice: waiting for SPOKES to become free. Usage count = 4 unregister_netdevice: waiting for SPOKES to become free. Usage count = 4

(...)

and console hangs.

 

I am running GA version of 5.4.0.

-- Bjørn Tore

-- Bjørn Tore
cpetry
New Contributor III

It's a bug in 5.4.0.  I have a long thread about this happening on my 1500D's that are in HA.  You can't use IPSec VPN Dialup right now; use SSL only.  Until they fix the bug in 5.4.1.

 

Note: Exact same IPSec error messages we were seeing.  Escalated to level 3 support which confirmed the bug.

 

Edit: Technically it happens anytime you *remove* an interface.  When a user disconnects from IPSec VPN Dialup it removes an interface and the bug surfaces.  So don't use IPSec VPN Dialup and don't remove interfaces for now (yeah I know...)

tanr
Valued Contributor II

I know this is an old thread, but it looks like others have seen the issue as well (https://forum.fortinet.com/tm.aspx?m=138192).

 

Does anybody have a bug number for this?  Anybody confirmed if it is fixed in 5.4.1?

 

Thanks.

ecsupport
New Contributor

Any confirm of this resolved in 5.4.2? Sooooo many Resolved and Known issues, couldn't really tell. Besides 11/17 relnotes show two RESOLVED issues getting yanked back into known! Ay!

xkalib3r
New Contributor III

Hi All

 

Sorry to bring this one back form the dead...

 

Does anyone know if this was actually resolved? We have a customer with a 300D HA cluster running 5.4.4 and we're having the same issue. Seems to be dialup IPSEC VPN's causing the issue.

 

 

Regards

FCNSA

FCNSP

FCWS

NSE5

NSE7

FCNSA FCNSP FCWS NSE5 NSE7
Maxim_Vanichkin

My issue was corrected in 5.4.1. So I guess you problem is different. All my dialups work perfect... 5.6.0 by the way right now.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors