Strange behavior of FG-300D and FortiOS 5.4
Hi!
Guys, I got some problems with the new firmware. I use an FG300D with FO 5.4. There is dial-in IPsec configured. Everything worked fine until now. All tunnels are hung up. All services are blocked except port forwarding, so I could connect to PuTTY's serial console. There are a lot of messages such as "unregister_netdevice: waiting for IPSec NAT_6 to become free. Usage count = 1".
I even can't execute a reboot. The system just wrote that it is going to reboot, bye-bye, and just continues to post those error messages about netdevice. The FG is situated in the data center, so I am unable to just switch it off and on...
I'm just in a jam... any help is highly appreciated... Thanks!
It's a bug in 5.4.0. I have a long thread about this happening on my 1500D's that are in HA. You can't use IPSec VPN Dialup right now; use SSL only. Until they fix the bug in 5.4.1.
Note: Exact same IPSec error messages we were seeing. Escalated to level 3 support which confirmed the bug.
Edit: Technically it happens anytime you *remove* an interface. When a user disconnects from IPSec VPN Dialup it removes an interface and the bug surfaces. So don't use IPSec VPN Dialup and don't remove interfaces for now (yeah I know...)
Hello qxu_FTNT,
Thanks for the workaround. Must npu-offload be disabled only on the dialup IPSEC VPNs or on all IPSEC VPNs?
Hi Atlantika,
Actually, we found a few places that could cause the unregister_netdevice issue and had a fix still in stress testing. For now you could disable npu-offload ONLY on dialup IPsec VPN to see if it resolves your issue.
Thanks,
I am running (in lab) 2x1200D. Because of the inherently non-customer-friendly setup of FortiOS that makes it impossible to change VLAN-ID or even port of a logical interface, I do a backup of the VDOM config, change some settings and restore. In this setup I have 4 IPSEC tunnels terminating on the cluster.
1) When will Fortinet look at how Juniper and Cisco do things, and make life easier for the engineer (i.e: make it possible to change settings without deleting policies, dhcp etc. etc...)
2) When I restored the changed config (port35 -> port25 on a logical interface) it barfed
unregister_netdevice: waiting for SPOKES to become free. Usage count = 4
unregister_netdevice: waiting for SPOKES to become free. Usage count = 4
unregister_netdevice: waiting for SPOKES to become free. Usage count = 4
(...)
and console hangs.
I am running GA version of 5.4.0.
-- Bjørn Tore
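The console messages quoted in the posts above all share one format, so a captured serial-console log can be checked for interfaces whose teardown never completes. The following is an added example, not part of any post in this thread and not Fortinet code; the function name, the repeat threshold of 3, and the sample log (including the `tun0` device) are assumptions constructed for illustration.

```python
import re

# Message format exactly as quoted in the posts above.
MSG = re.compile(
    r"unregister_netdevice: waiting for (?P<dev>.+?) to become free\. "
    r"Usage count = (?P<count>\d+)"
)

def stuck_interfaces(console_text, min_repeats=3):
    """Return {device: {"repeats": n, "usage_count": last}} for devices whose
    message repeats at least min_repeats times without the count falling."""
    counts = {}
    # finditer over the whole text also handles several messages on one line
    for m in MSG.finditer(console_text):
        counts.setdefault(m.group("dev"), []).append(int(m.group("count")))
    report = {}
    for dev, seq in counts.items():
        # A falling count means references are still being released;
        # a flat or rising count across repeats is the hang described here.
        if len(seq) >= min_repeats and seq[-1] >= seq[0]:
            report[dev] = {"repeats": len(seq), "usage_count": seq[-1]}
    return report

# Constructed sample log (device names SPOKES and "IPSec NAT_6" are taken
# from the posts; tun0 and the login line are made up for the example).
SAMPLE = (
    "unregister_netdevice: waiting for SPOKES to become free. Usage count = 4 "
    "unregister_netdevice: waiting for SPOKES to become free. Usage count = 4\n"
    "unregister_netdevice: waiting for SPOKES to become free. Usage count = 4\n"
    "unregister_netdevice: waiting for IPSec NAT_6 to become free. Usage count = 1\n"
    "unregister_netdevice: waiting for tun0 to become free. Usage count = 3\n"
    "unregister_netdevice: waiting for tun0 to become free. Usage count = 2\n"
    "unregister_netdevice: waiting for tun0 to become free. Usage count = 1\n"
    "login: admin\n"
)

if __name__ == "__main__":
    for dev, info in stuck_interfaces(SAMPLE).items():
        print(f"{dev}: {info['repeats']} repeats, usage count {info['usage_count']}")
```

Lowering `min_repeats` to 1 also reports devices seen only once, such as the single `IPSec NAT_6` line in the sample.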
I know this is an old thread, but it looks like others have seen the issue as well (https://forum.fortinet.com/tm.aspx?m=138192).
Does anybody have a bug number for this? Anybody confirmed if it is fixed in 5.4.1?
Thanks.
Any confirmation of this being resolved in 5.4.2? Sooooo many Resolved and Known issues, couldn't really tell. Besides, the 11/17 relnotes show two RESOLVED issues getting yanked back into known! Ay!
Hi All
Sorry to bring this one back from the dead...
Does anyone know if this was actually resolved? We have a customer with a 300D HA cluster running 5.4.4 and we're having the same issue. Seems to be dialup IPSEC VPNs causing the issue.
Regards
FCNSA
FCNSP
FCWS
NSE5
NSE7
My issue was corrected in 5.4.1. So I guess your problem is different. All my dialups work perfectly... 5.6.0 by the way right now.