Hi!
Guys, I got some problems with new firmware. I use fg300d with FO 5,4. There is configured dial-in ipsec. Everything worked fine until now. All tunnels are hung up. All services are blocked except port forwarding so i could connect to putty's serial console. There are a lot of messages such as "unregister_netdevice: waiting for IPSec NAT_6 to become free. Usage count = 1".
I event cant execute reboot. System just wrote that it is going to reboot bye-bye - and just continue to posts that error messages about netdevice. FG is situated in the data center, so i unable just to switch off and on it...
I'm just in a jam... any help is highly appreciated... Thanks!
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
It's a bug in 5.4.0. I have a long thread about this happening on my 1500D's that are in HA. You can't use IPSec VPN Dialup right now; use SSL only. Until they fix the bug in 5.4.1.
Note: Exact same IPSec error messages we were seeing. Escalated to level 3 support which confirmed the bug.
Edit: Technically it happens anytime you *remove* an interface. When a user disconnects from IPSec VPN Dialup it removes an interface and the bug surfaces. So don't use IPSec VPN Dialup and don't remove interfaces for now (yeah I know...)
Hello qxu_FTNT,
thanks for the work around. Must be disable npu-offload only on the dialup IPSEC VPNs or on all IPSEC VPNs ?
Hi Atlantika,
Actually, we found a few places that could cause unregister_netdevice issue and had a fix still in stress testing. For now you could disable npu-offload ONLY on dialup IPsec VPN to see if it resolves your issue.
Thanks,
I am running (in lab) 2x1200D. Because of the inherently non-customer-friendly setup of FortiOS that makes it impossible to change VLAN-ID or even port of a logical interface, I do a backup of the VDOM config, change some settings and restore. In this setup I have 4 IPSEC tunnels terminating on the cluster.
1) When will Fortinet look at how Juniper and Cisco do things, and make life easier for the engineer (i.e: make it possible to change settings without deleting policies, dhcp etc. etc...)
2) When I restored the changed config (port35 -> port25 on a logical interface) it barfed
unregister_netdevice: waiting for SPOKES to become free. Usage count = 4 unregister_netdevice: waiting for SPOKES to become free. Usage count = 4 unregister_netdevice: waiting for SPOKES to become free. Usage count = 4
(...)
and console hangs.
I am running GA version of 5.4.0.
-- Bjørn Tore
It's a bug in 5.4.0. I have a long thread about this happening on my 1500D's that are in HA. You can't use IPSec VPN Dialup right now; use SSL only. Until they fix the bug in 5.4.1.
Note: Exact same IPSec error messages we were seeing. Escalated to level 3 support which confirmed the bug.
Edit: Technically it happens anytime you *remove* an interface. When a user disconnects from IPSec VPN Dialup it removes an interface and the bug surfaces. So don't use IPSec VPN Dialup and don't remove interfaces for now (yeah I know...)
I know this is an old thread, but it looks like others have seen the issue as well (https://forum.fortinet.com/tm.aspx?m=138192).
Does anybody have a bug number for this? Anybody confirmed if it is fixed in 5.4.1?
Thanks.
Any confirm of this resolved in 5.4.2? Sooooo many Resolved and Known issues, couldn't really tell. Besides 11/17 relnotes show two RESOLVED issues getting yanked back into known! Ay!
Hi All
Sorry to bring this one back form the dead...
Does anyone know if this was actually resolved? We have a customer with a 300D HA cluster running 5.4.4 and we're having the same issue. Seems to be dialup IPSEC VPN's causing the issue.
Regards
FCNSA
FCNSP
FCWS
NSE5
NSE7
My issue was corrected in 5.4.1. So I guess you problem is different. All my dialups work perfect... 5.6.0 by the way right now.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1692 | |
1087 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.