Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
pacone
New Contributor

Unstable Gui Access

I have two Fortigate units that I manage. One is a 30D and one a 60D both running the same firmware v5.2.3,build670

 

With both units from time to time I am unable to access the web-gui. The only fix appears to be to restart them.

Whilst I am unable to access the gui, the units are still working and processing traffic outgoing.

I am not able to reproduce this, it just happens when it wants to.

 

On the 60D I am unable to SSH in when this occurs, it will give me an SSH login prompt, however once the username and password are entered it just sits there and does not log me in. It's kind of like the login process works, but is separate to the actual management tool itself which is not functional at the time.

 

On the 60D I am also unable to use FortiExplorer from an iPad using a USB cable to access the unit when this occurs.

 

This has happened at least 3 times, maybe more, the only fix as I said above appears to be to power off the unit and power it back on.

 

I have not tried the SSH or FortiExplorer login's on the 30D unit.

1 Solution
Bernard_Pauwels

IE is a different story than CHROME. But still I see other unstable behaviour if an unsecured certificate is used.

View solution in original post

13 REPLIES 13
Dave_Hall
Honored Contributor

On both units, check the memory usage and check the system log -- if memory usage nears 80% the fgts start to shut down various services (starting with I think virus/web scanning) and some GUI functions.  (There are several posts on this topic -- just use the search link at the top of this page.)  See also KB#11076.

 

 

 

 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
pacone

It implies in the reference material that I read, once the over usage calms down, that the services that have been turned off by conserve mode return by themselves, this does not appear to be the case with the issue I am having. They never seem to return.

 

I am unable to access all types of connectivity to the unit HTTPS, SSH, FortiExplorer etc, not just web gui.

 

The 30D unit would be lucky if it does 300MB per day of traffic, and memory usage seems to stick around the 45-50% mark from what I can see of it.

 

Is there a way I can reliably log memory/cpu usage so I can see if the units are having busy periods that I am not aware of?

fenixryan
New Contributor

I'm experiencing similar issues with accessing web interface, IE 11 brings up log on, I log in but none of the frames populate (and I mean they are all blank. When I use Chrome 44 the frames are displayed ok until I start drilling in and out of various settings, then the frame just comes up with what I can only describe as a page icon in the middle.

 

I was on 5.2.1, but decided to lift upto latest firmware to find it's still producing the same random frame problem.

 

Reboot seems to sort it for a very short time.

 

Device 100D

Flyshuffle

fenixryan wrote:

I'm experiencing similar issues with accessing web interface, IE 11 brings up log on, I log in but none of the frames populate (and I mean they are all blank. When I use Chrome 44 the frames are displayed ok until I start drilling in and out of various settings, then the frame just comes up with what I can only describe as a page icon in the middle.

 

I was on 5.2.1, but decided to lift upto latest firmware to find it's still producing the same random frame problem.

 

Reboot seems to sort it for a very short time.

 

Device 100D

I've had similar experiences on Windows 8.1:

 

IE 11 behaved the exact same way you described on our 300D running 5.2.2, but appears to work for me with 5.2.3

 

Chrome 44 will work for a while, but then I will get the "file icon sad face" in the main frame and have to restart the browser where it will work for a while again. This happens on 5.2.4 and 5.2.3 on our 200D and 300D firewalls. However, I am running AdBlock and a couple of other extensions in Chrome and I haven't gone through and disabled or removed any to see if it is an extension causing the problem. I have added this to an open support case with Forticare.

 

Firefox 39 with no add-ons is working fine across all of our firewalls at the moment.

 

Each time I have not had to do anything different with our firewalls. Simply closing the browser or trying a different browser lets me get on my way. Memory usages is consistently under 60% for all of them, so I don't think that is an issue. 

 

 

Bernard_Pauwels

Hi,

 

   I have a very similar experience. Installed new FortiAnalyzer, started using FortiAP captive portal and upgraded to 5.2.4, all in one week. And then there was the unstable GUI, so badly that it is almost impossible to work with. That page icon is there all the time. Re-loading the page passes me again through the manual acceptance of the untrusted certificate, but gives me the real page, until the next drill down somewhat later.

 

 I noticed it the first time while starting up the captive portal that just by entering any login information, the icon page was on my management GUI (split second) with the next click.

 

 After the upgrade to 5.2.4 it was new to see records in the event log for continous SSL session close and open to the FortiAnalyzer. 

 

 However by changing the certificate to our star-certificate for the domain, and by using the corresponding correct URL to access the management GUI , the problem with the FortiAnalyzer event log is still there , but I can work comfortably with the GUI. (The SSL session reset probably just is now transparant to me.)

 

 

 I entered this issue with Fortinet support as follows:

 

In FG 5.2.3 and in 5.2.4 the management session disconnects very fast (sometimes after a few seconds) when the FortiAP has been enabled with captive portal It looks totally unrelated. The management connections has been tested from different interfaces, but all of them lose connection. The trigger for this is just someone accepting the disclaimer in the captive portal, or someone trying to log in in the captive portal. The disconnect for the management GUI is instantly. Since 5.2.4 there are event-logs in the Fortigate of session loss and connect to the FortiAnalyzer. First it was thought this was the cause, because of the timing is correlated, but it might be that not only the management console gets disconnected, but also at the same time the FortiAnalyzer. If one works with a non-trusted SSL certificate (mostly the case for management connection to the Fortigate) then one has to pass the several steps to advanced mode in the browser accepting the non-matching certificate. Working with a valid certificate might obscure the session disconnect for the manager. Disabled SSL for FortiAnalyzer, but that didn't help. So the FortiAnalyzer was not the cause but also a victim ???

Bernard_Pauwels

It is not related to Chrome per se. The Chrome and other browsers are stable when a valid certificate (correct name mapped for the used URL) is used. That's at least my experience. 

Bernard_Pauwels

IE is a different story than CHROME. But still I see other unstable behaviour if an unsecured certificate is used.

FortiAdam
Contributor II

There seems to be a recent issue with Chrome and self-signed certificates.  https://www.reddit.com/r/fortinet/comments/3fumsz/chrome_certificate_errors_after_gui_login/

 

If you push [ctrl+shift+i] and then watch the console whilst loading the web gui you might see similar results.

rezendecs
New Contributor

Somebody can solve this issues?

 

   After upgrade to 5.2.X, many of my Fortigates have Web Gui issues.

   The Web Gui disconnect suddenly while I'm working and before the idle timeout configuration.

 

Regards,

Claudio Rezende
Claudio Rezende
Labels
Top Kudoed Authors