Is there an ETA as to when 5.4.1 is going to drop? I have a brand new 300D that I am waiting to put into production as soon as 5.4.1 is ready.
by end of next week (April 15)
That amount of clashes is nothing to worry about I'd say. On the LB-vdom I mentioned earlier the log shows 6-digit amounts of clashes. The clash counter is reset at reboot btw, and is not related to the current amount of sessions. It is just an ongoing counter.
To my knowledge, all restarts of applications with restart option 11 (segmentation fault) in FortiOS are seen as a crash. It doesn't have to mean anything bad per se. The OS recycles processes all the time using option 15 (graceful restart). When that doesn't work, it moves on to try to restart with option 11, which will generate a log entry in the syslog. The recycle process continues all the time, buffers need to be cleared etc. etc. However, a constant restarting of the same application can also mean various problems - memory leaks, buffer overflows etc.
I checked your log, but I can't see anything else than the PID and some weird ASCII signs as application name. It does look kinda odd.
Check your logs and keep track of whether the application crash log entries correlate with odd behaviour in the firewall; we're talking sudden reboots, functions and features stopping/not working.
What does "diagnose debug crashlog read" say?
Also, do a "diagnose sys top", a few times during the day. Do you have processes in Z or D state?
Richie
NSE7
80D confirmed bug with 5.4.1: vlan tags do not work correctly. Instructed that the fix requires a format and tftp of the image back on. Have not tried yet.
@borderland: Can you describe the issue you are seeing with 5.4.1 and vlan tags?
tanr wrote:
@borderland: Can you describe the issue you are seeing with 5.4.1 and vlan tags?

Well in short vLANs do not work at all after the update. They have confirmed it a bug and added it to the updated release notes today.
"FG-80D and VLAN Interfaces
Customers with 80D units and VLAN interfaces should not upgrade to 5.4.1. Moreover, in order to restore functionality of the VLAN interfaces, it is not enough to just boot from the original partition as found in QA testing and experienced in the field. It is necessary to format flash and reload the image."
Ouch. Hope they can get a patch out for that.
Hi all
Today new release notes were released addressing the 60D issue. It confirms for me again the following:
--> Do not use a brand new release for FGT until approx patch 4 - 5, especially as long as new features are added in the Whats-New document.
Following was noted in the new release notes:
Model-60 D Boot Issue
The following 60D models have an issue upon upgrading to FortiOS 5.4.1. The second disk (flash) is unformatted
and results in the /var/log/ directory being mounted to an incorrect partition used exclusively for storing the
firmware image and booting.
FG-60D-POE
FG-60D
FWF-60D-POE
FWF-60D
To fix the problem, follow these steps. If you have not upgraded yet, you only need to perform step 6, otherwise
start with step 1.
1. Backup your configuration.
2. Connect to the console port of the FortiGate device.
3. Reboot the system and enter the BIOS menu.
4. Format the boot device.
5. Burn the firmware image to the primary boot device.
6. Once the system finishes rebooting, from the CLI run "execute disk format 16". This will format the second flash disk.
7. Restore your configuration
have fun...
Andrea
Hi there,
I tried to upgrade from 5.2.7 to 5.4.1 -> Didn't work. My mgmt interface wasn't reachable.
Tried first to upgrade to 5.4.0, same problem. Any ideas?
Using a 140D. Here's the part of the interface config. I'm using the mgmt interface as internal.
edit "mgmt"
    set vdom "root"
    set ip 10.0.1.1 255.255.0.0
    set allowaccess ping https ssh fgfm capwap
    set broadcast-forward enable
    set vlanforward enable
    set type physical
    set explicit-web-proxy enable
    set explicit-ftp-proxy enable
    set device-identification enable
    set snmp-index 6
    set secondary-IP enable
    config secondaryip
        edit 2
            set ip 10.0.0.1 255.255.0.0
            set allowaccess ping
        next
    end
next
Hi Matze,
We tried to reproduce the issue with 140D and your config, failed to reproduce. If you still can see the issue, could you please send the config file and "get sys status" to beta@fortinet.com ? Thanks.
So unfortunate that 5.4.1 doesn't appear to be more stable. I have two 500Ds. One testing, one production. We upgraded to 5.4.0 after much testing in March. We are not using Spam filter, HA or VLANs. Traditional firewalling, but we do use almost all scanning services, DPI, DLP, IPS, IDS, AV, VIPs. Was rock solid until about two weeks ago, the firewall randomly dropped to kernel conserve mode (of course right in the middle of a big meeting!!!). Fortinet didn't have an answer and I sent them lots of logs and configs. I'm not sure but it really appears that this happened after AV engine or definition update. I've been using scheduled reboots nightly to mitigate and tested 5.4.1 on our backup device but have not put it under load yet.
Today the problem occurred again:
16:16:14 Performance statistics: average CPU: 0, memory: 33, concurrent sessions: 2568, setup-rate: 29
16:21:14 Performance statistics: average CPU: 69, memory: 81, concurrent sessions: 2227, setup-rate: 29
16:21:21 The system has activated session fail mode, Scan services session failed
16:21:32 Kernel enters conserve mode
Ticket Number: 1787724
Only a hard power reset is able to get things flowing again. Of course it then complains that it wasn't shutdown properly and wants to do a disc check. SNMP monitor shows CPU and mem spike to >70% which halts system. Sessions are staying constant at <4K at peak, 1.8K minimum.
I'd like to turn on SYSLOG or see if I can increase what is being logged to the FAZ we use but not finding easily the right info on how to do that. I can find the CLI with all of the commands but info on how to configure filters is limited.
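An added example, not part of the original post and not Fortinet tooling: a small Python triage script that reads event lines in the shape quoted in the post above, flags a sharp memory rise between consecutive "Performance statistics" samples, and lists the fail-mode or conserve-mode events that follow it. The `min_jump` and `window` values are illustrative assumptions, not FortiOS thresholds.

```python
import re
from datetime import datetime, timedelta

# Log lines as quoted in the post above (time-of-day only, no date).
SAMPLE = """\
16:16:14 Performance statistics: average CPU: 0, memory: 33, concurrent sessions: 2568, setup-rate: 29
16:21:14 Performance statistics: average CPU: 69, memory: 81, concurrent sessions: 2227, setup-rate: 29
16:21:21 The system has activated session fail mode, Scan services session failed
16:21:32 Kernel enters conserve mode
"""

STAT = re.compile(r"^(\d\d:\d\d:\d\d) Performance statistics: average CPU: (\d+), "
                  r"memory: (\d+), concurrent sessions: (\d+), setup-rate: (\d+)$")
EVENT = re.compile(r"^(\d\d:\d\d:\d\d) (.*(?:conserve mode|session fail mode).*)$")

def parse(text):
    """Split lines into periodic statistics samples and fail/conserve events."""
    stats, events = [], []
    for line in text.splitlines():
        line = line.strip()
        if m := STAT.match(line):
            cpu, mem, sess, rate = map(int, m.groups()[1:])
            stats.append({"t": datetime.strptime(m.group(1), "%H:%M:%S"),
                          "cpu": cpu, "mem": mem, "sessions": sess, "rate": rate})
        elif m := EVENT.match(line):
            events.append((datetime.strptime(m.group(1), "%H:%M:%S"), m.group(2)))
    return stats, events

def correlate(text, min_jump=30, window=timedelta(minutes=5)):
    """Report memory jumps of >= min_jump points and the events that follow
    within `window`. Assumes one day of logs (no midnight wrap handling)."""
    stats, events = parse(text)
    findings = []
    for prev, cur in zip(stats, stats[1:]):
        delta = cur["mem"] - prev["mem"]
        if delta < min_jump:
            continue
        followed = [msg for t, msg in events if cur["t"] <= t <= cur["t"] + window]
        findings.append({
            "at": cur["t"].strftime("%H:%M:%S"),
            "mem_delta": delta,
            # A falling or flat session count alongside a memory jump means
            # the rise is not explained by connection load alone.
            "sessions_delta": cur["sessions"] - prev["sessions"],
            "followed_by": followed,
        })
    return findings

if __name__ == "__main__":
    for f in correlate(SAMPLE):
        print(f)
```

Run against a longer export of the same event log, the timestamps of each finding can be lined up with scheduled update or scan activity on the unit.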
My 1000c has extreme problems with FortiOS 5.4.1, the SSL scan engine is very unstable. All SSL connections on policies with SSL inspection stop working after one hour, I need a full reboot to work again for one hour.
The support says the IPS engine is the problem, ok the IPS engine crashes permanently, but that is not the worst problem ;)
Did you try to restart some services like:
diag test application sslacceptor 99
diag test application sslworker 99
2 FGT 100D + FTK200
3 FGT 60E FAZ VM some FAP 210B/221C/223C/321C/421E