Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
aguerriero
Contributor II

ZTNA error code 061 after upgrading from 7.2.5 to 7.4.3

I upgraded a firewall from 7.2.5 to 7.4.2 then 7.4.3 following the upgrade path for an 1100E.

Now all users are complaining about randomly getting their sessions dropped. This does not happen on our 7.2.X ztna gateways. 

diag wad user list shows the user has a valid session, clearing the wad user does not do anything.

Disabling the policy that should be matched then re-enabling it allows the user to reconnect sessions for another random duration.


828_636_1.png

7 REPLIES 7
AEK
SuperUser
SuperUser

Which FortiClient version?

AEK
AEK
aguerriero

7.2.1.0779

AEK
SuperUser
SuperUser

I'd suggest first to update FortiClient to 7.2.3 since it fixes some ZTNA related issues.

Ref: https://docs.fortinet.com/document/forticlient/7.2.3/ems-release-notes/429894

If it doesn't help, I'd also suggest to completely remove the related policy and to create it again.

AEK
AEK
aguerriero

Same issue, different error now. It will work for a while then people get kicked out. Trying to sign back in gives this error. Disabling the rule, deleting the rule, deleting the ztna server...

At some random time later, it will work again.


Capturef.PNG




aguerriero

I don't think this is the forticlient since I can go directly to the API gateway in a web browser and the fortigate says that a real server isn't configured with a different error 022.

Capturefdsadsfda.PNG

hbac

Hi @aguerriero,

 

You will need to run wad debug and replicate the issue. You can refer to https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/286458/ztna-troubleshooting-...

 

WAD debug will give a lot of outputs so I suggest opening a ticket for further assistance. 

 

Regards, 

aguerriero

We are going back to 7.2.X. We got stuck in a pinch because 7.2.7 has a known issue for ipsec performance but we had to ugprade becaues of the CVE released. 

We are planning on moving all features that require 7.2 or 7.4, or SSLVPN, to a different hardware vendor.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors