aguerriero
Contributor III

ZTNA error code 061 after upgrading from 7.2.5 to 7.4.3

I upgraded a firewall from 7.2.5 to 7.4.2 then 7.4.3 following the upgrade path for an 1100E.

Now all users are complaining about randomly getting their sessions dropped. This does not happen on our 7.2.X ZTNA gateways.

diag wad user list shows the user has a valid session; clearing the wad user does not do anything.

Disabling the policy that should be matched then re-enabling it allows the user to reconnect sessions for another random duration.


7 REPLIES
AEK
SuperUser

Which FortiClient version?

AEK
aguerriero
Contributor III

7.2.1.0779

AEK
SuperUser

I'd suggest first updating FortiClient to 7.2.3, since it fixes some ZTNA-related issues.

Ref: https://docs.fortinet.com/document/forticlient/7.2.3/ems-release-notes/429894

If it doesn't help, I'd also suggest completely removing the related policy and creating it again.

AEK
aguerriero
Contributor III

Same issue, different error now. It will work for a while then people get kicked out. Trying to sign back in gives this error. Disabling the rule, deleting the rule, deleting the ztna server...

At some random time later, it will work again.


aguerriero

I don't think this is the FortiClient, since I can go directly to the API gateway in a web browser and the FortiGate says that a real server isn't configured, with a different error 022.

hbac

Hi @aguerriero,

You will need to run wad debug and replicate the issue. You can refer to https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/286458/ztna-troubleshooting-...

WAD debug will give a lot of outputs so I suggest opening a ticket for further assistance.

Regards,

aguerriero

We are going back to 7.2.X. We got stuck in a pinch because 7.2.7 has a known issue for IPsec performance but we had to upgrade because of the CVE released.

We are planning on moving all features that require 7.2 or 7.4, or SSLVPN, to a different hardware vendor.
