Running 5.4.4 on 500D logging to FAZ VM running 5.6. Using SSLVPN for remote access with FAC MFA. On Monday I upgraded my FAZ from 5.4.X to 5.6. Really like 5.6, but it appears that the FAZ is now opening and closing SSL connections to upload logs every 10 seconds or so. Way more often than before the upgrade.
Yesterday at 11:41 PST, my FAZ logged the sslvpnd process crashing on the FG500D, followed by CPU util of 99% and then the scanunit process also tanking on the FG. GUI and console were non-responsive so I performed a hard reboot. Upon reboot it was OK for a few minutes but again went to lack of response on console and GUI until I pulled all NICs. Once all interfaces were down, the console started responding.
We have an MSSP's firewall upstream of our FG500 (it sits in transparent mode inline) and I traced the issue to that; at least I thought that was the case. The system has been stable since I removed that device.
Just got off the phone with the MSSP and they are monitoring their device over a backup link and indicate no failed NICs, or connection errors.
So I'm wondering if I experienced some sort of memory leak caused by the realtime SSL connections between the FAZ and FG500D? My FAZ is connected to the FG via a dedicated VLAN/ports, so I'm wondering if I can disable SSL as it isn't really needed in our environment.
Also wondering if anyone else has seen this issue. I attached a log with some of the applicable events caught by the FAZ.
Update to this. Yesterday I configured an LDAP server on our FG500D (at the time 5.4.4, now 5.4.5) to communicate with FSSO so I could audit user activity and apply some AD groups to policy. I enabled STARTTLS and all appeared fine, but the firewall crashed shortly after I configured this. The console was still live so I rebooted, but I was not able to log in to the GUI until I removed all interface cables. After that the GUI came up. I configured LDAP for 389 and it has been stable since. This is the second time that it appears some type of SSL race condition has taken down the system. As mentioned above, the last time was after a FAZ upgrade that enabled the SSL encryption between FG and FAZ. After disabling the "Encrypt Logs" option on the FG, it was fine. Running "dia deb crashlog read" showed that a segmentation fault had occurred earlier in the day: