aguerriero
Contributor II

ZTNA error code 061 after upgrading from 7.2.5 to 7.4.3

I upgraded a firewall from 7.2.5 to 7.4.2 then 7.4.3 following the upgrade path for an 1100E.

Now all users are complaining about randomly getting their sessions dropped. This does not happen on our 7.2.X ZTNA gateways.

diag wad user list shows the user has a valid session, clearing the wad user does not do anything.

Disabling the policy that should be matched then re-enabling it allows the user to reconnect sessions for another random duration.


AEK
SuperUser

Which FortiClient version?

AEK
aguerriero

7.2.1.0779

AEK
SuperUser

I'd suggest first to update FortiClient to 7.2.3 since it fixes some ZTNA-related issues.

Ref: https://docs.fortinet.com/document/forticlient/7.2.3/ems-release-notes/429894

If it doesn't help, I'd also suggest to completely remove the related policy and to create it again.

AEK
aguerriero

Same issue, different error now. It will work for a while then people get kicked out. Trying to sign back in gives this error. Disabling the rule, deleting the rule, deleting the ztna server...

At some random time later, it will work again.






aguerriero

I don't think this is the FortiClient since I can go directly to the API gateway in a web browser and the FortiGate says that a real server isn't configured with a different error 022.


hbac

Hi @aguerriero,

You will need to run wad debug and replicate the issue. You can refer to https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/286458/ztna-troubleshooting-...

WAD debug will give a lot of output so I suggest opening a ticket for further assistance.

Regards,

aguerriero

We are going back to 7.2.X. We got stuck in a pinch because 7.2.7 has a known issue for IPsec performance but we had to upgrade because of the CVE released.

We are planning on moving all features that require 7.2 or 7.4, or SSLVPN, to a different hardware vendor.
