Maxim_Vanichkin
New Contributor II

Strange behavior of FG-300D and FortiOS 5.4

Hi!

Guys, I've got some problems with the new firmware. I use an FG-300D with FortiOS 5.4. There is dial-in IPsec configured. Everything worked fine until now. All tunnels are hung. All services are blocked except port forwarding, so I could connect to PuTTY's serial console. There are a lot of messages such as "unregister_netdevice: waiting for IPSec NAT_6 to become free. Usage count = 1".

I can't even execute a reboot. The system just wrote that it is going to reboot, bye-bye, and just continues to post those error messages about netdevice. The FG is situated in the data center, so I am unable to just switch it off and on...

I'm just in a jam... any help is highly appreciated... Thanks!

1 Solution
cpetry
New Contributor III

It's a bug in 5.4.0. I have a long thread about this happening on my 1500Ds that are in HA. You can't use IPSec VPN Dialup right now; use SSL only until they fix the bug in 5.4.1.

Note: Exact same IPSec error messages we were seeing. Escalated to level 3 support, which confirmed the bug.

Edit: Technically it happens anytime you *remove* an interface. When a user disconnects from IPSec VPN Dialup it removes an interface and the bug surfaces. So don't use IPSec VPN Dialup and don't remove interfaces for now (yeah I know...)

Maxim_Vanichkin
New Contributor II

Update. After power recycle everything looks good.

Maxim_Vanichkin
New Contributor II

fuf... problem is back...

Again can't get into the web interface and plenty of warnings:

unregister_netdevice: waiting for IPSec NAT_6 to become free. Usage count = 2
unregister_netdevice: waiting for IPSec NAT_3 to become free. Usage count = 4
unregister_netdevice: waiting for IPSec NAT_1 to become free. Usage count = 18
unregister_netdevice: waiting for IPSec NAT_6 to become free. Usage count = 2
unregister_netdevice: waiting for IPSec NAT_3 to become free. Usage count = 4
unregister_netdevice: waiting for IPSec NAT_1 to become free. Usage count = 18
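
Added example, not part of the original posts: a small Python parser for the console messages quoted above that tallies them per interface and flags interfaces whose usage count repeats without dropping. The `stuck` heuristic and the `IPSec NAT_9` sample messages are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Message format as quoted in the thread. Interface names may contain spaces
# ("IPSec NAT_6"), so the name is everything up to " to become free".
MSG = re.compile(
    r"unregister_netdevice: waiting for (?P<dev>.+?) to become free\. "
    r"Usage count = (?P<count>\d+)"
)

# The first six messages are the ones quoted in the thread, run together on
# one line as a serial console capture often is. The two "IPSec NAT_9"
# messages are constructed: an interface whose references are being released.
SAMPLE = " ".join(
    f"unregister_netdevice: waiting for {dev} to become free. Usage count = {n}"
    for dev, n in [
        ("IPSec NAT_6", 2), ("IPSec NAT_3", 4), ("IPSec NAT_1", 18),
        ("IPSec NAT_6", 2), ("IPSec NAT_3", 4), ("IPSec NAT_1", 18),
        ("IPSec NAT_9", 3), ("IPSec NAT_9", 1),  # constructed
    ]
)

def parse_console(text):
    """Return [(interface, usage_count), ...] in order of appearance.
    Works whether messages are one per line or run together."""
    return [(m["dev"], int(m["count"])) for m in MSG.finditer(text)]

def summarize(text):
    """Per interface: message count, last usage count, and a 'stuck' flag.
    Assumption: an interface is treated as stuck when the warning repeats
    and the usage count has not fallen between first and last message."""
    history = defaultdict(list)
    for dev, count in parse_console(text):
        history[dev].append(count)
    return {
        dev: {
            "messages": len(counts),
            "last_count": counts[-1],
            "stuck": len(counts) > 1 and counts[-1] >= counts[0],
        }
        for dev, counts in history.items()
    }

if __name__ == "__main__":
    for dev, info in sorted(summarize(SAMPLE).items()):
        state = "STUCK" if info["stuck"] else "draining"
        print(f"{dev}: {info['messages']} messages, "
              f"last usage count {info['last_count']} ({state})")
```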

emnoc
Esteemed Contributor III

Open a ticket with TAC or downgrade from FortiOS 5.4.

PCNSE NSE StrongSwan
Maxim_Vanichkin

Ok, guys! I came back to 5.2.5 and all issues are gone. By the way! Didn't do anything with the 5.4 configuration, just formatted the log disk. And all seems to be ok. No more errors, everything is just fine. Be careful with 5.4 and happy new year!

bartman10

You, sir, are a truly daring person loading a brand new release from Fortinet!!

300E x3, 200D, 140D, 94D, 90D x2, 80D, 40C, handful of 60E's.. starting to lose track.

Over 100 WiFi AP's and growing.

FAZ-200D

FAC-VM 2 node cluster

Friends don't let friends FWF!

Maxim_Vanichkin

If not us, then who. If not me and you. Right now, it's time for us to do something. If not now, then when. Will we see an end.)))

qxu_FTNT

Thank you, Maxim. We do need customers' help like what you did; it is very much appreciated.

We also found the same issue just on the day of the GA release. Both Dev and QA worked hard on this, and we thought the root cause was identified since with the dev image this issue did not happen again for around 24 hours. We are still testing internally.

Until it's fixed in the next patch, for now you can try either of the workarounds below:

1. disable npu-offload in IPsec phase1 interface

2. "set auto-asic-offload disable" in policy (for dial-up IPsec)


jmlux
New Contributor III

This is a classic problem for stuff built upon Linux-based networking.

Others have similar problems too (proof: look for "to become free" in the linked page)

