Strange behavior of FG-300D and FortiOs 5.4
Hi!
Guys, I got some problems with the new firmware. I use an FG-300D with FortiOS 5.4. There is a configured dial-in IPsec. Everything worked fine until now. All tunnels are hung up. All services are blocked except port forwarding, so I could connect to PuTTY's serial console. There are a lot of messages such as "unregister_netdevice: waiting for IPSec NAT_6 to become free. Usage count = 1".
I even can't execute reboot. The system just wrote that it is going to reboot, bye-bye, and then just continues to post those error messages about netdevice. The FG is situated in the data center, so I am unable to just switch it off and on...
I'm just in a jam... any help is highly appreciated... Thanks!
Labels: 5.4
It's a bug in 5.4.0. I have a long thread about this happening on my 1500Ds that are in HA. You can't use IPsec VPN dialup right now; use SSL only, until they fix the bug in 5.4.1.
Note: Exact same IPSec error messages we were seeing. Escalated to level 3 support which confirmed the bug.
Edit: Technically it happens anytime you *remove* an interface. When a user disconnects from IPSec VPN Dialup it removes an interface and the bug surfaces. So don't use IPSec VPN Dialup and don't remove interfaces for now (yeah I know...)
Update. After a power cycle everything looks good.
Fuf... the problem is back...
Again I can't get into the web interface, and plenty of warnings:
unregister_netdevice: waiting for IPSec NAT_6 to become free. Usage count = 2
unregister_netdevice: waiting for IPSec NAT_3 to become free. Usage count = 4
unregister_netdevice: waiting for IPSec NAT_1 to become free. Usage count = 18
unregister_netdevice: waiting for IPSec NAT_6 to become free. Usage count = 2
unregister_netdevice: waiting for IPSec NAT_3 to become free. Usage count = 4
unregister_netdevice: waiting for IPSec NAT_1 to become free. Usage count = 18
Open a ticket with TAC or downgrade off FortiOS 5.4.
PCNSE
NSE
StrongSwan
OK, guys! I went back to 5.2.5 and all issues are gone. By the way, I didn't do anything with the 5.4 configuration, I just formatted the log disk. And all seems to be OK. No more errors, everything is just fine. Be careful with 5.4, and happy new year!
You sir are a truly daring person, loading a brand new release from Fortinet!!
300E x3, 200D, 140D, 94D, 90D x2, 80D, 40C, a handful of 60Es... starting to lose track.
Over 100 WiFi AP's and growing.
FAZ-200D
FAC-VM 2 node cluster
Friends don't let friends FWF!
If not us, then who. If not me and you. Right now, it's time for us to do something. If not now, then when. Will we see an end.)))
Thank you Maxim. We do need customers' help like what you did; very much appreciated.
We also found the same issue on the day of the GA release. Both Dev and QA worked hard on this, and we thought the root cause was identified, since with the dev image this issue did not happen again for around 24 hours. We are still testing internally.
Before it's fixed in the next patch, for now you can try a workaround, either of the below:
1. disable npu-offload on the IPsec phase1-interface
2. "set auto-asic-offload disable" in the policy (for dial-up IPsec)
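The two workarounds above, written out as FortiOS CLI. This is an added example, not configuration from the original post or from Fortinet; the phase1-interface name "dialup-vpn" and the firewall policy ID 10 are assumed placeholders for the reader's own dial-up tunnel and the policy that permits its traffic.

```fortios
# Workaround 1: keep this dial-up tunnel off the NPU so its SAs are
# handled by the CPU path instead of the hardware offload path.
# "dialup-vpn" is an assumed placeholder; substitute the real phase1-interface name.
config vpn ipsec phase1-interface
    edit "dialup-vpn"
        set npu-offload disable
    next
end

# Workaround 2: disable ASIC offload on the policy that carries the
# dial-up IPsec traffic (the one whose srcintf or dstintf is the tunnel).
# Policy ID 10 is an assumed placeholder; look up the real ID with "show firewall policy".
config firewall policy
    edit 10
        set auto-asic-offload disable
    next
end
```

Afterwards, `show vpn ipsec phase1-interface dialup-vpn` confirms the setting was saved, and `diagnose vpn tunnel list` shows each SA's npu_flag so you can see that new dial-up sessions are no longer offloaded. Both settings push IPsec crypto and forwarding onto the CPU, so expect lower tunnel throughput and higher load while they are in place; they only sidestep the interface-teardown path that triggers the netdevice messages and are not a fix for the 5.4.0 bug itself.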
This is a classic problem for stuff built upon Linux-based networking.
Others have similar problems too (proof: look for "to become free" in the linked page).