FortiOS 5.6.4 is out.

Toshi Esumi
Re: FortiOS 5.6.4 is out. 2018/05/05 22:12:29 (permalink)
0
I tried it with a 60D, forgetting that our office 60D policies use a zone that includes a physical interface (non-tagged) and multiple VLAN subinterfaces (tagged), after reading through the release notes and noticing the caution "all members of the zone would be dropped". Sure enough, it did.
After a TT with TAC and some tests of my own with another test 60D, I decided to go back to 5.4.8 for the office 60D, because the only way to restore the zone (original set of policies) with all members is to remove all VLANs on the physical interface and put the phy interface as the sole member of the zone first. Then you can recreate all the VLANs I removed and put them in the zone. Not only DHCP servers but also some other widgets monitoring usage need to be removed before I can remove the VLANs. In the middle of trying this process I gave up and decided to wait for the next release, 5.6.5. TAC gave me the bug ID but it's not in the "known issues" list in the release notes.
#21
FGTuser
Re: FortiOS 5.6.4 is out. 2018/05/07 06:33:52 (permalink)
0
Kenundrum
tanr
Did support that said to wait for 5.6.5 give an estimate of when it would be available?

I opened a ticket regarding a different issue listed on the release notes and got the same response about waiting for 5.6.5. When I pressed further, the response I got was that 5.6.5 has no release date estimate.

At the standard release schedule, 5.6.5 can take 4-6 months. It would be nice to know if FTNT will release 5.6.5 earlier due to this bug.
Also some bug details would be helpful...
#22
Frosty
Re: FortiOS 5.6.4 is out. 2018/05/13 18:13:56 (permalink)
0
Disappointed to hear about the SSL VPN issues with FortiClient.  We rely on that, so cannot upgrade.  We'll be staying on v5.6.2 until further notice, as it has been very stable for our environment.
#23
Adrian Lewis
Re: FortiOS 5.6.4 is out. 2018/05/15 04:50:22 (permalink)
0
Anyone know any more about this SSL-VPN issue that's been discussed? I see nothing in the release notes (that have been updated a few times since release) and can't find anything in the bug tracker on the support portal. Has anyone managed to get a bug ID from Fortinet on this?
#24
romanr
Re: FortiOS 5.6.4 is out. 2018/05/15 04:54:44 (permalink)
0
Hi,
 
I was able to have a look into Bruno's ticket. And even though Bruno has troubles there, there is no confirmed bug about it and support did NOT mention that it will be fixed in 5.6.5... The support process was not even brought to a qualified end by mid last week...
 
We were not able to reproduce any trouble, but this was only on E series models...
 
Br,
Roman
 
 
#25
Bruno Pereira
Re: FortiOS 5.6.4 is out. 2018/05/15 09:46:19 (permalink)
0
Hello,

I opened a ticket for this VPN SSL bug.
Keep in mind that my model is a 600D; I do not know if others are affected.
Support has been able to capture the crash, and next it will be routed to development.
I will inform you of any news.
#26
kurtli_FTNT
Re: FortiOS 5.6.4 is out. 2018/05/15 11:59:47 (permalink)
0
Hi Bruno,
I am not able to reproduce your issue on "FortiGate-600D v5.6.4,build1575,180425 (GA)", tunnel mode with FCT 5.4.2 0860 on Win10. So, is there any particular configuration you have, and how did you trigger this issue?
 
 
Thanks.
#27
Bruno Pereira
Re: FortiOS 5.6.4 is out. 2018/05/15 13:52:44 (permalink)
0
Hello!
 
My conf:
 
config vpn ssl settings
    set reqclientcert disable
    set tlsv1-0 disable
    set tlsv1-1 disable
    set tlsv1-2 enable
    unset banned-cipher
    set ssl-big-buffer disable
    set ssl-insert-empty-fragment enable
    set https-redirect enable
    set ssl-client-renegotiation disable
    set force-two-factor-auth disable
    set servercert xxxx
    set algorithm high
    set idle-timeout 900
    set auth-timeout 28800
    set login-attempt-limit 2
    set login-block-time 60
    set login-timeout 30
    set dtls-hello-timeout 60
    set tunnel-ip-pools "VPN_SSL_Test" and others
    set dns-suffix xxxx
    set dns-server1 xxxx
    set dns-server2 xxxx
    set wins-server1 0.0.0.0
    set wins-server2 0.0.0.0
    set ipv6-dns-server1 ::
    set ipv6-dns-server2 ::
    set ipv6-wins-server1 ::
    set ipv6-wins-server2 ::
    set route-source-interface enable
    set url-obscuration disable
    set http-compression disable
    set http-only-cookie enable
    set port 443
    set port-precedence enable
    set auto-tunnel-static-route enable
    set header-x-forwarded-for add
    set source-interface xxxx
    set source-address xxx
    set source-address-negate disable
    set source-address6-negate disable
    set default-portal "WEB"
    config authentication-rule
        edit xxx
            set groups "VPN_Test"
            set portal "VPN_Test"
            set realm ''
            set client-cert disable
            set cipher high
            set auth any
        next
    end
    set dtls-tunnel enable
    set check-referer enable
    set http-request-header-timeout 20
    set http-request-body-timeout 30
end
 
#28
kurtli_FTNT
Re: FortiOS 5.6.4 is out. 2018/05/15 14:42:35 (permalink)
0
Sorry, I copied your setting but still not able to reproduce, I guess it's related to other configurations. Below is my ssl vpn setting. I tested with ping/telnet/http/https in tunnel mode, no crash was observed. 
 
Regards
===
config vpn ssl settings
set reqclientcert disable
set tlsv1-0 disable
set tlsv1-1 disable
set tlsv1-2 enable
unset banned-cipher
set ssl-big-buffer disable
set ssl-insert-empty-fragment enable
set https-redirect enable
set ssl-client-renegotiation disable
set force-two-factor-auth disable
set servercert "Fortinet_Factory"
set algorithm high
set idle-timeout 900
set auth-timeout 28800
set login-attempt-limit 2
set login-block-time 60
set login-timeout 30
set dtls-hello-timeout 60
set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
set dns-suffix ''
set dns-server1 172.16.95.16
set dns-server2 8.8.8.8
set wins-server1 0.0.0.0
set wins-server2 0.0.0.0
set ipv6-dns-server1 ::
set ipv6-dns-server2 ::
set ipv6-wins-server1 ::
set ipv6-wins-server2 ::
set route-source-interface enable
set url-obscuration disable
set http-compression disable
set http-only-cookie enable
set port 10443
set port-precedence enable
set auto-tunnel-static-route enable
set header-x-forwarded-for add
set source-interface "port9"
set source-address "all"
set source-address-negate disable
set source-address6 "all"
set source-address6-negate disable
set default-portal "web-access"
config authentication-rule
edit 1
set groups "kg"
set portal "full-access"
set realm ''
set client-cert disable
set cipher high
set auth any
next
end
set dtls-tunnel enable
set check-referer enable
set http-request-header-timeout 20
set http-request-body-timeout 30
end
===
#29
Bruno Pereira
Re: FortiOS 5.6.4 is out. 2018/05/15 14:53:26 (permalink)
0
Thanks for your help!
 
According to the image, falls occur at random times:
ps: I have on average 50 to 86 users connected daily.
What other configuration could interfere with SSL VPN?
 
 
post edited by Bruno Pereira - 2018/05/15 14:56:51

Attached Image(s)

#30
kurtli_FTNT
Re: FortiOS 5.6.4 is out. 2018/05/15 15:18:50 (permalink)
0
Anything in portal setting? And did you enable host-check-software?
 
#31
Bruno Pereira
Re: FortiOS 5.6.4 is out. 2018/05/15 15:26:24 (permalink)
0
No.
My portal:
 
        set tunnel-mode enable
        set ipv6-tunnel-mode disable
        set web-mode enable
        set host-check none
        set limit-user-logins enable
        set mac-addr-check disable
        set os-check disable
        set forticlient-download enable
        set ip-mode range
        set auto-connect disable
        set keep-alive disable
        set save-password disable
        set ip-pools "x"
        set split-tunneling enable
        set split-tunneling-routing-address "x" "x" "x"
        set dns-server1 0.0.0.0
        set dns-server2 0.0.0.0
        set dns-suffix "x"
        set wins-server1 0.0.0.0
        set wins-server2 0.0.0.0
        set display-bookmark enable
        set user-bookmark disable
        set user-group-bookmark enable
        config bookmark-group
        set display-connection-tools enable
        set display-history disable
        set display-status enable
        set heading "xq"
        set redir-url ''
        set theme blue
        set custom-lang ''
        set smb-ntlmv1-auth disable
        set forticlient-download-method direct
        set customize-forticlient-download-url disable
#32
kurtli_FTNT
Re: FortiOS 5.6.4 is out. 2018/05/15 17:53:27 (permalink)
0
Have tried, but still no luck. As you mentioned it occurred occasionally, I will do more testing. Thanks.
 
#33
Bruno Pereira
Re: FortiOS 5.6.4 is out. 2018/05/16 04:12:17 (permalink)
0
kurtli_FTNT
Have tried, but still no luck. As you mentioned it occurred occasionally, I will do more testing. Thanks.

Hello,
Can you test web mode also?
#34
AtiT
Re: FortiOS 5.6.4 is out. 2018/05/16 06:34:59 (permalink)
0
Hello,
We are experiencing the SSLVPN  signal 11 segmentation fault on FortiGate 600D version 5.6.2 also:
3273: 2018-03-23 12:11:09 <00237> firmware FortiGate-600D v5.6.2,build1486b1486,170816 (GA) (Release)
3274: 2018-03-23 12:11:09 <00237> application sslvpnd
3275: 2018-03-23 12:11:09 <00237> *** signal 11 (Segmentation fault) received ***
3276: 2018-03-23 12:11:09 <00237> Register dump:
3277: 2018-03-23 12:11:09 <00237> RAX: 0000000000000044 RBX: 00007fd639a00018
3278: 2018-03-23 12:11:09 <00237> RCX: 000000000000342d RDX: 00007fd639810100
3279: 2018-03-23 12:11:09 <00237> R8: 00007fd639bfe000 R9: 00007fffb764d710
3280: 2018-03-23 12:11:09 <00237> R10: 0000000000000000 R11: 0000000000000017
3281: 2018-03-23 12:11:09 <00237> R12: 00007fd63980f000 R13: 00007fd63980f698
3282: 2018-03-23 12:11:09 <00237> R14: 00007fd639813ca8 R15: 0000000000000002
3283: 2018-03-23 12:11:09 <00237> RSI: 00007fd639a00018 RDI: 00007fd639810058
3284: 2018-03-23 12:11:09 <00237> RBP: 00007fffb764d8b0 RSP: 00007fffb764d888
3285: 2018-03-23 12:11:09 <00237> RIP: 0000000000000000 EFLAGS: 0000000000010206
3286: 2018-03-23 12:11:09 <00237> CS: 0033 FS: 0000 GS: 0000
3287: 2018-03-23 12:11:09 <00237> Trap: 000000000000000e Error: 0000000000000014
3288: 2018-03-23 12:11:09 <00237> OldMask: 0000000000000000
3289: 2018-03-23 12:11:09 <00237> CR2: 0000000000000000
3290: 2018-03-23 12:11:09 <00237> Backtrace:
3291: 2018-03-23 12:11:09 <00237> [0x00000000]
3292: 2018-03-23 12:11:09 <00237> [0x012864df] => /bin/sslvpnd
3293: 2018-03-23 12:11:09 <00237> [0x012e5f44] => /bin/sslvpnd
3294: 2018-03-23 12:11:09 <00237> [0x012e643b] => /bin/sslvpnd
3295: 2018-03-23 12:11:09 <00237> [0x012e73ef] => /bin/sslvpnd
3296: 2018-03-23 12:11:09 <00237> [0x012e849d] => /bin/sslvpnd
3297: 2018-03-23 12:11:09 <00237> [0x012e872b] => /bin/sslvpnd
3298: 2018-03-23 12:11:09 <00237> [0x012e8c72] => /bin/sslvpnd
3299: 2018-03-23 12:11:09 <00237> [0x0042a4e0] => /bin/sslvpnd
3300: 2018-03-23 12:11:09 <00237> [0x00430bc4] => /bin/sslvpnd
3301: 2018-03-23 12:11:09 <00237> [0x0042e11c] => /bin/sslvpnd
3302: 2018-03-23 12:11:09 <00237> [0x0042fe31] => /bin/sslvpnd
3303: 2018-03-23 12:11:09 <00237> [0x00430771] => /bin/sslvpnd
3304: 2018-03-23 12:11:09 <00237> [0x7fd63dbea475] => /fortidev4-x86_64/lib/libc.so.6
3305: 2018-03-23 12:11:09 (__libc_start_main+0x000000f5) liboffset 00021475
Crash log interval is 3600 seconds
sslvpnd crashed 3 times. The lastest crash was at 2018-03-23 13:11:09
 
 
It seems that the problem is present on FortiGate 500E version 5.6.3 also:
 
292: 2018-04-24 09:20:00 sslvpnd crashed 7 times. The last crash was at 2018-04-24 08:20:00
293: 2018-04-24 09:20:00 <18332> firmware FortiGate-500E v5.6.3,build1547b1547,171204 (GA) (Release)
294: 2018-04-24 09:20:00 <18332> application sslvpnd
295: 2018-04-24 09:20:00 <18332> *** signal 11 (Segmentation fault) received ***
296: 2018-04-24 09:20:00 <18332> Register dump:
297: 2018-04-24 09:20:00 <18332> RAX: 0000000000000044 RBX: 00007fb478d6d018
298: 2018-04-24 09:20:00 <18332> RCX: 0000000000003485 RDX: 00007fb478d57500
299: 2018-04-24 09:20:00 <18332> R8: 00007fb478068000 R9: 00007fff13584520
300: 2018-04-24 09:20:00 <18332> R10: 0000000000000000 R11: 0000000000000016
301: 2018-04-24 09:20:00 <18332> R12: 00007fb478d56400 R13: 00007fb478d56a98
302: 2018-04-24 09:20:00 <18332> R14: 00007fb478d5bca8 R15: 0000000000000002
303: 2018-04-24 09:20:00 <18332> RSI: 00007fb478d6d018 RDI: 00007fb478d57458
304: 2018-04-24 09:20:00 <18332> RBP: 00007fff135846c0 RSP: 00007fff13584698
305: 2018-04-24 09:20:00 <18332> RIP: 0000000000000000 EFLAGS: 0000000000010206
306: 2018-04-24 09:20:00 <18332> CS: 0033 FS: 0000 GS: 0000
307: 2018-04-24 09:20:00 <18332> Trap: 000000000000000e Error: 0000000000000014
308: 2018-04-24 09:20:00 <18332> OldMask: 0000000000000000
309: 2018-04-24 09:20:00 <18332> CR2: 0000000000000000
310: 2018-04-24 09:20:00 <18332> Backtrace:
311: 2018-04-24 09:20:00 <18332> [0x00000000]
312: 2018-04-24 09:20:00 <18332> [0x0120b84f] => /bin/sslvpnd
313: 2018-04-24 09:20:00 <18332> [0x0126c274] => /bin/sslvpnd
314: 2018-04-24 09:20:00 <18332> [0x0126c76b] => /bin/sslvpnd
315: 2018-04-24 09:20:00 <18332> [0x0126d70f] => /bin/sslvpnd
316: 2018-04-24 09:20:00 <18332> [0x0126e7bd] => /bin/sslvpnd
317: 2018-04-24 09:20:00 <18332> [0x0126ea4b] => /bin/sslvpnd
318: 2018-04-24 09:20:00 <18332> [0x0126f684] => /bin/sslvpnd
319: 2018-04-24 09:20:00 <18332> [0x0042af20] => /bin/sslvpnd
320: 2018-04-24 09:20:00 <18332> [0x00431654] => /bin/sslvpnd
321: 2018-04-24 09:20:00 <18332> [0x0042eb5c] => /bin/sslvpnd
322: 2018-04-24 09:20:00 <18332> [0x00430851] => /bin/sslvpnd
323: 2018-04-24 09:20:00 <18332> [0x004311f9] => /bin/sslvpnd
324: 2018-04-24 09:20:00 <18332> [0x7fb47d5e6475] => /fortidev4-x86_64/lib/libc.so.6
325: 2018-04-24 09:20:00 (__libc_start_main+0x000000f5) liboffset 00021475
 

AtiT
--------------------
NSE 8, CCNP R+S
#35
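As an added example (not from the thread or from Fortinet), the crash-log format quoted in the post above can be parsed and its page-fault fields decoded: Trap 0x0e with error-code bit 4 set and RIP and CR2 both zero is an instruction fetch from address 0. The function names and the reading of the `<...>` tag as a per-crash identifier are assumptions.

```python
import re

# Excerpt of the 500E crash log quoted in the post above, shortened for the example.
SAMPLE = """\
292: 2018-04-24 09:20:00 sslvpnd crashed 7 times. The last crash was at 2018-04-24 08:20:00
293: 2018-04-24 09:20:00 <18332> firmware FortiGate-500E v5.6.3,build1547b1547,171204 (GA) (Release)
294: 2018-04-24 09:20:00 <18332> application sslvpnd
295: 2018-04-24 09:20:00 <18332> *** signal 11 (Segmentation fault) received ***
305: 2018-04-24 09:20:00 <18332> RIP: 0000000000000000 EFLAGS: 0000000000010206
307: 2018-04-24 09:20:00 <18332> Trap: 000000000000000e Error: 0000000000000014
309: 2018-04-24 09:20:00 <18332> CR2: 0000000000000000
311: 2018-04-24 09:20:00 <18332> [0x00000000]
312: 2018-04-24 09:20:00 <18332> [0x0120b84f] => /bin/sslvpnd
"""

LINE = re.compile(r"^\d+: (\S+ \S+) <(\d+)> (.*)$")
FIELD = re.compile(r"\b(RIP|CR2|Trap|Error): ([0-9a-fA-F]+)")

def parse_crashes(text):
    """One record per crash; the <tag> is assumed to identify the crashing process."""
    crashes = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # "crashed N times" summary lines carry no <tag>
        ts, tag, body = m.groups()
        rec = crashes.setdefault((ts, tag), {"time": ts, "frames": []})
        if body.startswith("firmware "):
            rec["firmware"] = body[len("firmware "):]
        elif body.startswith("application "):
            rec["app"] = body.split()[1]
        elif body.startswith("*** signal"):
            rec["signal"] = int(body.split()[2])
        elif body.startswith("["):
            rec["frames"].append(int(body[1:body.index("]")], 16))
        for name, value in FIELD.findall(body):
            rec[name] = int(value, 16)
    return list(crashes.values())

def classify(rec):
    """Decode the x86-64 page-fault fields into a short triage verdict."""
    if rec.get("Trap") != 0x0E:
        return "not a page fault"
    err = rec.get("Error", 0)
    fetch = bool(err & 0x10)  # bit 4: fault happened on an instruction fetch
    user = bool(err & 0x04)   # bit 2: fault was raised in user mode
    if fetch and rec.get("RIP") == 0 and rec.get("CR2") == 0:
        return ("user-mode" if user else "kernel-mode") + " call through NULL pointer"
    return "instruction fetch fault" if fetch else "data access fault"
```

Running both quoted logs through `classify` gives the same verdict, which is the kind of signature worth attaching to a support ticket when the vendor cannot reproduce the crash.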
Bruno Pereira
Re: FortiOS 5.6.4 is out. 2018/05/16 07:26:32 (permalink)
0
I have a dream that one day Fortinet will release a version with the least awful bugs.
I had to upgrade due to crash in ips engine, wad and was and now the crash passed to vpnssl.
 
Support today:
Good Afternoon,
The case is being reported, I will let you know as soon as I have further information.
 
 
#36