Fortigate 60D cant upgrade

sunmark · ‎06-25-2019

Hi all,

We are currently facing an issue with upgrading the firmware to a recent firmware. Currently, the Firewall is running FortiOS v5.4.10 build1220 (GA). Using the upgrade path tool, I need to do the following;

VersionBuild Number5.4.1012205.6.916736.0.50268

So, as usual, I upload at the firmware then select FGT_60D-v5-build1673-FORTINET.out and then the firewall appeared to hang ('rebooting screen for 40+ minutes - excluding time to actually do the backup, firmware upload, etc). The firewall had to be manually restarted after 1+ hour of waiting for a response.

What can I do as its happening for 3 times now?

Thank you.

Dave_Hall · ‎06-26-2019

Hi Sunmark.

As long as you can see the console output, the fgt should display what is wrong during the boot sequence.

If you make it to the login prompt, sign-in with your admin login then perform the following commands:

diag debug crashlog read get system startup-error-log

If the fgt crashed during or from an upgrade process, using the following commands to see what was messed up during the upgrade process:

diagnose debug config-error-log read

If the fgt doesn't get that far into the boot process to give you a login prompt, but does display the boot menu, you could try breaking into the boot menu (at the press any key prompt) and try booting from "backup firmware". Though, personally if you are at this stage, I do hope you have at least a backup copy of the config file to be able to restore to in the event you do need to reformat the boot device and restore a firmware image.

If you are not sure what to do, you could always post your console output here for follow up feedback.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

View solution in original post

Toshi_Esumi · ‎06-25-2019

You need to keep watching at console output (and save it to open a TAC case) when you upgrade FortiOS. Otherwise you're missing the most crucial information you need when the upgrade fails like your case. I'm almost sure the answer you're looking for was in the output.

sunmark · ‎06-25-2019

Hello Toshi,

Thank you for your reply.

Would you be able to direct me to a post/KB on how to do this? I'm fairly new here and previous firmware upgrades were very smooth and didn't require console yet.

Thank you

Alexis_G · ‎06-25-2019

what is the FortiOS version you wish to go ?

Latest 5.4 ?

5.6 ?

what upgrade path you followed ?

--------------------------------------------

If all else fails, use the force !

sunmark · ‎06-25-2019

Hello jklapas,

I would be interested to upgrade to 6.0.4 at least. According to the upgrade path, I'd need to follow the below path;

1) 5.6.9 1673

2) 6.0.4 0231

Alexis_G · ‎06-26-2019

backup current config

then upgrade first to latest 5.4

backup current config

then jump to 5.6 base

backup current config

Goto latest 5.6

If I where you i would stay there!!!

6.x.x is not yet mature for production I would say...

--------------------------------------------

If all else fails, use the force !

sunmark · ‎06-26-2019

since the current version is on 5.4.10 would you be suggesting me to update to 5.4.11 then if that is successful I shall upgrade it to 5.6.0 and then the last upgrade it to 5.6.9?

As for stability, I shall stay at 5.6.9 if all the previous ones turn to be a success.

sw2090 · ‎06-25-2019

@sunmark: the best way would be to connect a console cable to the console port. This is the only cli connection that would not stop even if the FGT reboots or hangs at bootloader etc.

SSH/Telnet will only work once the system is up and as long as it is up.

You could use any standard console cable with RJ45 conector on one end. HP Switch Console Cables work as well as the Fortinet ones. APC or Cisco will not work due the different pinout. Then you nbeed either a serial port to connect this with your PC (Or if you don't have a physical serial port you need usb to serial converter).

With ssh/telnet you would not be able to see the output during firmware upgrade and reboot afterwards.

--

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

sunmark · ‎06-26-2019

Hi sw2090, thank you for your post on getting connected using the console. I have found the console cable from the fortigate fw box and then have got myself a usb to serial converter cable.

Is there any guidelines or documentation on how to check for the output?

Dave_Hall · ‎06-26-2019

Hi Sunmark.

As long as you can see the console output, the fgt should display what is wrong during the boot sequence.

If you make it to the login prompt, sign-in with your admin login then perform the following commands:

diag debug crashlog read get system startup-error-log

If the fgt crashed during or from an upgrade process, using the following commands to see what was messed up during the upgrade process:

diagnose debug config-error-log read

If the fgt doesn't get that far into the boot process to give you a login prompt, but does display the boot menu, you could try breaking into the boot menu (at the press any key prompt) and try booting from "backup firmware". Though, personally if you are at this stage, I do hope you have at least a backup copy of the config file to be able to restore to in the event you do need to reformat the boot device and restore a firmware image.

If you are not sure what to do, you could always post your console output here for follow up feedback.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C