thalaivarda
New Contributor

Upgrade from 5.4.4 to 6.0.5

Have two FGT-500D, broke HA, and upgraded one firewall. Took 5 mins of downtime and moved the links to the 6.0.5 firewall. Internet didn't work on systems. Not able to ping 8.8.8.8. If I ping from my core switch with the same source VLAN, it pings. Strange. I moved all the links back to the 5.4.4 firewall. What could be the issue? I have 3 internet links; after the upgrade I moved one ISP and used a spare 6509 switch to test internet and tunnels, and everything worked fine.
hubertzw
Contributor III

Did you follow the recommended upgrade path?

The unit with 6.0.5: can you ping your own interface? Can you ping your core switch? Do you see any sessions on it?

I'm not sure how the 3 Internet links are connected. Did you move all of them to the upgraded unit?

thalaivarda

Followed the recommended path. The 3 ISPs are terminated on the interfaces directly. Before going live, I tried with 1 ISP and everything worked fine. The difference between the working setup and the non-working setup on 6.0.5 was 3 ISPs and the core switch. I used a spare 6509 switch as core while testing; for going live, I had to switch to my actual core, a 4507.
m84_2019
New Contributor

Can you explain a bit more? You said the internet doesn't work on systems yet you can ping 8.8.8.8 from the core switch, is that correct? Same VLAN as the systems? Did you clear the ARP cache for one of the systems?

I recently upgraded three firewalls from 5.4.4 to 6.2.0, no issues spotted.

danielklein
New Contributor

Hi,

Did you follow the upgrade path? Since there is a big gap between the versions, configuration syntax might be different.

The path is supposed to be: 5.4.4 1117 >> 5.6.2 1486 >> 5.6.6 1630 >> 6.0.4 0231 >> 6.0.5 0268

BR

Grave_Rose

Hey thalaivarda,

There's a lot of good information in this thread already but I thought I'd add a bit more to try and help you out. First, we need to figure out what's happening on the FortiGate directly. You said that you can't ping anything from the 'Gate directly. Check your routing tables with "get router info routing-table all" and ensure you have a default gateway on (at least) one of your ISP links (Example: "0.0.0.0/0 [1/0] via 1.1.1.1, wan1 10/0"). If you don't have a default gateway, you'll need to add one in.

Which brings us to our next item. Assuming you have a default gateway, you have three ISP links. Do you have one default gateway or three? Which route has the better preference or are they all equal? Can you post the output of "get router info routing-table all" to the thread so we can see what should be happening to your packets? Is it possible to delete two default gateways to force traffic out one ISP for testing?

Lastly, I would connect to the device with two SSH sessions: on the first, run your ping test to 8.8.8.8 and on the second, run a packet capture to see what's happening on the wire (diagnose sniffer packet wan1 '(host 8.8.8.8 and icmp) or arp' 6 10) and see if the packets are leaving or if you may have a Layer-2 issue with ARP.

Speaking of ARP, one other last thing... :) Can you paste the output of "get system arp" to the thread and let us know what your upstream ISP router IP addresses are?

Hope this helps,

Sean (Gr@ve_Rose)

Site: https://tcpdump101.com Twitter: https://twitter.com/Grave_Rose Reddit: https://reddit.com/r/tcpdump101 Discord: https://discordapp.com/invite/2MZCqn6
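The checks in the reply above (count the default routes, see which one is preferred, and confirm the FortiGate has an ARP entry for each next hop on the expected interface) can be automated against pasted CLI output. The script below is an added example, not code from the thread or from Fortinet. It parses constructed samples of "get router info routing-table all" and "get system arp"; the field layout is assumed from the general FortiOS 5.x/6.x shape (code letter, prefix, [distance/metric], via gateway, interface, optional trailing [priority/0]), and the addresses are documentation ranges, not the poster's. Adjust the two regexes if your build prints the columns differently.

```python
"""Cross-check FortiGate default routes against the ARP table (added helper)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample output; addresses are documentation ranges, not real ISPs.
SAMPLE_ROUTING_TABLE = """\
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       * - candidate default

S*      0.0.0.0/0 [10/0] via 203.0.113.1, wan1, [1/0]
S*      0.0.0.0/0 [10/0] via 198.51.100.1, wan2, [1/0]
S*      0.0.0.0/0 [10/0] via 192.0.2.1, wan3, [5/0]
C       192.168.10.0/24 is directly connected, internal
C       203.0.113.0/29 is directly connected, wan1
C       198.51.100.0/30 is directly connected, wan2
C       192.0.2.0/30 is directly connected, wan3
"""

# Constructed sample; note the wan3 gateway 192.0.2.1 has no ARP entry at all.
SAMPLE_ARP_TABLE = """\
Address           Age(min)   Hardware Addr      Interface
203.0.113.1       0          00:00:5e:00:53:01  wan1
198.51.100.1      3          00:00:5e:00:53:02  wan2
192.168.10.254    1          00:00:5e:00:53:fe  internal
"""


@dataclass
class Route:
    code: str        # e.g. "S*" = static candidate default
    prefix: str      # e.g. "0.0.0.0/0"
    distance: int    # administrative distance
    metric: int
    gateway: str
    interface: str
    priority: int    # trailing [prio/0], assumed to be FortiOS route priority; 0 if absent


@dataclass
class ArpEntry:
    ip: str
    age_min: str
    mac: str
    interface: str


# "<code>  <prefix> [<distance>/<metric>] via <gw>, <intf>[, [<prio>/0]]"
_ROUTE_RE = re.compile(
    r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+\[(\d+)/(\d+)\]"
    r"\s+via\s+(\d{1,3}(?:\.\d{1,3}){3}),\s*([^\s,]+)(?:,\s*\[(\d+)/\d+\])?"
)
# "<ip>  <age>  <mac>  <interface>"
_ARP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_routes(text: str) -> List[Route]:
    """Return every route that has a next hop; legend lines and connected routes are skipped."""
    routes = []
    for line in text.splitlines():
        m = _ROUTE_RE.match(line.strip())
        if m:
            code, prefix, dist, metric, gw, intf, prio = m.groups()
            routes.append(Route(code, prefix, int(dist), int(metric), gw, intf,
                                int(prio) if prio else 0))
    return routes


def parse_arp(text: str) -> Dict[str, ArpEntry]:
    """Map IP -> ARP entry; the header row does not start with an IP and is ignored."""
    entries = {}
    for line in text.splitlines():
        m = _ARP_RE.match(line.strip())
        if m:
            ip, age, mac, intf = m.groups()
            entries[ip] = ArpEntry(ip, age, mac, intf)
    return entries


def check_default_gateways(routing_text: str, arp_text: str) -> dict:
    """How many default routes, which are preferred, and is each next hop resolved at L2?"""
    defaults = [r for r in parse_routes(routing_text) if r.prefix == "0.0.0.0/0"]
    arp = parse_arp(arp_text)
    report = {
        "default_route_count": len(defaults),
        "gateways": [(r.gateway, r.interface, r.distance, r.priority) for r in defaults],
        "preferred_gateways": [],
        "missing_arp": [],          # next hop never resolved: packets cannot leave that link
        "interface_mismatch": [],   # next hop resolved, but on a different interface
    }
    if defaults:
        best = min((r.distance, r.priority) for r in defaults)  # lower wins in FortiOS
        report["preferred_gateways"] = [r.gateway for r in defaults
                                        if (r.distance, r.priority) == best]
    for r in defaults:
        entry = arp.get(r.gateway)
        if entry is None:
            report["missing_arp"].append(r.gateway)
        elif entry.interface != r.interface:
            report["interface_mismatch"].append((r.gateway, r.interface, entry.interface))
    return report


def summarize(report: dict) -> str:
    if report["default_route_count"] == 0:
        return "no default route: add one before testing anything else"
    problems = []
    if report["missing_arp"]:
        problems.append("no ARP entry for " + ", ".join(report["missing_arp"]))
    if report["interface_mismatch"]:
        problems.append("gateway resolved on unexpected interface: "
                        + ", ".join(f"{gw} ({want} vs {got})"
                                    for gw, want, got in report["interface_mismatch"]))
    return "; ".join(problems) if problems else "default routes and ARP look consistent"


if __name__ == "__main__":
    rep = check_default_gateways(SAMPLE_ROUTING_TABLE, SAMPLE_ARP_TABLE)
    for key, value in rep.items():
        print(f"{key}: {value}")
    print(summarize(rep))
```

On the constructed sample this reports three default routes, two of them tied for preference, and one next hop (the wan3 gateway) that the box has never ARP-resolved, which is exactly the Layer-2 symptom the sniffer command above would show as unanswered ARP requests. Paste the real output in place of the samples to get the same report for your unit.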