6.2.0 to 6.2.1 experience

BrianB · ‎07-21-2019

A month ago I went into production with two 1500D’s (HA A/P), two 1048D’s with MC-LAG as distributions, forty-one 448D-POE’s, and one 424D. All gear was running 6.2.0. Using Fortilink with loops. I encountered the memory leak issue related to the wad process on 6.2.0. Even with two automation stitches to restart the wad process twice daily, I still had two outages that were cause when memory leaked above 80% and cause conserve mode to kick in. Needless to say I was anxious to upgrade to 6.2.1 so I could sleep at night. Last night I successfully upgraded all components to 6.2.1. All went smooth with the exception of one 448D that didn’t come back online after rebooting. A second reboot brought it back online. The most switches I upgraded at once was 8. A very welcome enhancement is that on 6.2.1 it now only takes about 6-7 seconds to completely draw out and display all 44 switches when managing via the GUI. On 6.2.0 it took about 30 seconds to load everything. So far memory has not crept back up. It has been holding at 44% since the upgrade, but it’s only been 24 hours and it’s the weekend so not much load right now. I’ll find out more tomorrow when people come back to work but so far, the memory leak issues appear to be fixed. I’ll update the post if I hit any issues. Just wanted to share in case anyone is in a similar situation.

BrianB · ‎07-22-2019

48 hours into 6.2.1 and memory has not gone over 50% with a normal business day load on the network.

bmduncan34 · ‎07-28-2019

I'm in the process of deploying a similar configuration, except I went with a pair of 601E's in HA, a pair of 1048E's in distribution (mclag icl), and 31 448D FPOE switches. I'm interested in how you are deploying your access loops for your 44 switches. I presume those are broken among several IDF closets. Can you explain how you cabled them? I know Fortilink will automatically discover them, but what did you do with the cabling? Say you have a stack of five in a closet - with one 10G fibre on the top switch landing on one 1048, and one 10G fibre on the bottom switch terminating on the second 1048, and each of the five switches ISL'd to each other over 10G. Will both those home-runs back to the 1048's be active, or is one in standby mode? Will Fortilink just detected the connections and make the best choice for configuration? About the Fortilink - is it in split interface mode or is that disabled?

Last question - you went with a honking huge model of gate (1500D). Are you expecting a lot of growth? Will you be deploying FortiAP's too? And what about FortiClients?

I know, lots of questions and not really related to your post. Any input appreciated. Thanks.

BrianB · ‎07-30-2019

That is correct. I have my top switch going to one of my 1048's and the bottom switch going to the other 1048. I am using DAC's to link the switches within each IDF. When I was originally configuring the MC-LAG between the 1048's, one of the steps was to disable Fortilink Split Interface, so I am assuming that both connections in the loops are active, although maybe one has a preference. I am running two 10GB connections between the 1048's for 20GB.

We tested our design's redundancy before we went into production. We simulated losing a 1500, then a 1048, the some of the 448's within the loops and everything worked as expected. The Gates are running Active/Passive.

I followed the guide at https://cookbook.fortinet.com/enterprise-secure-access/. I don't know if I missed an email or something but I have not been able to access cookbook.fortinet.com in the last few weeks.

jamesmeuli · ‎07-30-2019

Upgraded my lab on the weekend. 2x501, 2x1024, 2x248, many x321e. Upgrades were all successful and things looking good so far. Really liking the GUI enhancements. -edit- went straight from 6.0.6 not 6.2.0