- Netflix becomes unreachable at random intervals
- Shoutcast streaming radio stations on a Sonos audio system become unreachable
So while there is now a 4.0 MR2 release for the 60C I would still hold off as it seems there are problems with the platform itself.
Hmm, we are using the 60C since the first day the MR2 P2 is out. It's configured with lots of IPsec tunnels, VLANs, SSL VPN and some UTM-features like AV, Webfilter and IDP. We hardly have any problems, everything seems fine. Interesting to read about your issues.
Were you on a PPPoE WAN connection by chance?
Negatory
I was speculating a UDP session issue related to interface resets, but I suppose not. However, your description still implies some sort of UDP handling problem; at least that's my initial impression.
One of my customers installed MR2P2 on its FG110C. Probably something broke in IPSec, because since then iPhones/iPads can no longer connect through IPSec VPN on that box.
MR2P1 works fine on another piece of equipment with the same IPSec config though.
A case is opened with Fortinet, I'll see how it will turn out.
If you're interested, I could keep you posted on the outcome.
Please do.
We have the same issue David is having with the VPN. We are also working with support, but nothing to report yet.
As it turned out, our customer has more than one "main mode" phase1 IPSec policy in a dial-in configuration, and that, I've been told, is why this thing is now failing.
Indeed, it would appear that the FortiGate cannot discriminate which policy to use either by peer IP address (as it reportedly keeps changing) or by its own interface (as there's more than one IPSec policy bound to it).
Thus, the box always ends up choosing the first policy that matches, ignoring the one that specifically addresses the iPhone traffic.
While from an architectural point of view I can understand why it fails, it doesn't explain to me why it flawlessly worked with the former firmware.
But as no amount of procrastination on my part has ever solved any technical problem I've had, I have two solutions that are implementable:
1) use aggressive mode with an ID for all IPSec tunnels (mainly inter-site tunnels) and leave the main dial-in one for iPhone connectivity;
2) require all peers to have static IP addresses, which would allow me to discriminate by either HQ interface name or peer's IP address.
For now, 1) will be implemented as it's the most cost-effective way to get around the problem.
And guess what:
All VPN tunnels have been reconfigured in aggressive mode, leaving main mode to the iPhone.
Lo and behold: it failed. Back to square 1.
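The policy-selection reasoning in the comment above, modelled as an added Python example (not code from the thread or from Fortinet): a toy IKE phase 1 selector that shows why a gateway falls back to the first dial-up main-mode policy on an interface, and how an aggressive-mode peer ID gives it something to match on. Policy names, interface names and addresses are constructed.

```python
# Added example: minimal model of IKE phase 1 policy selection.
# Not FortiOS code; names, interfaces and addresses are constructed.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Phase1:
    name: str
    interface: str
    mode: str                   # "main" or "aggressive"
    peer_ip: Optional[str]      # None means a dynamic (dial-up) peer
    peer_id: Optional[str]      # usable for selection only in aggressive mode


@dataclass
class Proposal:
    interface: str              # interface the first IKE message arrived on
    src_ip: str
    mode: str
    peer_id: Optional[str]      # present in message 1 only in aggressive mode


def select_phase1(policies: List[Phase1], p: Proposal) -> Optional[Phase1]:
    """Return the first policy whose selectors match the incoming proposal."""
    for pol in policies:
        if pol.interface != p.interface or pol.mode != p.mode:
            continue
        if pol.peer_ip is not None:
            # Static peer: the source address is enough to discriminate.
            if pol.peer_ip == p.src_ip:
                return pol
            continue
        if p.mode == "main":
            # Main mode with pre-shared keys: the peer's ID is sent encrypted
            # after the key has already been derived, so it cannot be used to
            # pick the policy. The first dial-up policy on this interface wins,
            # which is the ambiguity described in the comment above.
            return pol
        # Aggressive mode: the ID travels in the first message, so match on it.
        if pol.peer_id == p.peer_id:
            return pol
    return None
```

With two main-mode dial-up policies on the same interface the selector returns whichever is listed first; moving the site tunnels to aggressive mode with an ID leaves a single main-mode dial-up candidate for the iPhone.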
Hi all,
I'm having trouble with my WiFi 60C.
CPU is always (almost) at 100%. And I don't have any special configuration: 40 users, 1 IPsec, SSL VPN and UTM with antivirus, web filtering and app control.
I used to have a 110C and it worked like a charm; I'm really bored with the WiFi 60C.
Cheers
Has anyone actually managed to get a 60C running at 100Mbps in both directions?
Our experience to date has shown a limit of around 35Mbps upstream and 45Mbps downstream when pushing out via 100Mbps fibre.
This is despite a factory default configuration with only NAT configured - no IPS, no AV, nothing else.
Replaced the 60C with a 110C with exactly the same configuration and happily pushing around 98Mbps via FTP via the same link.
Case with Fortinet currently, but given these things are supposed to be able to do firewall up to 1Gbps (despite the WAN ports being limited to 100Mbps), it's a serious concern!
I have a FWF60C, and I'm experiencing some of these issues as well, like Netflix problems at times and really high CPU usage much of the time. Sometimes it's failover, but often I can't locate a real reason.
Has anyone tried the latest firmware? Rumor has it things are fixed/changed in 4.0 MR3 Patch1.
Also, I'm looking to really use the Gig interfaces on my FWF. So I'm starting to get worried with the "doesn't do 100Mbps" comment. Does anyone know the top bandwidth of that internal switch that is GigE?