Tuesday, October 26, 2010

Fortigate 60C Update 4.0 MR2 P2

After running the FortiWifi 60C with 4.0 MR2 Patch 2 for some time it appears there are still a number of bugs which need to be ironed out.
  • Netflix becomes unreachable at random intervals
  • Shoutcast streaming radio stations on a Sonos audio system become unreachable
Replacing the 60C with my trusty FortiWifi 50B resolved the problem.

So while there is now a 4.0 MR2 release for the 60C I would still hold off as it seems there are problems with the platform itself.

13 comments:

Werner said...

Hmm, we are using the 60C since the first day the MR2 P2 is out. It's configured with lots of IPsec tunnels, VLANs, SSL VPN and some UTM-features like AV, Webfilter and IDP. We hardly have any problems, everything seems fine. Interesting to read about your issues.

Ben said...

Were you on a PPPoE WAN connection by chance?

Sebastian said...

Negatory

Ben said...

I was speculating a UDP session issue related to interface resets, but I suppose not. However your description still implies some sort of UDP handling problem, at least that's my initial impression.

David said...

One of my customers installed MR2P2 on its FG110C. Probably that something broke in IPSec becuase since then, iPhone/iPads can no longer connect thru IPSec VPN on that box.

MR2P1 works fine on another equipment with the same IPSec config though.

A case is opened with Fortinet, I'll see how it will turn out.

If you're interested, I could keep you posted on the outcome.

Sebastian said...

Please do.

Alan said...

We have the same issue David is having with the VPN. We are also working with support, but nothing to report yet.

David said...

As it turned out, our customer has more than one "main mode" phase1 IPSec policy in a dial-in configuration and that I've been told is why this thing is now failing.

Indeed, it would appear that the fortigate cannot discriminate which policy to use by neither peer IP address (as it reportedly keeps changing) nor by its own interface (as there's more than one IPSec policy bound to it).

Thus, the box always end up choosing the first policy that will match, ignoring the one that specifically address the iPhone traffic.

While from an architectural point of view I can understand why it fails, it doesn't explains to me why it flawlessly worked with the former firmware.

But as no amount of procastination on my part has ever solved any technical problem I got, I have two solutions that are implementable:

1) use agressive mode with an ID for all IPSec tunnels (mainly inter-site tunnels) and leave the main dial-in one for iPhone connectivity;

2) require all peers to have static IP addresses, which would allow me to discrimate by either HQ interface name or peer's IP address.

For now, 1) will be implemented as it's the most cost-effective way to get around the problem.

David said...

And guess what:

All VPN Tunnels have been reconfigured in agressive mode, leaving the main mode to iPhone.

Lo and behold: it failed. Back to square 1.

November said...

Hi all,

I'm having trouble with my wifi 60c.
Cpu is always (almost) at 100%. And i dont have any special configuration, 40 users, 1 IPSEC, SSLVPN and UTM with anti virus, web filtering and app control.

I use to have a 110C and it worked like a charm, i'm really bored with wifi 60c.

Cheers

Justin Twiss said...

Has anyone actually managed to get a 60C running at 100Mbps in both directions?

Our experience to date has shown a limit of around 35Mbps upstream and 45Mbps downstream when pushing out via 100Mbps fibre.

This is despite a factory default configuration with only NAT configured - no IPS, no AV, nothing else.

Replaced the 60C with a 110C with exactly the same configuration and happily pushing around 98Mbps via FTP via the same link.

Case with fortinet currently, but given these things are supposed to be able to do firewall upto 1Gbps (despite the WAN ports being limited to 100Mbps) its a serious concern!

David H said...

I have a FWF60C, and I'm experiencing some of these issues as well, like Netflix problems at times and really high CPU usage much of the time. Sometimes its failover, but often I can't locate a real reason.

Has anyone tried the latest firmware? Rumor has it things are fixed/changed in 4.0 MR3 Patch1.

Also, I'm looking to really use the Gig interfaces on my FWF. So I'm starting to get worried with the "doesn't do 100Mbps" comment. Does anyone know the top bandwidth of that internal switch that is GiGE?

BUY ROUTERS AND SWITCHES said...


C9300-24P-E AKJCSAS CJ SACKJ JAS C KCSA