Thursday, September 22, 2011

FortiOS 4.0 MR3 Patch 2 - Problems on FortiWifi

This was released earlier in the week. I installed it on my FortiWifi 60C and it caused my firewall to no longer respond to ARP requests, thus making it invisible to my network. Rolling back to 4.0 MR2 Patch 8 fixed the problem. I then re-installed MR3 Patch 2 via tftp as a clean install and had the same problem as before with no ARP responses.

Let me know what you find on other platforms.

14 comments:

Paulo Raponi said...

I need upgrade a Fortigate 1000AFA2 from MR2 patch7 to MR3 to solve a lot of issue that TAC said me.

Let me see what will happen...

I'm afraid :)

meemoa said...

Im seeing issues with an FWF60C and IPSec tunnels following an upgrade from MR3 P1 to P2. Basically the IPSec tunnels will not establish anymore... am waiting on a response from TAC.

I believe I also replicated your issue with an FWF50B, however power cycling the upstream router resolved my arp issue.

With regards to actually applying the update on an FWF60C, I tried this twice - both of which failed and caused the FGT to hang. Hard power cycling recovered the unit but showed MR3 P1 still installed. I had to disconnect the FGT from the whole network to perform a successful upgrade!

Upgrades to FG100A's and FG60B's were flawless.

David said...

Deployed 4.3.2 to my (Evil) FWF-60C and it actually resolved an issue that I was having where the WIFI would freeze, refusing to allow new clients to connect.

Yet to see any issues with either IPSec or ARP.

Anonymous said...

Just upgraded a FWF-80CM, seeing no obvious problems so far.

Anonymous said...

Hi

I have a MR3P1 FG60X Cluster with performance issues. After say 1-3 weeks the "miglogd" running at 99.9% and performance is bad, ping loss, SNMP loss, GUI/CLI loss.
All logging is disabled.

Do u think that i should go UP to MR3P2 or DOWN to MR2P9 ???

/Johan

Sebastian said...

I would recommend that unless you have a real need for any of the features in MR3 your best bet would be to go back to the latest version of MR2. Fortinet has had more time to stabilize this code.
We're running MR2 P8 globally on more than 80 firewalls and haven't seen any major issues.

buegeleisen said...

tried mr3 p1 and p2 with an 50b and 60b, with both of them the ipsec-tunnels were just going up and down like crazy (at least to other fortigates with mr2 p8, didn't bother testing it on both sides with 3p2).

funny thing is, during p1 their support confirmed the problem. but still doesn't look like they're interested to mention it in the release notes as "known" problem.

another funny detail regarding the release notes, mr2p8 and earlier mentioned in the fortissl-client compatibility list ubuntu "10.0.4", with mr3 they went back to "8.0.4".

Anonymous said...

Upgraded a FG60C, FG200B, and FG300A to MR3 P2. No issues to report, yet. Also, not sure if the firmware or the rebooting fixed an issue where YouTube videos would stop midway through because the proxyworker was crashing.

VirTech Systems said...

I just flashed MR3P2 to a FWF30B in the office and it was working OK for a short time.

I set up a few WiFi SSIDs and some basic UTM filtering.

After letting it sit, it seems to have become a paper weight. It's nonfunctional and I can't even log into it anymore. Resetting it makes it functional for a short time then it dies again.

I'm going to try a factory reset on it, but I've only seen these issues when trying anything above MR2P#.

I was hoping to utilize the multiple SSIDs.

David said...

Is it just me or is it a common thread for Fortnet these days to send half-cooked firmwares in the wild and then expecting us integrators or customers to beta test for them?

I've a customer that has 3(!) tickets opened on a single box, MR3P0 has been a disaster for them and I'm not keen to upgrade their pair of FTG80C to MR3P1 because I'm wary of something else that could break.

I've worked for 22 years and I've never seen this magnitude of try/fail before... Ok maybe Microsoft SP4 on NT4 was of that magnitude as far as Lotus Notes was concerned... But you get my drift right?

Heck I had to disable UTM(!) on one of their boxes, reducing a 1.5K$ box to the status of a 50$ linksys router because it couldn't cope with simple application filter rules... What am I supposed to tell my customer? That their boxes are currently doing a job a PIX501 could do?

*sighs*

I won't ask if you have entries in the company but as a FCSNP I find it quite frustrating that their QA on firmwares is that flimsy.

meemoa said...

Ref, my IPSec issue. TAC confirmed a problem with my FWF60C side relating to IKEv2 and Certificate auth. Work around is to use IKEv1 + Cert or IKEv2 + PSK. Other than this, Im not having any other issues with FWF60C + MR3 Patch 2.

bmann said...

yeah, it is normal by Fortinet to release beta versions in to the wild.
Fortinet is "leader" in UTM only with number of functions. But functional about half of them.

I have simple rules:
- think about new release not before patch6
- use only basic functionality, do not use complicated configs
- fortinet is cheaper, but if you need better stability use another vendor

mwilson said...

we have 600 f-gates. the wifi 80cm loses the antenna after upgrade to 4.3 - database error.

Anyone else seeing this behavior?

Anonymous said...

there is also issues with raid