Fortigate 60E&F upgrade from v6.4.x to v7.0.x

Yes, yes, I know, I am complaining about Fortinet again. Well, the previous post is months old, I just copied it from my previous site so I did not complain for some time now.


A bit of a background

I have a lab at home for testing, experimenting etc etc. At some point I will describe my lab environment but for the moment let’s stick to the subject.

The One With the 60E

I was running a Fortigate 60E in my lab with v6.4.something, the same version as the 500Ds I was ranting about in a previous post. Version 7 came out with all the bells and whistles and, since at work I was going to replace the aging 500Ds with 600Es, it seemed like a good idea to check out the features (and the bugs) of v7 at home before deploying it at work. So, I back up my config and install v7 on the 60E.

The upgrade ran smoothly, but within a few minutes the problems started: no internet access, the CPU spiking to 100%, packet loss, then back to normal, then again no internet access.

Apparently the 60E, if you have IPS, some web filtering and some other features on, cannot handle the load of v7. Did anyone see or read any indication from Fortinet that the config should be minimal for the 60E to run v7? I didn’t, but no harm done, I was itching for an upgrade anyway. Back to v6.4.x and fortunately, as the 60E maintenance package was expiring, I found a good deal for a 60F with 3 years of FortiCare.

BTW, if you are going to buy a 3 year FortiCare for an old device, check with your dealer whether you can get a newer device instead. In my case it was cheaper to get the hardware and the FortiCare together, so I did.

The One With the 60F

So, the package arrives, the 60E goes out of the rack, the 60F goes in. BTW, this rackmount kit is excellent: RM-FR-T10 from Rackmount.IT.

I install 6.4.x on it and upload my config; everything runs smoothly and the device is noticeably faster.

Time to do what I bought the device for: upgrade to v7. I upgrade from the GUI, the device reboots, I try to log in after the reboot and then… nothing. No response to pings, nothing. Plug in the console cable and something is not right:

fork() failed
fork() failed
[lock_reg:145] fcntl(fd=6, cmd=6, lock={type=0,start=4,whence=0,len=1}) failed: 37(No locks available)
[lock_reg:145] fcntl(fd=6, cmd=6, lock={type=2,start=4,whence=0,len=1}) failed: 37(No locks available)
[lock_reg:145] fcntl(fd=6, cmd=6, lock={type=0,start=4,whence=0,len=1}) failed: 37(No locks available)
[lock_reg:145] fcntl(fd=6, cmd=6, lock={type=2,start=4,whence=0,len=1}) failed: 37(No locks available)
[lock_reg:145] fcntl(fd=6, cmd=6, lock={type=0,start=4,whence=0,len=1}) failed: 37(No locks available)
[lock_reg:145] fcntl(fd=6, cmd=6, lock={type=2,start=4,whence=0,len=1}) failed: 37(No locks available)
[lock_reg:145] fcntl(fd=6, cmd=6, lock={type=0,start=4,whence=0,len=1}) failed: 37(No locks available)
[lock_reg:145] fcntl(fd=6, cmd=6, lock={type=2,start=4,whence=0,len=1}) failed: 37(No locks available)
[lock_reg:145] fcntl(fd=6, cmd=6, lock={type=0,start=4,whence=0,len=1}) failed: 37(No locks available)
[lock_reg:145] fcntl(fd=6, cmd=6, lock={type=2,start=4,whence=0,len=1}) failed: 37(No locks available)
[lock_reg:145] fcntl(fd=6, cmd=6, lock={type=0,start=4,whence=0,len=1}) failed: 37(No locks available)
[lock_reg:145] fcntl(fd=6, cmd=6, lock={type=2,start=4,whence=0,len=1}) failed: 37(No locks available)
Reset button has been disabled, please press the button during the first 60 seconds after a power-cycle.
fork() failed
fork() failed
fork() failed
fork() failed
fork() failed
fork() failed
dnsproxy couldn't fork worker 0
fork() failed
fork() failed
fork() failed
fork() failed
fork() failed
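The console output above is the signature an operator wants to catch as early as possible during an upgrade, rather than waiting for services to come up. The following is an added example, not code from the post or from Fortinet: a small Python parser for the three line shapes shown (fork() failures, the lock_reg fcntl failures and the "couldn't fork worker" message) that summarises them and returns a roll-back verdict. It assumes generic Linux numbering for the constants it names (errno 37 is ENOLCK, which matches the "No locks available" text; lock types 0, 1 and 2 are F_RDLCK, F_WRLCK and F_UNLCK), and its sample input is a constructed excerpt modelled on the lines above.

```python
"""Classify FortiGate serial-console output for signs of process/lock exhaustion.

Added example (not from the post or from Fortinet). Feed it the text captured
from the console after an upgrade reboot; it counts the failure lines and
returns a verdict so the operator can decide to roll back early.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed excerpt modelled on the console output shown in the post.
SAMPLE_CONSOLE = """\
fork() failed
fork() failed
[lock_reg:145] fcntl(fd=6, cmd=6, lock={type=0,start=4,whence=0,len=1}) failed: 37(No locks available)
[lock_reg:145] fcntl(fd=6, cmd=6, lock={type=2,start=4,whence=0,len=1}) failed: 37(No locks available)
Reset button has been disabled, please press the button during the first 60 seconds after a power-cycle.
fork() failed
dnsproxy couldn't fork worker 0
fork() failed
"""

# The three line shapes seen on the console.
FCNTL_RE = re.compile(
    r"^\[(?P<func>\w+):(?P<line>\d+)\] fcntl\(fd=(?P<fd>\d+), cmd=(?P<cmd>\d+), "
    r"lock=\{type=(?P<ltype>\d+),start=(?P<start>\d+),whence=(?P<whence>\d+),len=(?P<len>\d+)\}\) "
    r"failed: (?P<errno>\d+)\((?P<errstr>[^)]*)\)$"
)
FORK_RE = re.compile(r"^fork\(\) failed$")
WORKER_RE = re.compile(r"^(?P<daemon>\w+) couldn't fork worker (?P<worker>\d+)$")

# Assumption: generic Linux numbering. ENOLCK is 37, which is consistent with
# the "No locks available" text; fcntl lock types are F_RDLCK=0, F_WRLCK=1, F_UNLCK=2.
ENOLCK = 37
LOCK_TYPES = {0: "F_RDLCK", 1: "F_WRLCK", 2: "F_UNLCK"}


@dataclass
class ConsoleSummary:
    fork_failures: int = 0
    lock_failures: int = 0
    lock_types: Counter = field(default_factory=Counter)
    errnos: Counter = field(default_factory=Counter)
    daemons_without_workers: dict = field(default_factory=dict)
    reset_button_disabled: bool = False   # informational: past the 60 s boot window
    unparsed: list = field(default_factory=list)


def summarize(console_text):
    """Parse captured console text into a ConsoleSummary."""
    s = ConsoleSummary()
    for raw in console_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if FORK_RE.match(line):
            s.fork_failures += 1
            continue
        m = FCNTL_RE.match(line)
        if m:
            s.lock_failures += 1
            s.lock_types[LOCK_TYPES.get(int(m["ltype"]), "unknown")] += 1
            s.errnos[int(m["errno"])] += 1
            continue
        m = WORKER_RE.match(line)
        if m:
            s.daemons_without_workers.setdefault(m["daemon"], []).append(int(m["worker"]))
            continue
        if line.startswith("Reset button has been disabled"):
            s.reset_button_disabled = True
            continue
        s.unparsed.append(line)   # keep anything unknown so nothing is silently dropped
    return s


def verdict(s, fork_threshold=3):
    """Return "OK: ..." or "ROLL BACK: ..." based on the exhaustion signatures found."""
    problems = []
    if s.fork_failures >= fork_threshold:
        problems.append(f"{s.fork_failures} fork() failures (process table or memory exhausted)")
    if s.errnos.get(ENOLCK):
        problems.append(f"{s.errnos[ENOLCK]} fcntl lock failures with ENOLCK")
    for daemon, workers in s.daemons_without_workers.items():
        problems.append(f"{daemon} could not start worker(s) {workers}")
    if not problems:
        return "OK: no resource-exhaustion signatures on the console"
    return "ROLL BACK: " + "; ".join(problems)


if __name__ == "__main__":
    summary = summarize(SAMPLE_CONSOLE)
    print(summary)
    print(verdict(summary))
```

In practice the input would be the text logged by the terminal program attached to the console port (most can write a session log to a file); run the script against that file while the device boots and treat a "ROLL BACK" verdict as the cue to stop and restore the previous firmware rather than waiting for the GUI to come up.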

Anyway, the kid wanted to watch YouTube, so back to the trusted 6.4 and I open a ticket with Fortinet. The date was 29.09.2021.

For a week, a Fortinet support engineer (nice guy, can’t complain about him) requested data that he eventually sent to the dev team.

A week later the ticketing system tried to close my request, but not so fast…

Mid November I ping the engineer again, who, at the end of November, requested some diagnostic data, which I provided.

The new year came and eventually, mid February, I get a response asking me to try v7.0.5. Same issue. In the meantime, the aforementioned 600Es arrived at work, but I am reluctant even to open the boxes.

Anyway, the support engineer asked me to format the device, do a clean install via TFTP, upload my config and then try to upgrade. As the result was the same, he asked me to try again after changing the following settings:

config system global
set miglogd-children 1
set sslvpn-max-worker-count 1
set wad-worker-count 1
set scanunit-count 2
end
config ips global
set engine-count 1
end

I am sure you guessed the result.

Finally, last week, he asked me to format the device, load version 6.4.8 via TFTP, NOT upload the config, upgrade via TFTP and see if it is stable. Then, format again and downgrade to 6.4.8.

Over the weekend, I tried that successfully and, although it goes against Fortinet’s recommendations, I uploaded the 6.4.8 config to 7.0.5. And it works! It is slower, especially on DNS queries, but I can do the tests that I need. Guess I will be opening the 600Es soon 🙂

Conclusion

So, if your upgrade is failing like mine, do the following:

  1. Backup your config
  2. Reboot the device
  3. Format the device
  4. Load 6.4.8 via TFTP
  5. Upgrade to 7.0.5
  6. Upload your config
  7. Keep your fingers crossed! I will be keeping them crossed for you.

The rant

From this ordeal, I got the feeling that Fortinet is treating small customers with small FortiCare support contracts like guinea pigs.

Just because the 60 series is for home/SMB use does not mean that the customers are available to do testing and run diagnostics for them. We are still in a pandemic. A lot of customers are working from home and cannot afford hours without internet.

My suggestions for Fortinet would be:

  • Test better. Hire some beta testers. Small customers are also paying customers. Not beta testers.
  • When you have a new, “heavier” version of an OS, test on the smaller, older devices and, before you say it is OK to upgrade, mention in HUGE CAPS LOCK letters that performance will be degraded if certain features are enabled, and list them.
  • What good will it do to a 60E to run v7 if the filters cannot be enabled?


Also, can we have a load balancer/ reverse proxy with v7.0.6 please? I can wait for 7.1 🙂
