fortinet / aws-cloudformation-templates

Cloud Formation Templates for getting you started in AWS with Fortinet.
MIT License
34 stars 67 forks

upgrade cfn stack from 1.3.4 to 1.3.5 fails #6

Open danieldome opened 4 years ago

danieldome commented 4 years ago

Upgrading the CloudFormation stack from Release 1.3.4 to 1.3.5 fails with this error:

Basically, the CloudFormation changeset wants to create new EC2 instances and fails as ENIs are in use by the previous (active) instances.

danieldome commented 4 years ago

Update:

To work around this issue I had to:

Anyway, now issue https://github.com/fortinet/aws-cloudformation-templates/issues/3 was reintroduced in release 1.3.5: the slave instance can't boot and the workaround described in that issue is not working.

hgaberra commented 4 years ago

Hello Daniel, thanks for the note.

What was the purpose of using stack update?

If you were looking to update the firmware (FortiOS code version) on the previously deployed instances, you would start with upgrading the master FGT to the correct version of code. Then the master upgrades the firmware of both itself and the slave FGT. Reference the KB article below for how to upgrade the firmware on the master. Stack updates are not recommended methods to update FortiOS firmware.

https://kb.fortinet.com/kb/documentLink.do?externalID=10948

hgaberra commented 4 years ago

I forgot to add this in the previous post.

If you are seeing an issue with a slave FGT shutting down automatically, there are other known issues (Mantis 611541) that can cause this and are not the same as (GitHub issue #3).

It is recommended that you reach out to our support team for assistance on identifying and resolving the issue (Mantis 611541, 590555, or something else) you are now facing.

https://www.fortinet.com/support/contact.html

danieldome commented 4 years ago

Before going to production I tested upgrading the stack. I like applying upgrades to the CloudFormation stack not only to upgrade the product itself but to apply fixes or features related to current or new AWS resources.

Thanks for the link with FortiGate's best practices.