bvagadia (Staff)
February 19, 2022

Technical Tip: FortiCare is unreachable

Description: This article describes how to troubleshoot the case where FortiCare shows as unreachable while tokens are being assigned to a user.
Scope: FortiGate.
Solution:

Make sure that the unit has a default route configured and has available tokens, then verify the following:

 

  1. The FortiGate reaches the Internet by IP (no DNS involved). Pick the IP address of a publicly available DNS server and ping it from the FortiGate CLI:

 

exec ping 8.8.8.8

 

Output sample:

execute ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=50 time=17.3 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=50 time=17.3 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=50 time=17.3 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=50 time=17.4 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=50 time=17.4 ms
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 17.3/17.3/17.4 ms

 

  2. The FortiGate can resolve FQDNs (ping the FortiCare hosts by name):

 

exec ping directregistration.fortinet.com
PING directregistration.fortinet.com (63.137.229.3): 56 data bytes
64 bytes from 63.137.229.3: icmp_seq=0 ttl=45 time=162.4 ms
64 bytes from 63.137.229.3: icmp_seq=1 ttl=45 time=162.2 ms
^C
--- directregistration.fortinet.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 162.1/162.2/162.4 ms

 

execute ping fortitokenmobile.fortinet.com
PING fortitokenmobile.fortinet.com (208.91.113.27): 56 data bytes
64 bytes from 208.91.113.27: icmp_seq=0 ttl=45 time=164.3 ms
64 bytes from 208.91.113.27: icmp_seq=1 ttl=45 time=163.6 ms
^C
--- fortitokenmobile.fortinet.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 163.6/163.9/164.3 ms

 

If step 1 succeeds but this test fails, the problem is DNS related: try a different DNS server until the FQDNs resolve.
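The two checks above can be turned into a small triage helper. The following Python script is an added example (not part of the article and not Fortinet code): it parses 'execute ping' output of the shape shown in the samples above and applies the article's logic, distinguishing "no default route" (IP ping gets no reply), "DNS problem" (FQDN does not resolve) and "resolved but unreachable". It assumes the output format shown in the samples, and it assumes that FortiOS prints "Unable to resolve hostname." when a lookup fails; all sample outputs below are constructed.

```python
import re

# Constructed sample outputs modelled on FortiOS 'execute ping' (assumed format).
# The "Unable to resolve hostname." text is an assumption about the DNS-failure message.
IP_OK = """PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=50 time=17.3 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=50 time=17.3 ms
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 17.3/17.3/17.3 ms
"""

IP_NO_ROUTE = """PING 8.8.8.8 (8.8.8.8): 56 data bytes
Timeout ...
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
"""

FQDN_OK = """PING directregistration.fortinet.com (63.137.229.3): 56 data bytes
64 bytes from 63.137.229.3: icmp_seq=0 ttl=45 time=162.4 ms
--- directregistration.fortinet.com ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 162.4/162.4/162.4 ms
"""

FQDN_DNS_FAIL = "Unable to resolve hostname.\n"

_PING_HDR = re.compile(r"^PING (\S+) \((\d{1,3}(?:\.\d{1,3}){3})\)", re.M)
_STATS = re.compile(r"(\d+) packets transmitted, (\d+) packets received, (\d+)% packet loss")


def classify_ping(target, output):
    """Summarise one 'execute ping <target>' run.

    verdict is one of:
      'reachable'   - at least one echo reply came back
      'no_reply'    - name resolved (or IP target) but nothing answered
      'dns_failure' - hostname could not be resolved
      'unknown'     - output not recognised
    """
    res = {"target": target, "resolved_ip": None, "sent": 0, "received": 0,
           "loss_pct": None, "verdict": "unknown"}
    if re.search(r"unable to resolve", output, re.I):
        res["verdict"] = "dns_failure"
        return res
    hdr = _PING_HDR.search(output)
    if hdr:
        res["resolved_ip"] = hdr.group(2)  # IP the name resolved to
    st = _STATS.search(output)
    if st:
        res["sent"], res["received"], res["loss_pct"] = (int(g) for g in st.groups())
        res["verdict"] = "reachable" if res["received"] > 0 else "no_reply"
    return res


def triage(ip_result, fqdn_results):
    """Apply the article's two-step logic: IP ping first, then FQDN pings."""
    if ip_result["verdict"] != "reachable":
        return "step1_failed: no reply to IP ping; check the default route / egress interface"
    dns = [r for r in fqdn_results if r["verdict"] == "dns_failure"]
    if dns:
        names = ", ".join(r["target"] for r in dns)
        return f"step2_dns_failure: {names} did not resolve; try a different DNS server"
    dead = [r for r in fqdn_results if r["verdict"] != "reachable"]
    if dead:
        names = ", ".join(f"{r['target']} ({r['resolved_ip']})" for r in dead)
        return f"step2_no_reply: {names} resolved but did not answer; collect the debug output for support"
    return "ok: default route and DNS are working; FortiCare hosts reachable"


if __name__ == "__main__":
    ip = classify_ping("8.8.8.8", IP_OK)
    fq = [classify_ping("directregistration.fortinet.com", FQDN_DNS_FAIL),
          classify_ping("fortitokenmobile.fortinet.com", FQDN_OK)]
    print(triage(ip, fq))
```

Paste the real output of each 'execute ping' into the corresponding variable (or read it from a file) and the verdict string tells you which step of the article failed; the 'received' count is what matters, since an interrupted ping (^C) still reports the packets that did come back.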

 

If SD-WAN is in use, change the FortiGuard setting so that the outgoing interface is selected by SD-WAN:

 

config system fortiguard
    set interface-select-method sdwan
end

 

If step 2 fails, contact Fortinet Technical Support after collecting the output below, together with the exact serial number(s) of the FortiTokens experiencing the issue.

 

Run these commands in the FortiGate CLI (or the CLI Console in the GUI):

 

diagnose debug reset
diagnose debug application forticldd -1
diagnose fortitoken debug enable
diagnose fortitoken info
diagnose debug enable

 

Note:

If the FortiGate is configured in multi-VDOM mode, the management VDOM must have a default route to the Internet, and the commands above have to be run from the management VDOM context.

 

For example, in the FortiGate-6000F, 7000E and 7000F series the management VDOM is called 'mgmt-vdom':

 

FGT-7000 [FIM01] # config vdom
FGT-7000 [FIM01] (vdom) # edit mgmt-vdom
FGT-7000 [FIM01] (mgmt-vdom) # show router static
config router static
    edit 1
        set gateway 10.x.x.x
        set device <MGMT-INTERFACE-NAME>
    next
end

FGT-7000 [FIM01] (mgmt-vdom) # execute ping 8.8.8.8
FGT-7000 [FIM01] (mgmt-vdom) # execute ping directregistration.fortinet.com
FGT-7000 [FIM01] (mgmt-vdom) # execute ping fortitokenmobile.fortinet.com

 

If the token is being activated from a non-root VDOM, the root/management VDOM must be set under the 'config system fortiguard' settings, and that root/management VDOM must have access to the FortiGuard servers. Configuration example:

 

config system fortiguard
    set vdom "root"
    set interface-select-method specify
    set interface "port1"
end

Here 'port1' must be the interface that connects to the Internet and belongs to the root VDOM.

 

Related articles:

Troubleshooting Tip: FortiCare unreachable

Technical Note: How to change management VDOM from GUI and CLI