New Contributor III

Technical Tip: FortiGuard is not reachable via Anycast default method

Forum|Forum|5 years ago
November 13, 2020
0 replies
111112 views

Description

This article describes how to troubleshoot FortiGuard connectivity when the Anycast default method does not work.

Scope

FortiGate v6.4.3 and above.

Solution

By default, v6.4.3 and above uses the Anycast method to address the FortiGuard servers. Relying on Fortinet DNS servers, the FortiGate will get a single IP address for the domain name of each FortiGuard service.

In some circumstances, Anycast does not work:

This can be verified with the debug command in global VDOM 'diagnose debug rating':

diagnose debug rating

Locale : english

Service : Web-filter

Status : Enable

License : Contract

Service : Antispam

Status : Disable

Service : Virus Outbreak Prevention

Status : Disable

Num. of servers : 1

Protocol : https

Port : 443

Anycast : Enable

Default servers : Included

-=- Server List (Tue Nov 3 17:47:32 2020) -=-

IP Weight RTT Flags TZ Packets Curr Lost Total Lost Updated Time

173.243.140.16 0 0 DIF 0 14 11 11

The Flag 'DIF' is observed here, which stands for Failed i.e. Server is down or has failed to respond to the rating query.

If a high value of the current loss is noticed, run 'execute traceroute X.X.X.X' to see if the FortiGuard server can be reached (X.X.X.X is the failing IP of 'diagnose debug rating' as in the example above 173.243.140.16). However, this ICMP test can also fail just because the ICMP traffic is blocked between FortiGate and FortiGuard.

Another method to see if FortiGate can reach FortiGuard is to manually run an update and examine the debug output.

Run from the management VDOM.

diagnose debug disable

diagnose debug reset

diagnose console timestamp enable

diagnose debug app update -1

diagnose debug enable

execute update-now

Disable debug after around 5 to 10 minutes:

diagnose debug disable

diagnose debug reset

If the Server cannot be reached, choose between the following options to solve this issue:

Switch to other Anycast servers:

config system fortiguard
set fortiguard-anycast-source aws
end

Disable Anycast and use HTTPS with port 8888.

config system fortiguard
set fortiguard-anycast disable
set protocol https
set port 8888
set sdns-server-ip 208.91.112.220 173.243.140.53 210.7.96.53
end

Disable Anycast and use UDP with Port 53.

config system fortiguard
set fortiguard-anycast disable
set protocol udp
set port 53

set sdns-server-ip 208.91.112.220 173.243.140.53 210.7.96.53
end

Disable Anycast and use UDP with Port 8888.

config system fortiguard
set fortiguard-anycast disable
set protocol udp
set port 8888

set sdns-server-ip 208.91.112.220 173.243.140.53 210.7.96.53

end

After:

set fortiguard-anycast disable

This can be verified with the debug command 'diagnose debug rating', presenting multiple servers available:

After anyvast disable .png

Notes:

This article mainly pertains to the newer Anycast method for FortiGuard communications. For legacy deployments, Anycast is not available. To troubleshoot without Anycast, refer to this article: Troubleshooting Tip: Resolving FDS Communication Issues (FortiGuard Distribution Servers).
The status of FortiGuard Anycast servers can be confirmed on the FortiGuard status page.

Related articles:

Troubleshooting Tip: Unable to connect to FortiGuard servers

Technical Tip: FortiGuard Overview and Troubleshooting

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded