Contributor
May 10, 2009

Technical Tip: FortiGuard Services are unreachable

Description

This article describes the case where a FortiGate was previously able to communicate with the FortiGuard servers on port 53 or port 8888 and then lost connectivity.

Scope

FortiGate v7.0 and above.
Solution

This issue may be caused by a device downstream of the FortiGate blocking the traffic. There are two potential causes:

  1. DNS compliance checking:
    FortiGate's default port for FortiGuard traffic is port 53. Although the traffic is carried on the DNS port, it is not DNS and does not conform to the DNS protocol format. If a device downstream of the FortiGate performs DNS compliance checking, it may block this traffic.

  2. Source port blocking:
    The service may restart and pick a random source port from the range 1024-25000. Some ISPs block traffic whose source port falls in the range 1025-1030. If the service picks a port in that blocked range, connectivity issues may occur.

Solution:

  • Switch the service back to port 53. If it fails, DNS compliance checking is the likely cause; switch back to port 8888.
  • If it does not fail, the issue was likely source port blocking. To prevent a recurrence, change the source port range used for management traffic so that it starts above the blocked ports:

config sys global
    set ip-src-port-range 1035-25000
end
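The following Python script is an added example and is not part of the Fortinet article or any Fortinet tool. It parses a `config system global` snippet for the `ip-src-port-range` setting described above, falls back to the 1024-25000 range the article says the service picks from when no override is set, and reports whether that range still overlaps the 1025-1030 source ports some ISPs block. The two configuration snippets (`CONFIG_BEFORE`, `CONFIG_AFTER`) and the hostname in them are constructed sample input, not output from a real device.

```python
"""Added example (not from the Fortinet article): lint a FortiOS
'config system global' snippet for an ip-src-port-range that overlaps
the source ports the article says some ISPs block."""
import re
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]

# Source ports the article reports some ISPs blocking.
ISP_BLOCKED_RANGE: PortRange = (1025, 1030)
# Range the article says the service picks from when no override is configured.
DEFAULT_SRC_PORT_RANGE: PortRange = (1024, 25000)

# Matches the FortiOS CLI line 'set ip-src-port-range <low>-<high>'.
_SRC_PORT_RE = re.compile(
    r"^\s*set\s+ip-src-port-range\s+(\d+)-(\d+)\s*$", re.MULTILINE
)

# Constructed sample snippets (not real device output).
CONFIG_BEFORE = """config system global
    set hostname FGT-EXAMPLE
end
"""
CONFIG_AFTER = """config system global
    set hostname FGT-EXAMPLE
    set ip-src-port-range 1035-25000
end
"""


def parse_src_port_range(config: str) -> Optional[PortRange]:
    """Return (low, high) from the ip-src-port-range line, or None if unset."""
    match = _SRC_PORT_RE.search(config)
    if match is None:
        return None
    low, high = int(match.group(1)), int(match.group(2))
    # Reject impossible ranges so a typo is caught before it is pushed to a device.
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"invalid ip-src-port-range {low}-{high}")
    return low, high


def effective_src_port_range(config: str) -> PortRange:
    """Range the device will actually use: the override if set, else the default."""
    return parse_src_port_range(config) or DEFAULT_SRC_PORT_RANGE


def ranges_overlap(a: PortRange, b: PortRange) -> bool:
    """True if the two inclusive port ranges share at least one port."""
    return a[0] <= b[1] and b[0] <= a[1]


def blocked_ports_in_range(
    config: str, blocked: PortRange = ISP_BLOCKED_RANGE
) -> List[int]:
    """Ports the device may pick as a source port that fall inside the blocked range."""
    low, high = effective_src_port_range(config)
    return [p for p in range(blocked[0], blocked[1] + 1) if low <= p <= high]


def src_port_range_at_risk(
    config: str, blocked: PortRange = ISP_BLOCKED_RANGE
) -> bool:
    """True if the effective source port range can still hit a blocked port."""
    return ranges_overlap(effective_src_port_range(config), blocked)


if __name__ == "__main__":
    for name, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(
            name,
            "effective range:", effective_src_port_range(cfg),
            "blocked ports reachable:", blocked_ports_in_range(cfg),
            "at risk:", src_port_range_at_risk(cfg),
        )
```

Run against a saved configuration backup to confirm the fix took effect: the "before" snippet reports all six blocked ports as reachable, while the "after" snippet with `ip-src-port-range 1035-25000` reports none.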