Technical Tip: The FortiClient EMS server connection fails because the server is not compatible
| Description | This article describes how to fix the issue when the FortiClient EMS server connection fails because the server is not compatible. |
| Scope | FortiOS v7.4.9. |
| Solution | Check that the FortiClient EMS and FortiOS are compatible via the following link: FortiClient Windows, macOS, Linux Compatibility with FortiClient EMS.
Below is the error shown in the CLI:
diagnose test application fcnacd 2
execute fctems verify 1
Run the fcnacd debug:
diagnose debug application fcnacd -1. diagnose debug enable ....................... 2025-11-25 13:00:13 [ec_ez_worker_process:400] Processing call for obj-id: 0, entry: "api/v1/system/serial_number"
The reason for this issue is related to the 'preserve-ssl-session' option in the EMS configuration. This option determines whether fcnacd reuses an SSL session for communication with EMS. Currently, reusing the SSL session cache causes fcnacd to send a PSK instead of a certificate chain for verification, while EMS does not support PSK for most of its APIs. Therefore, a connection issue occurs when a client enables "preserve-ssl-session".
To solve the issue, first attempt:
config endpoint-control fctems edit <id> set preserve-ssl-session disable end end
If the problem persists, remove the Fabric EMS connector and reconfigure a new entry that includes the above command. To test the connectivity, run the command below:
diagnose endpoint fctems test-connectivity 1 |