mpankovski_FTNT
Staff
June 16, 2016

Technical Tip: Unable to access FortiGate via HTTPs 443 port after upgrade to v5.2.x


Description

This article provides troubleshooting steps for the case where a FortiGate cannot be accessed via HTTPS on port 443 after an upgrade to v5.2.x.


Scope

Upgrade to FortiGate v5.2.x


Solution

To check why the unit cannot be accessed on HTTPS port 443, enable debugging on the HTTPS daemon:

diagnose debug application httpsd -1
diagnose debug enable

[httpsd 1551 - 1464100331] http_log.c[439] log_error_core -- [Tue May 24 14:32:11 2016] [error] SSL_accept failed
[httpsd 1551 - 1464100331] http_log.c[439] log_error_core -- [Tue May 24 14:32:11 2016] [error] error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
[httpsd 1550 - 1464100331] http_log.c[439] log_error_core -- [Tue May 24 14:32:11 2016] [error] SSL_accept failed
[httpsd 1550 - 1464100331] http_log.c[439] log_error_core -- [Tue May 24 14:32:11 2016] [error] error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
[httpsd 1551 - 1464100332] http_log.c[439] log_error_core -- [Tue May 24 14:32:12 2016] [error] SSL_accept failed
[httpsd 1551 - 1464100332] http_log.c[439] log_error_core -- [Tue May 24 14:32:12 2016] [error] error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
[httpsd 1550 - 1464100333] http_log.c[439] log_error_core -- [Tue May 24 14:32:13 2016] [error] SSL_accept failed
[httpsd 1550 - 1464100333] http_log.c[439] log_error_core -- [Tue May 24 14:32:13 2016] [error] error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
[httpsd 1551 - 1464100334] http_log.c[439] log_error_core -- [Tue May 24 14:32:14 2016] [error] SSL_accept failed
[httpsd 1551 - 1464100334] http_log.c[439] log_error_core -- [Tue May 24 14:32:14 2016] [error] error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
[httpsd 1550 - 1464100334] http_log.c[439] log_error_core -- [Tue May 24 14:32:14 2016] [error] SSL_accept failed
[httpsd 1550 - 1464100334] http_log.c[439] log_error_core -- [Tue May 24 14:32:14 2016] [error] error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
[httpsd 1551 - 1464100335] http_log.c[439] log_error_core -- [Tue May 24 14:32:15 2016] [error] SSL_accept failed
[httpsd 1551 - 1464100335] http_log.c[439] log_error_core -- [Tue May 24 14:32:15 2016] [error] error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
To disable the debug:

diagnose debug disable
diagnose debug reset


If the output is similar to the example above, tlsv1-0 needs to be enabled. A new global system parameter, admin-https-ssl-versions, was added in v5.2.3. With its default setting it restricts administrative HTTPS access to TLS 1.1 and TLS 1.2 only, so a client that only offers TLS 1.0 fails the handshake with the "SSL23_GET_CLIENT_HELLO:unknown protocol" error shown above.

New default setting with FortiOS release v5.2.3:

FGT-1 # config system global
FGT-1 (global) # get
admin-concurrent : enable
admin-console-timeout: 0
admin-https-pki-required: disable
admin-https-redirect: disable
admin-https-ssl-versions: tlsv1-1 tlsv1-2    <--- new default setting
admin-lockout-duration: 60
admin-lockout-threshold: 3
 
The available options for admin-https-ssl-versions are TLS 1.0 (tlsv1-0), TLS 1.1, TLS 1.2, and SSLv3. Re-enabling TLS 1.0 lowers the protection of the administrative interface, so where the client can be updated to support TLS 1.1 or 1.2 that is the preferable fix.

The following commands append tlsv1-0 to the allowed versions (the existing entries are kept; "end" commits the change):

FGT-1 # config system global
FGT-1 (global) # append admin-https-ssl-versions tlsv1-0
FGT-1 (global) # end
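The check a practitioner would want next, as an added example that is not part of this article or of FortiOS: a small Python script that first summarises httpsd debug output of the shape shown above (counting SSL_accept failures and "unknown protocol" version mismatches per worker PID, on a constructed sample with made-up PIDs and timestamps), and then probes a host to report which TLS versions its HTTPS admin interface actually accepts, which confirms the setting before and after the change. The host name, port and the SECLEVEL adjustment are assumptions for this example.

```python
import re, socket, ssl
from collections import Counter

# Constructed sample in the shape of the httpsd debug output above (PIDs and timestamps are made up).
SAMPLE_LOG = """\
[httpsd 1551 - 1464100331] http_log.c[439] log_error_core -- [Tue May 24 14:32:11 2016] [error] SSL_accept failed
[httpsd 1551 - 1464100331] http_log.c[439] log_error_core -- [Tue May 24 14:32:11 2016] [error] error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
[httpsd 1550 - 1464100331] http_log.c[439] log_error_core -- [Tue May 24 14:32:11 2016] [error] SSL_accept failed
[httpsd 1550 - 1464100331] http_log.c[439] log_error_core -- [Tue May 24 14:32:11 2016] [error] error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
"""

LINE_RE = re.compile(r"^\[httpsd (?P<pid>\d+) - \d+\] .*\[error\] (?P<msg>.*)$")
MISMATCH = "SSL23_GET_CLIENT_HELLO:unknown protocol"  # ClientHello offered a version httpsd does not allow


def summarize_httpsd_log(text):
    """Count SSL_accept failures and protocol-version mismatches per httpsd worker PID."""
    failures, mismatches = Counter(), Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip().lstrip("# "))  # tolerate a stray CLI prompt in front of a line
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if msg == "SSL_accept failed":
            failures[pid] += 1
        elif msg.endswith(MISMATCH):
            mismatches[pid] += 1
    return {"ssl_accept_failed": dict(failures), "unknown_protocol": dict(mismatches)}


# Python's names for the versions the article lists as tlsv1-0 / tlsv1-1 / tlsv1-2 (SSLv3 is not probed).
PROBE_VERSIONS = {"TLSv1": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1, "TLSv1.2": ssl.TLSVersion.TLSv1_2}


def probe_tls_versions(host, port=443, timeout=5.0):
    """One handshake per version; certificate checks are off because only protocol negotiation is tested."""
    accepted = {}
    for name, version in PROBE_VERSIONS.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
        ctx.minimum_version = ctx.maximum_version = version
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # newer OpenSSL refuses TLS 1.0/1.1 at its default level
        except ssl.SSLError:
            pass
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    accepted[name] = tls.version() == name
        except (ssl.SSLError, OSError):
            accepted[name] = False
    return accepted
```

Run summarize_httpsd_log() on captured debug output to confirm the mismatch signature, then probe_tls_versions("<fortigate-address>") from the affected client's network to see which versions the unit accepts; after appending tlsv1-0, "TLSv1" should flip to True.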