Skip to main content
tpatel
Staff
tpatel
Staff
June 15, 2025

Technical Tip: Unable to Connect FortiClient EMS Cloud from FortiGate

  • June 15, 2025
  • 0 replies
  • 2616 views
Description This article describes how to fix the issue when FortiGate cannot connect to the FortiClient EMS Cloud and displays an internal processing error and a certificate error.
Scope FortiGate.
Solution

FortiGate is unable to connect to the FortiClient EMS cloud and displays the following error.


Go to Security Fabric -> Fabric Connector -> FortiClient EMS:

Capture.PNG

 

Below is the error shown in the CLI:

 

FGT # execute fctems verify 1
Error in requesting EMS fabric connection: -9901
issue in getting capabilities.
Error (-1@_perform_rest_api:253).(_get_capabilities,457)

 

Run the fcnacd debug:

 

FGT # diagnose debug application fcnacd -1.

FGT # diagnose debug enable

Check for the following error:

[__ctx_sub_ez_worker_err_cleanup_cb:599] Call not submitted.
obj-id: 5, desc: REST API to get EMS public address and port., entry: api/v1/settings/server/public_address.
error info: Error (-1@ec_ez_worker_base_prep_resolver:329). Could not resolve the server forticlient-emsproxy.forticloud.com (ec_ez_worker_prep,2
16) (ec_ems_context_submit_work,638)Internal error: failed to prepare worker
[__worker_handle_certinfo:262] Could not get certificate info.
[ec_ez_worker_process:458] Call completed with failure.

This error indicates that FortiGate is not able to resolve forticlient-emsproxy.forticloud.com.

Go to Network -> DNS on FortiGate and make sure that the DNS server is reachable. 


Refer to the article below to troubleshoot DNS unreachable issues.
Technical Tip: DNS server is unreachable when using custom DNS


Once the DNS server is reachable, FortiGate can resolve forticlient-emsproxy.forticloud.com FQDN.


FGT # execute ping forticlient-emsproxy.forticloud.com
PING ac06a1ca5c53e4c2ab080da8b6b12d00-0ee2231ad8afa4b3.elb.ap-southe (52.74.249.14): 56 data bytes


Once the FortiGate can resolve the FQDN, fcnacd debug will show that the call was submitted successfully, and the FortiGate can connect to the FortiClient EMS Cloud.

 

[ec_ez_worker_process:400] Processing call for obj-id: 5, entry: "api/v1/settings/server/public_address"
[_update_obj_stats:365] Storing (5, GWCC 1000f, 0)
[ec_ez_worker_process:508] Call completed successfully.

 

Related article:
Troubleshooting Tip: Avoid 'EMS server was not reached' errors by correctly authorizing FortiGate to FortiClient EMS Cloud
 
    Terms & ConditionsAccessibility statement