Troubleshooting Tip: FortiClient EMS not reachable from FortiGate secondary HA cluster unit

While checking the connectivity in the following ways, the output may appear as follows.

Primary:

silicon-esx36 # diagnose endpoint fctems test-connectivity 1
Connection test was successful.

silicon-esx36 # execute fctems verify 1
EMS already verified.

Secondary:

uranium-esx10 # diagnose endpoint fctems test-connectivity 1
Connection test had an error -1: EMS server was not reached (timeout)

uranium-esx10 # execute fctems verify 1
Error in requesting EMS fabric connection: -1
issue in getting capabilities. EMS server was not reached (timeout)
Error (-1@_get_capabilities:513).

Command fail. Return code -9999

In an Active-Passive high availability setup using FortiGate, the cluster behaves as a single logical device rather than two independent firewalls. This design directly affects how it interacts with external systems like FortiClient EMS.

When the cluster is operating normally, only the Active unit is responsible for handling traffic and initiating outbound connections. This includes communication with FortiClient EMS. As a result, the Active FortiGate establishes and maintains the connection, and it is the only one that appears as 'connected' within FortiClient EMS. The Passive unit, on the other hand, remains in standby mode. Although it continuously synchronizes configuration and is fully prepared to take over at any moment, it does not independently communicate with FortiClient EMS or any external system while it is in this passive role.

Related articles:

• Technical Tip: HA Cluster out-of-sync and unable to add EMS Fabric Connector after upgrade from FortiOS 6.4.9+ to 7.0.8
• Troubleshooting Tip: Troubleshooting FortiGate with FortiClient EMS