The management connectivity status is down on the FortiCloud Network Overview page. Similarly, FortiGate Central Management shows the status as down (not Managed).

These commands can be used to check the related error message:

diagnose debug disable
diagnose debug reset
diagnose debug application forticldd -1
diagnose debug console timestamp enable
diagnose debug enable
diagnose fdsm log-controller-update

Afterwards, replicate the issue to generate logs, then disable debugging:

diagnose debug disable
diagnose debug reset

The error message below shows that the TLS version is causing the SSL connection problem (the bracketed numbers are source line references printed by forticldd):

[40] fds_queue_task: req-101 is added to message-controller
[568] fds_https_start_server: server: 208.91.113.184:443
[569] fds_https_start_server: source-ip: 0.0.0.0:0
[112] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[722] ssl_ctx_create_new_ex: SSL CTX is created
[749] ssl_new: SSL object is created
[80] https_create: proxy server 0.0.0.0 port:0
[968] ssl_connect: SSL_connect failes: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
[475] fds_https_connect: https_connect(208.91.113.184:443) failed: ssl_connect() failed: 6 (error:00000000:lib(0):func(0):reason(0)).
[202] __ssl_data_ctx_free: Done
[1013] ssl_free: Done
[194] __ssl_cert_ctx_free: Done
[1023] ssl_ctx_free: Done
[1004] ssl_disconnect: Shutdown
[217] fds_svr_default_on_error: message-controller: ip=208.91.113.184:443, reason=4
[234] fds_svr_default_on_error: message-controller: Conn failes 1/1
[254] fds_svr_default_on_error: message-controller: req-id=101, num_try=1, read=0, reason=4
[93] fds_mctrl_update_done: update task was not successful.

Verify the TLS version configured on the FortiGate:

config system global
(global) # show full-configuration | grep ssl-min
    set ssl-min-proto-version TLSv1-3    <-----
(global) # end

The TLS version can be modified in the global settings:

config system global
(global) # set ssl-min-proto-version TLSv1-2    <----- Modified from TLSv1-3 to TLSv1-2.
(global) # end

The SSL connection is established after modifying the TLS version:

[568] fds_https_start_server: server: 208.91.113.103:443
[569] fds_https_start_server: source-ip: 0.0.0.0:0
[112] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[722] ssl_ctx_create_new_ex: SSL CTX is created
[749] ssl_new: SSL object is created
[80] https_create: proxy server 0.0.0.0 port:0
[481] fds_https_connect: https_connect(208.91.113.103:443) is established.
[267] fds_svr_default_on_established: log-controller has connected to ip=208.91.113.103:443
[274] fds_svr_default_on_established: server-log-controller handles cmd-111
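When a FortiGate has a long forticldd capture, the relevant lines are easy to miss. The following script is an added example, not part of this article or of FortiOS: it parses forticldd debug lines of the `[nnn] function: message` shape, extracts the FortiCloud server each `https_connect` attempt targets, and flags the `tlsv1 alert protocol version` failure as a minimum-TLS-version mismatch that should be checked against `ssl-min-proto-version`. The two embedded captures are copied from the article's failing and successful outputs; the regular expressions and the `diagnose` verdict names are the example's own assumptions about the log format.

```python
import re

# Debug lines copied from the article: the failing connection (ssl-min-proto-version TLSv1-3)
# and the successful one after the change to TLSv1-2. Trimmed to the lines the parser needs.
FAILED_LOG = """\
[568] fds_https_start_server: server: 208.91.113.184:443
[968] ssl_connect: SSL_connect failes: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
[475] fds_https_connect: https_connect(208.91.113.184:443) failed: ssl_connect() failed: 6 (error:00000000:lib(0):func(0):reason(0)).
[217] fds_svr_default_on_error: message-controller: ip=208.91.113.184:443, reason=4
[93] fds_mctrl_update_done: update task was not successful.
"""

OK_LOG = """\
[568] fds_https_start_server: server: 208.91.113.103:443
[481] fds_https_connect: https_connect(208.91.113.103:443) is established.
[267] fds_svr_default_on_established: log-controller has connected to ip=208.91.113.103:443
"""

# Assumed line shape: "[<source line>] <function>: <message>"
LINE_RE = re.compile(r"^\[(?P<src>\d+)\]\s+(?P<func>\w+):\s*(?P<msg>.*)$")
# Assumed shape of the connect result line emitted by fds_https_connect
CONNECT_RE = re.compile(r"https_connect\((?P<server>[\d.]+:\d+)\)\s+(?P<result>is established|failed)")


def parse_events(text):
    """Split a forticldd capture into {src, func, msg} records, skipping non-matching lines."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append(m.groupdict())
    return events


def diagnose(text):
    """Return a verdict dict for one capture: which server was contacted, whether the
    HTTPS connection came up, the OpenSSL error string if any, and what to check next."""
    verdict = {"server": None, "status": "unknown", "ssl_error": None, "advice": None}
    for ev in parse_events(text):
        m = CONNECT_RE.search(ev["msg"])
        if m:
            verdict["server"] = m.group("server")
            verdict["status"] = "established" if m.group("result") == "is established" else "failed"
        # ssl_connect prints the OpenSSL error after "error:"; keep everything from there on
        if ev["func"] == "ssl_connect" and "SSL_connect" in ev["msg"]:
            msg = ev["msg"]
            verdict["ssl_error"] = msg.split("error:", 1)[1] if "error:" in msg else msg
    # A "protocol version" alert from the peer means no TLS version was acceptable to both
    # sides, which on FortiGate points at the global minimum TLS version setting.
    if verdict["status"] == "failed" and verdict["ssl_error"] and "alert protocol version" in verdict["ssl_error"]:
        verdict["status"] = "tls_version_mismatch"
        verdict["advice"] = ("Peer rejected the offered TLS version; run 'config system global' and "
                             "'show full-configuration | grep ssl-min' to review ssl-min-proto-version.")
    return verdict


if __name__ == "__main__":
    for name, capture in (("before", FAILED_LOG), ("after", OK_LOG)):
        print(name, diagnose(capture))
```

Feed `diagnose` the full output captured between `diagnose debug enable` and `diagnose debug disable`; it tolerates the timestamp-free form shown here, and any line that does not match the `[nnn] function:` pattern is ignored rather than treated as an error.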
Note: According to FortiGate Cloud Ver: 23.4.0, starting from FortiOS v7.0.14, v7.2.8, and v7.4.2, remote access with full permission (read and write) requires a registered FortiGate Cloud Service subscription on the FortiGate. Therefore, for free versions of FortiGate Cloud and for devices running FortiOS below v7.0.14, v7.2.8, or v7.4.2, remote access has read-only rights.