Ehanssen
Staff
May 7, 2025

Troubleshooting Tip: FortiZTP provisioning errors due to wrong region - 'Incomplete - Waiting for connection'

Description: This article describes why provisioning fails with an 'Incomplete - Waiting for connection' error.
Scope: FortiZTP 25.1.a (product page).
Solution

This article describes provisioning issues via FortiZTP where provisioning fails and the process is stuck in the state 'Incomplete - Waiting for connection' on the FortiZTP page.

When following the troubleshooting steps described in Provisioning FortiGate to FortiManager self-diagnosis, ping and telnet work, but the forticldd output shows the server as unknown and the debug throws the error message 'FGT internal error(-1)'.

Here is an example of such an output:

diagnose test application forticldd 3
Debug zone info:
    FAZCLOUD:
    Domain:
    Home log server: 0.0.0.0:0
    Alt log server: 0.0.0.0:0
    Active Server IP:      0.0.0.0
    Active Server status:  unknown
    Log quota:      0MB
    Log used:       0MB
    Daily volume:   0MB
    fams archive pause: 0
    APTContract : 0
    APT server: 0.0.0.0:0
    APT Altserver: 0.0.0.0:0
    Active APTServer IP:      0.0.0.0
    Active APTServer status:  unknown

diagnose debug disable
diagnose debug reset
diagnose debug application forticldd -1
diagnose debug enable
execute fortiguard-log join

[755] __tcps_ssl_connect: SSL connected.
[870] tcps_connect: 154.52.10.102:443 -- ret 0, state 0x12(SSL-Connecting) -> 0x5(Established)
[507] fds_https_connect: https_connect(154.52.10.102:443) is established.
[300] fds_svr_default_on_established: log-controller has connected to ip=154.52.10.102:443
[307] fds_svr_default_on_established: server-log-controller handles cmd-112
[126] fds_pack_objects: number of objects: 1
[96] fds_print_msg: FCPC: len=146
[103] fds_print_msg: Protocol=2.0
[103] fds_print_msg: Command=Account
[103] fds_print_msg: Firmware=FGT40F-FW-7.04-2702
[103] fds_print_msg: SerialNumber=FGT40FTK2xxxxxxx
[103] fds_print_msg: TimeZone=-7
[103] fds_print_msg: TimeZoneInMin=-420
[103] fds_print_msg: DataItem=Action:Join
[96] fds_print_msg: http req: len=259
[103] fds_print_msg: POST https://154.52.10.102:443/FCPService/Controller HTTP/1.1
[103] fds_print_msg: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
[103] fds_print_msg: Host: 154.52.10.102:443
[103] fds_print_msg: Cache-Control: no-cache
[103] fds_print_msg: Connection: close
[103] fds_print_msg: Content-Type: application/octet-stream
[103] fds_print_msg: Content-Length: 338
[511] fds_https_connect: http request to 154.52.10.102:443: header=259, ext=338.
[245] fds_https_send: sent 259 bytes: pos=0, len=259
[252] fds_https_send: 154.52.10.102:443: sent 259 byte header, now send 338-byte body
[245] fds_https_send: sent 338 bytes: pos=0, len=338
[260] fds_https_send: sent the entire request to server: 154.52.10.102:443
Failed: FGT internal error(-1)
Command fail. Return code 5

To stop the debugging, run the following:

diagnose debug disable
diagnose debug reset

The cause lies on the FortiGate Cloud page where the FortiGate is provisioned via FortiZTP: the FortiGate is deployed in the wrong region. If this issue is encountered, change the region from Global to the appropriate region (or vice versa) on the FortiGate Cloud page, and redeploy.
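When captures from several devices need triage, the symptom set above can be checked mechanically. The following is an added example, not Fortinet code: the function name triage_forticldd, the verdict strings and the abridged sample capture are assumptions built from the outputs shown in this article, and the result is a heuristic rather than a diagnosis.

```python
import re

# Constructed sample capture, abridged from the outputs shown in this article.
SAMPLE = """\
    Active Server IP:      0.0.0.0
    Active Server status:  unknown
[755] __tcps_ssl_connect: SSL connected.
[870] tcps_connect: 154.52.10.102:443 -- ret 0, state 0x12(SSL-Connecting) -> 0x5(Established)
[103] fds_print_msg: DataItem=Action:Join
[260] fds_https_send: sent the entire request to server: 154.52.10.102:443
Failed: FGT internal error(-1)
Command fail. Return code 5
"""

def triage_forticldd(capture: str) -> dict:
    """Check a saved forticldd capture for the symptom set described in this article."""
    # Anchored at line start so the 'Active APTServer' lines are not matched.
    status = re.search(r"^\s*Active Server status:\s*(\S+)", capture, re.M)
    server_ip = re.search(r"^\s*Active Server IP:\s*(\S+)", capture, re.M)
    findings = {
        "server_unknown": bool(status and status.group(1) == "unknown"),
        "server_ip_unset": bool(server_ip and server_ip.group(1) == "0.0.0.0"),
        # TLS came up, so basic reachability is not the problem.
        "tls_established": "SSL connected" in capture
                           and re.search(r"->\s*0x5\(Established\)", capture) is not None,
        # The Join request left the device in full.
        "join_sent": "DataItem=Action:Join" in capture
                     and "sent the entire request to server" in capture,
        "internal_error": "FGT internal error(-1)" in capture,
    }
    if all(findings.values()):
        verdict = "matches article: check FortiGate Cloud region (Global vs regional)"
    elif findings["internal_error"] and not findings["tls_established"]:
        verdict = "join failed before TLS was established: check connectivity first"
    elif not findings["internal_error"]:
        verdict = "no join failure in capture"
    else:
        verdict = "partial match: review capture manually"
    findings["verdict"] = verdict
    return findings

if __name__ == "__main__":
    for key, value in triage_forticldd(SAMPLE).items():
        print(f"{key}: {value}")
```

Feed it the combined text of `diagnose test application forticldd 3` and the join debug session saved from the device console.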