Solution

Symptoms: After attempting to refresh a device that went offline, FortiManager displays the following message: 'Failed to update device information'.

Analysis: On the FortiGate, run the following troubleshooting commands:

```
Branch1 (root) # diagnose debug application fgfmd -1
Branch1 (root) # diagnose debug enable
```

The debug output shows that the FortiGate cannot validate the certificate, with the error 'certificate is not yet valid':

```
Branch1 (root) # FGFMs: Create session 0xa1807b0.
FGFMs: setting session 0xa1807b0 exclusive=0
FGFMs: Connect to 192.168.1.223:541, local 192.168.1.99:3181.
FGFMs: set_fgfm_sni SNI<support.fortinet-ca2.fortinet.com>
FGFMs: Load Cipher [DHE-RSA-AES256-SHA256:AES256-SHA256:DHE-RSA-AES128-SHA256:AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:@STRENGTH]
FGFMs: Load TLS 1.3 Cipher [TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256]
FGFMs: before SSL initialization
FGFMs: CA to broadcast: subject fortinet-subca2003, issuer fortinet-ca2
FGFMs: CA to broadcast: subject support, issuer support
FGFMs: CA to broadcast: subject fortinet-ca2, issuer fortinet-ca2
FGFMs: CA to broadcast: subject fortinet-subca2001, issuer fortinet-ca2
FGFMs: Broadcast 4 CA subject names to FMG
FGFMs: SSLv3/TLS write client hello
FGFMs: SSLv3/TLS write client hello
FGFMs: SSLv3/TLS read server hello
FGFMs: SSLv3/TLS write change cipher spec
FGFMs: SSLv3/TLS write client hello
FGFMs: SSLv3/TLS write client hello
FGFMs: SSLv3/TLS read server hello
FGFMs: TLSv1.3 read encrypted extensions
FGFMs: SSLv3/TLS read server certificate request
FGFMs: Got 3 CA subject names from FMG broadcast
FGFMs: Remote CA subject is /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com.
FGFMs: issuer matching...try next if not match... local_issuer(support), remote_CA_subject(support)
FGFMs: CA issuer matched, local=remote=support, will use local certificate id 0
FGFMs: __clt_verify_callback: failed to verify cert 1 (subject support, issuer support), error (certificate is not yet valid)
FGFMs: SSL Alert write: fatal bad certificate
FGFMs: error
FGFMs: [__get_error:1043] error=1, errno=0,Success.
FGFMs: Cleanup session 0xa1807b0, 192.168.1.223.
FGFMs: Destroy session 0xa1807b0, 192.168.1.223.
FGFMs: Incoming ::ffff:192.168.1.223 local ::ffff:192.168.1.99.
FGFMs: Create session 0xa1807b0.
FGFMs: checking existing sessions...
FGFMs: set_fgfm_sni SNI<support.fortinet-ca2.fortinet.com>
FGFMs: Load Cipher [DHE-RSA-AES256-SHA256:AES256-SHA256:DHE-RSA-AES128-SHA256:AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:@STRENGTH]
FGFMs: Load TLS 1.3 Cipher [TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256]
FGFMs: before SSL initialization
FGFMs: CA to broadcast: subject fortinet-subca2003, issuer fortinet-ca2
FGFMs: CA to broadcast: subject support, issuer support
FGFMs: CA to broadcast: subject fortinet-ca2, issuer fortinet-ca2
FGFMs: CA to broadcast: subject fortinet-subca2001, issuer fortinet-ca2
FGFMs: Broadcast 4 CA subject names to FMG
FGFMs: SSLv3/TLS write client hello
FGFMs: SSLv3/TLS write client hello
FGFMs: SSLv3/TLS read server hello
FGFMs: SSLv3/TLS write change cipher spec
FGFMs: SSLv3/TLS write client hello
FGFMs: SSLv3/TLS write client hello
FGFMs: SSLv3/TLS read server hello
FGFMs: TLSv1.3 read encrypted extensions
FGFMs: SSLv3/TLS read server certificate request
FGFMs: Got 3 CA subject names from FMG broadcast
FGFMs: Remote CA subject is /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com.
FGFMs: issuer matching...try next if not match... local_issuer(support), remote_CA_subject(support)
FGFMs: CA issuer matched, local=remote=support, will use local certificate id 0
FGFMs: __clt_verify_callback: failed to verify cert 1 (subject support, issuer support), error (certificate is not yet valid)
FGFMs: SSL Alert write: fatal bad certificate
FGFMs: error
```

This is most probably because the NTP servers are not reachable, or because the time was set manually to a wrong value or left at the default.

```
Branch1 (global) # execute date
current date is: 2000-01-01
Branch1 (global) # execute time
current time is: 02:02:47
```

```
Branch1 (ntp) # show full
config system ntp
    set ntpsync disable
    set type fortiguard
    set syncinterval 60
    set source-ip 0.0.0.0
    set source-ip6 ::
    set server-mode enable
    set authentication disable
    set interface "fortilink"
end
```

```
Branch1 (global) # diagnose sys ntp status
synchronized: no, ntpsync: disabled, server-mode: enabled
ipv4 server(ntp2.fortiguard.com) unresolved -- unreachable(0xff) S:0 T:0
        no data
ipv4 server(ntp1.fortiguard.com) unresolved -- unreachable(0xff) S:0 T:0
        no data
```

Resolution: Ensure the NTP servers are reachable and check whether the date and time are set manually, making sure they match the timezone and settings on both the FortiManager and FortiGate.

Note: On v7.4.7 or v7.6.2, if the date and time are set manually, they might be lost after a reboot (see Known issues).
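
A triage helper for captures like the one above, added here as an example and not Fortinet code: it extracts the verify failures from the fgfmd debug text, compares the `execute date` output with a trusted reference date, and reports whether to fix the clock or the certificate. The function name, verdict labels, the `max_skew_days` threshold and the handling of 'certificate has expired' are assumptions.

```python
import re
from datetime import date

# Constructed sample: a few lines in the format of the debug output above,
# followed by the device's own idea of the date.
SAMPLE = """\
FGFMs: CA issuer matched, local=remote=support, will use local certificate id 0
FGFMs: __clt_verify_callback: failed to verify cert 1 (subject support, issuer support), error (certificate is not yet valid)
FGFMs: SSL Alert write: fatal bad certificate
FGFMs: __clt_verify_callback: failed to verify cert 1 (subject support, issuer support), error (certificate is not yet valid)
Branch1 (global) # execute date
current date is: 2000-01-01
"""

VERIFY_RE = re.compile(
    r"__clt_verify_callback: failed to verify cert (\d+) "
    r"\(subject ([^,]+), issuer ([^)]+)\), error \(([^)]+)\)")
DATE_RE = re.compile(r"current date is: (\d{4})-(\d{2})-(\d{2})")

# Verification errors whose outcome depends on the verifier's clock.
# Assumption: "certificate has expired" is logged in the same form.
TIME_ERRORS = {"certificate is not yet valid", "certificate has expired"}

def triage(text, reference_date, max_skew_days=1):
    """Return one finding per distinct verify failure in the captured text."""
    m = DATE_RE.search(text)
    device_date = date(*map(int, m.groups())) if m else None
    skew = (device_date - reference_date).days if device_date else None
    findings = []
    # dict.fromkeys() drops the repeats produced by each reconnect attempt.
    for cert, subject, issuer, error in dict.fromkeys(VERIFY_RE.findall(text)):
        if error not in TIME_ERRORS:
            verdict = "other"        # not a validity-period failure
        elif skew is None:
            verdict = "check-clock"  # no 'execute date' output in the capture
        elif abs(skew) > max_skew_days:
            verdict = "clock"        # fix time/NTP before touching certificates
        else:
            verdict = "certificate"  # clock is sane; inspect the validity dates
        findings.append({"cert": int(cert), "subject": subject,
                         "issuer": issuer, "error": error,
                         "verdict": verdict, "skew_days": skew})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE, reference_date=date.today()):
        print(finding)
```

Pass the date from a trusted clock as `reference_date`; a `clock` verdict means the certificate itself needs no change until time synchronization is restored.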