spathak
Staff
February 3, 2025

Troubleshooting Tip: How to fix a connectivity issue between FortiGate and FortiManager/FortiAnalyzer caused by MSS

Description: This article describes a case where an MSS value can cause a connectivity issue between FortiGate and FortiManager/FortiAnalyzer and how to fix it.
Scope: FortiGate, FortiManager, FortiAnalyzer.
Solution

When configuring FortiManager under Central Management, FortiGate shows the error 'Verify FortiManager Serial Number'.

[Screenshot: the 'Verify FortiManager Serial Number' error]

To troubleshoot this error, TCP port 541 (the FGFM management port) must be allowed across the network; reachability can be verified with telnet over port 541.

On FortiGate:

To confirm the reachability to FortiManager over port 541, run the following command:

execute telnet <FMG_IP> 541

If FortiGate can connect to FortiManager on port 541, the next step is to analyze the traffic with a sniffer on port 541.

Open two PuTTY sessions, one to FortiGate and one to FortiManager, and run the following sniffers simultaneously.

On FortiGate:

diagnose sniffer packet any "host <FortiManager_IP> and port 541" 3 0

On FortiManager:

diagnose sniffer packet any "host <FortiGate_IP> and port 541" 6 0

Run the following commands on FortiManager to enable debugging of the FGFM daemon (fgfmsd):

These debug commands collect detailed logs of FortiManager-to-FortiGate communication, including policy package and object installation processing and the validation responses returned by FortiGate. The output helps identify failures such as installation timeouts, object conflicts, database mismatches, or management tunnel communication errors.

diagnose debug reset
diagnose debug application fgfmsd -1
diagnose debug timestamp enable
diagnose debug enable

To generate traffic from FortiGate to FortiManager, go to Security Fabric -> Fabric Connectors -> Central Management (FortiManager) on FortiGate and select OK.

Analyze the TCP three-way handshake and look at the MSS value advertised in the SYN and SYN-ACK. The MSS leaving FortiGate must be unchanged when it arrives at FortiManager, and vice versa; that is, the MSS must not be clamped anywhere in the network path.

If the MSS value changes in transit (MSS clamped), the result may be multiple retransmissions, and the connection is eventually dropped.
During FortiGate-FortiManager debugging, the following error may be observed: 'Connection was interrupted. sockevents[-1] sslerr[1]'.
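To make the MSS comparison concrete, the following is an added Python example, not code from the article or from Fortinet: it extracts the MSS option from a raw TCP SYN header (such as one decoded from the sniffer output above) and flags a mismatch between the value seen leaving FortiGate and the value seen arriving at FortiManager. The SYN headers it uses are constructed sample input, not real captures.

```python
import struct


def tcp_mss(tcp_segment: bytes):
    """Return the MSS advertised in a TCP segment's options, or None.

    tcp_segment starts at the TCP header (no Ethernet/IP header in front).
    MSS (option kind 2) is only meaningful on segments with the SYN flag set.
    """
    if len(tcp_segment) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (tcp_segment[12] >> 4) * 4      # header length in bytes
    flags = tcp_segment[13]
    if not flags & 0x02:                           # SYN flag not set
        return None
    opts = tcp_segment[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                              # End of option list
            break
        if kind == 1:                              # NOP padding, no length byte
            i += 1
            continue
        if i + 1 >= len(opts):
            break
        length = opts[i + 1]
        if length < 2:                             # malformed length, stop parsing
            break
        if kind == 2 and length == 4:
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return None


def build_syn(mss: int, sport: int = 10000, dport: int = 541) -> bytes:
    """Constructed SYN header carrying one MSS option (sample input only)."""
    # 20-byte header: data offset 6 words (header + 4 option bytes), flags = SYN
    header = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    return header + struct.pack("!BBH", 2, 4, mss)  # kind=2, len=4, MSS value


def mss_clamped(sent: bytes, received: bytes):
    """Compare the MSS of a SYN as sent by one end with the same SYN as received
    by the other end. Returns (clamped, sent_mss, received_mss)."""
    sent_mss, received_mss = tcp_mss(sent), tcp_mss(received)
    return (sent_mss != received_mss, sent_mss, received_mss)
```

If `mss_clamped` reports True, a device in the path is rewriting the MSS, which is the condition this article describes.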

[Screenshot: MSS values in the captured TCP handshake]

In this scenario, try setting the tcp-mss value to 1300 on the FortiGate interface that communicates with FortiManager.

On FortiGate:

config system interface
    edit <interface name>
        set tcp-mss 1300
    next
end

Then re-configure FortiManager under Central Management: Security Fabric -> Fabric Connectors -> Central Management (FortiManager) -> Select OK.

Related articles:
Troubleshooting Tip: How to troubleshoot connectivity issues between FortiGate and FortiManager
Technical Tip: Behavior of TCP-MSS setting under system interface
Technical Tip: Setup custom certificate for FGFM protocol