Skip to main content
A
Anonymous_User
Contributor
June 15, 2006
Question

Can not connect to update servers

  • June 15, 2006
  • 2 replies
  • 6886 views
Hi, I am having problems getting the Fortigate to update. First I had a dns problem which was easy to solve: 
 Thu Jun 15 21:56:11 2006 upd_cfg.c[57] upd_cfg_get_host_by_name-Failed to gethostbyname for fds1.fortinet.com  Thu Jun 15 21:57:11 2006 upd_comm.c[501] upd_comm_connect_fds-Failed TCP connect
Using the right DNS server helped. now it says it can' t connect to the update servers: 
 Thu Jun 15 22:16:50 2006 upd_daemon.c[142] do_setup-Starting SETUP  Thu Jun 15 22:17:50 2006 upd_comm.c[501] upd_comm_connect_fds-Failed TCP connect  Thu Jun 15 22:17:50 2006 upd_act.c[159] upd_act_setup-Failed connecting to 206.191.24.180:443  Thu Jun 15 22:18:54 2006 upd_comm.c[501] upd_comm_connect_fds-Failed TCP connect  Thu Jun 15 22:18:54 2006 upd_act.c[159] upd_act_setup-Failed connecting to 212.95.252.127:443  Thu Jun 15 22:19:56 2006 upd_comm.c[501] upd_comm_connect_fds-Failed TCP connect  Thu Jun 15 22:19:56 2006 upd_act.c[159] upd_act_setup-Failed connecting to 217.26.196.37:443
I tried sniffing on the traffic but it returned nothing except my attempts from a local host(using telnet) to see if that could get through: 
 Fortigate-3000 # diagnose sniffer packet any " host  206.191.24.180 or host 65.61.202.129 or host 212.95.252.127 or host 217.26.196.37 or host 64.69.90.228 or host 65.39.139.195"   interfaces=[any]  filters=[host  206.191.24.180 or host 65.61.202.129 or host 212.95.252.127 or host 217.26.196.37 or host 64.69.90.228 or host 65.39.139.195]  nr=8192,fr=1680,b_nr=4096,pg=4096  88.379541 10.95.250.87 -> 64.69.90.228: icmp: echo request  214.004079 10.95.250.87.1271 -> 64.69.90.228.443: syn 1657467624  214.004118 80.80.15.20.45935 -> 64.69.90.228.443: syn 1657467624  214.179886 64.69.90.228.443 -> 80.80.15.20.45935: syn 2861662659 ack 1657467625  214.179905 64.69.90.228.443 -> 10.95.250.87.1271: syn 2861662659 ack 1657467625  214.179911 64.69.90.228.443 -> 10.95.250.87.1271: syn 2861662659 ack 1657467625
We have public IP networks on both the internal and external side, so I was wondering which IP the fortigate would use to connect from(the external ip?). Could any firewall rule block the attempt? Maybe blocked traffic does not show up in the sniffer? I was thinking about logging all blocked traffic in the firewall rules but we have rather many networks, so it would be nice to figure out which IP the fortigate uses when contacting the outside world. Any ideas?

    2 replies

    A
    Anonymous_UserAuthor
    Contributor
    June 15, 2006
    Here' s some more logs: 
      Fortigate-3000 $ diag test update info      Logs: idx=61  Thu Jun 15 22:36:27 2006 upd_act.c[237] upd_act_update-Failed connecting to 64.69.90.228:443  Thu Jun 15 22:37:29 2006 upd_comm.c[501] upd_comm_connect_fds-Failed TCP connect  Thu Jun 15 22:37:29 2006 upd_act.c[237] upd_act_update-Failed connecting to 65.39.139.195:443  Thu Jun 15 22:37:29 2006 upd_daemon.c[221] do_update-UPDATE failed  Thu Jun 15 22:37:29 2006 upd_daemon.c[609] upd_daemon-Received ring request  Thu Jun 15 22:37:29 2006 upd_daemon.c[296] do_ring-Starting RING  Thu Jun 15 22:38:29 2006 upd_comm.c[501] upd_comm_connect_fds-Failed TCP connect  Thu Jun 15 22:38:29 2006 upd_act.c[93] upd_act_ring-Failed connecting to 206.191.24.180:443  Thu Jun 15 22:39:30 2006 upd_comm.c[501] upd_comm_connect_fds-Failed TCP connect  Thu Jun 15 22:39:30 2006 upd_act.c[93] upd_act_ring-Failed connecting to 217.26.196.37:443  Thu Jun 15 22:40:32 2006 upd_comm.c[501] upd_comm_connect_fds-Failed TCP connect  Thu Jun 15 22:40:32 2006 upd_act.c[93] upd_act_ring-Failed connecting to 65.61.202.129:443  Thu Jun 15 22:41:36 2006 upd_comm.c[501] upd_comm_connect_fds-Failed TCP connect  Thu Jun 15 22:41:36 2006 upd_act.c[93] upd_act_ring-Failed connecting to 64.69.90.228:443  Thu Jun 15 22:42:38 2006 upd_comm.c[501] upd_comm_connect_fds-Failed TCP connect  Thu Jun 15 22:42:38 2006 upd_act.c[93] upd_act_ring-Failed connecting to 65.39.139.195:443  Thu Jun 15 22:42:38 2006 upd_daemon.c[300] do_ring-Failed ring  Thu Jun 15 22:42:38 2006 upd_daemon.c[142] do_setup-Starting SETUP  Thu Jun 15 22:43:38 2006 upd_comm.c[501] upd_comm_connect_fds-Failed TCP connect  Thu Jun 15 22:43:38 2006 upd_act.c[159] upd_act_setup-Failed connecting to 212.95.252.127:443  Thu Jun 15 22:44:42 2006 upd_comm.c[501] upd_comm_connect_fds-Failed TCP connect  Thu Jun 15 22:44:42 2006 upd_act.c[159] upd_act_setup-Failed connecting to 206.191.24.180:443  Thu Jun 15 22:45:43 2006 upd_comm.c[501] upd_comm_connect_fds-Failed TCP connect  Thu Jun 15 22:45:43 2006 upd_act.c[159] upd_act_setup-Failed connecting to 217.26.196.37:443  Thu Jun 15 22:46:46 2006 upd_comm.c[501] upd_comm_connect_fds-Failed TCP connect  Thu Jun 15 22:46:46 2006 upd_act.c[159] upd_act_setup-Failed connecting to 64.69.90.228:443  Thu Jun 15 22:47:47 2006 upd_comm.c[501] upd_comm_connect_fds-Failed TCP connect  Thu Jun 15 22:47:47 2006 upd_act.c[159] upd_act_setup-Failed connecting to 65.39.139.195:443  Thu Jun 15 22:47:47 2006 upd_daemon.c[159] do_setup-Failed setup  Thu Jun 15 22:47:47 2006 upd_daemon.c[253] do_virus_report-Starting VIRUS REPORT  Thu Jun 15 22:48:47 2006 upd_comm.c[501] upd_comm_connect_fds-Failed TCP connect  Thu Jun 15 22:48:47 2006 upd_act.c[452] upd_act_virus_stat-Failed connecting to 212.95.252.127:443  Thu Jun 15 22:49:50 2006 upd_comm.c[501] upd_comm_connect_fds-Failed TCP connect  Thu Jun 15 22:49:50 2006 upd_act.c[452] upd_act_virus_stat-Failed connecting to 65.61.202.129:443  Thu Jun 15 22:50:54 2006 upd_comm.c[501] upd_comm_connect_fds-Failed TCP connect  Thu Jun 15 22:50:54 2006 upd_act.c[452] upd_act_virus_stat-Failed connecting to 206.191.24.180:443  Thu Jun 15 22:51:57 2006 upd_comm.c[501] upd_comm_connect_fds-Failed TCP connect  Thu Jun 15 22:51:57 2006 upd_act.c[452] upd_act_virus_stat-Failed connecting to 64.69.90.228:443  Thu Jun 15 22:52:58 2006 upd_comm.c[501] upd_comm_connect_fds-Failed TCP connect  Thu Jun 15 22:52:58 2006 upd_act.c[452] upd_act_virus_stat-Failed connecting to 65.39.139.195:443  Thu Jun 15 22:52:58 2006 upd_daemon.c[267] do_virus_report-Failed virus report  Thu Jun 15 22:52:58 2006 upd_daemon.c[639] upd_daemon-Received update now request  Thu Jun 15 22:52:58 2006 upd_daemon.c[208] do_update-Starting now UPDATE (final try)  Thu Jun 15 22:53:58 2006 upd_comm.c[501] upd_comm_connect_fds-Failed TCP connect  Thu Jun 15 22:53:58 2006 upd_act.c[237] upd_act_update-Failed connecting to 206.191.24.180:443  Thu Jun 15 22:54:59 2006 upd_comm.c[501] upd_comm_connect_fds-Failed TCP connect  Thu Jun 15 22:54:59 2006 upd_act.c[237] upd_act_update-Failed connecting to 212.95.252.127:443  Thu Jun 15 22:56:01 2006 upd_comm.c[501] upd_comm_connect_fds-Failed TCP connect  Thu Jun 15 22:56:01 2006 upd_act.c[237] upd_act_update-Failed connecting to 217.26.196.37:443  Thu Jun 15 22:57:03 2006 upd_comm.c[501] upd_comm_connect_fds-Failed TCP connect  Thu Jun 15 22:57:03 2006 upd_act.c[237] upd_act_update-Failed connecting to 64.69.90.228:443  Thu Jun 15 22:58:07 2006 upd_comm.c[501] upd_comm_connect_fds-Failed TCP connect  Thu Jun 15 22:58:07 2006 upd_act.c[237] upd_act_update-Failed connecting to 65.39.139.195:443  Thu Jun 15 22:58:07 2006 upd_daemon.c[221] do_update-UPDATE failed  Thu Jun 15 22:58:07 2006 upd_daemon.c[609] upd_daemon-Received ring request  Thu Jun 15 22:58:07 2006 upd_daemon.c[296] do_ring-Starting RING  Thu Jun 15 22:59:08 2006 upd_comm.c[501] upd_comm_connect_fds-Failed TCP connect  Thu Jun 15 22:59:08 2006 upd_act.c[93] upd_act_ring-Failed connecting to 212.95.252.127:443  Thu Jun 15 23:00:11 2006 upd_comm.c[501] upd_comm_connect_fds-Failed TCP connect  Thu Jun 15 23:00:11 2006 upd_act.c[93] upd_act_ring-Failed connecting to 206.191.24.180:443  Thu Jun 15 23:01:12 2006 upd_comm.c[501] upd_comm_connect_fds-Failed TCP connect  Thu Jun 15 23:01:12 2006 upd_act.c[93] upd_act_ring-Failed connecting to 217.26.196.37:443  Thu Jun 15 23:02:16 2006 upd_comm.c[501] upd_comm_connect_fds-Failed TCP connect  Thu Jun 15 23:02:16 2006 upd_act.c[93] upd_act_ring-Failed connecting to 64.69.90.228:443    Object versions: 02080000AVDB00099065300606151017                   02080000NIDS00010023000606151002                   02080000RLDB00000000000101010000                   00000000FCNI00000000000000000000                   00000000FDNI00000000000000000000                   00000000FSCI00000000000000000000                   02080000AVEN00200020020601261145                   02080000AVEN00100010000504051628                   02080000PRXY00500010110504051628                   02080000PRXY00300010110504051628                   02080000PRXY00400010110504051628                   02080000PRXY00100010110504051628                   02080000PRXY00200010110504051628                   02080000NIDS00100010000504051630                   02080000NIDS00200010000504051630    FDS List: 212.095.252.127:443 tz=0            206.191.024.180:443 tz=0            217.026.196.037:443 tz=0            064.069.090.228:443 tz=128            065.039.139.195:443 tz=128    Setup done once: no  Next setup retry: Thu Jun 15 23:02:25 2006    Next sched update: Thu Jun 15 23:19:00 2006  Next update retry: none    Next virus report: Thu Jun 15 23:59:48 2006    Ring         counters: pass=000000 fail=000002  Setup        counters: pass=000000 fail=010725  Update       counters: pass=000000 retry_fail=007234 final_fail=003620  Virus report counters: pass=000000 fail=003273 empty_stats=000000        Fortigate-3000 $    
      Fortigate-3000 $ diag sys autoupdate status  FDN availability:  unavailable  Push update:       enabled  Push availability: unknown  Scheduled update: enabled          Update every:   1 hours at 19 minutes after the hour  Virus definitions update: enable  IDS definitions update: enable  Server override: disabled  Push address override: disabled  Web proxy tunneling: disabled      
      Fortigate-3000 $ diag sys autoupdate versions  AV Engine  ---------  Version: 2.002  Contract Expiry Date: Tue Jul 27 01:00:00 2010  Last Update Attempt: Thu Jun 15 22:58:07 2006  Result: Connectivity failure    Virus Definitions  ---------  Version: 6.530  Contract Expiry Date: Tue Jul 27 01:00:00 2010  Last Update Attempt: Thu Jun 15 22:58:07 2006  Result: Connectivity failure    Attack Definitions  ---------  Version: 2.300  Contract Expiry Date: Tue Jul 27 01:00:00 2010  Last Update Attempt: Thu Jun 15 22:58:07 2006  Result: Connectivity failure    IPS Attack Engine  ---------  Version: 1.000  Contract Expiry Date: Tue Jul 27 01:00:00 2010  Last Update Attempt: Thu Jun 15 22:58:07 2006  Result: Connectivity failure    Spam Definitions  ---------  Version: 0.000  Contract Expiry Date: n/a  Last Update Attempt: Thu Jun 15 22:58:07 2006  Result: Connectivity failure      Fortigate-3000 $
    A
    Anonymous_UserAuthor
    Contributor
    June 15, 2006
    A third thing, from the inside, I can ping the external ip of the firewall at 80.80.15.20 and the default gw for the firewall at 80.80.15.17 but the firewall does not get a response when pinging these from the CLI. I feel that I must mention that the traffic to to internet does work . It just seems like the firewall itself, cant go to the internet.
    RickP
    RickP
    New Member
    June 16, 2006
    To get my updates to work, I have to switch communication to the alternate port (8888) from the default of 53 and it worked fine. Not sure if that would make a difference in your case but it' s an easy thing to try...
    Terms & ConditionsAccessibility statement