barisben
New Member
May 1, 2026
Question

SSL error. (-3) Error FGT and FAZ Connection

  • May 1, 2026
  • 3 replies
  • 191 views

Hey, I've added more than five FortiGate devices with the same firmware version to the newly deployed FortiAnalyzer (using the default certificates, without adding any custom certificate) and did not experience any issues. However, when I try to add one more FortiGate I receive an SSL error (-3). The FortiGate devices that I was able to add and the one that I can't add all have the same remote CA certificates. There is no connection issue between them, by the way; traffic is flowing both ways.

msanjaypadma
Staff
May 1, 2026

Hi @barisben,

  • Could you please verify the PMTU for the transit path between the FortiGate device and FAZ?

  • What are the current firmware versions for both the FortiGate and FAZ?

  • Is the certificate bundle on the FortiGate up to date?
    → You can confirm this by executing the command: # dia autoupdate version

  • Could you please specify which default certificate you are currently using?

  • Verify the output of this command:
    # get vpn certificate local details Fortinet_Factory | grep CN

    → Verify whether the CN field matches the current device serial number.
    → If it shows CN "FortiGate" and the FortiGate is hosted on cloud/VM, refer to the article below to fix this issue.

  • Could you export the Fortinet_CA certificate from the FAZ and import it into the FortiGate?

If you have found a solution, please like and mark it as solved to make it easily accessible for everyone.

Thanks,
Mayur Padma

barisben (Author)
New Member
May 1, 2026

  • FortiGate versions → 7.2.11, FortiAnalyzer version → 7.4.10
  • MTU and MSS are all the same as on the ones that can connect
  • Certificate bundle says Result → No Update, so it is up to date
  • FortiAnalyzer uses its own certificate with its serial number and CA Fortinet_CA.
  • CN is my FortiGate's serial number, so there is no problem with it.
  • It's already imported into the FortiGate; when I try to import it, it says it's already imported.

msanjaypadma
Staff
May 2, 2026

Hi @barisben,

Could you take a sniffer packet capture and initiate the FAZ connection?
# dia sniffer packet any "host x.x.x.x" 6 0 a

Or try from the GUI.

Thanks,
Mayur Padma

kaman
Staff
May 3, 2026

Hi barisben,

If it's FortiAnalyzer Cloud, then try to modify the FortiAnalyzer Cloud logging configuration as below and check the behaviour afterwards:

config log fortianalyzer-cloud setting
    set status enable
    set ssl-min-proto-version TLSv1-3
end

If the connection between the FortiGate and FortiAnalyzer is down and you get the error 'Failed to get FAZ's status. SSL error. (-3)':

Take a sniffer capture for the FortiAnalyzer IP and check the connection, and see if the capture shows that FortiAnalyzer is sending RST back to the FortiGate.

diagnose sniffer packet <Interface> 'host <FortiAnalyzer_IP> and port 514' 4 0 l

Enable reliability in the FortiAnalyzer settings.

config log fortianalyzer setting
    set reliable enable
end

Make sure to verify whether any certificate has been assigned, and check the certificate on both FortiAnalyzer and FortiGate to confirm they have the same one and that it is valid.

If one of the certificates is missing between FortiAnalyzer and FortiGate, download the certificate from the unit that has the certificate and import it into the unit that does not have the certificate. To clarify further, the Local CA certificates of FortiAnalyzer should match the FortiGate Remote CA Certificate section.

Please refer to the document below for more information:

https://community.fortinet.com/fortigate-3/technical-tip-connectivity-issue-between-fortigate-and-fortianalyzer-ssl-error-103765


If you have found a solution, please like and accept it to make it easily accessible to others.


Regards,
Aman
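As an added example (not from this thread or from Fortinet), a small Python script that reads pasted output of the sniffer command above and reports, per FortiGate-to-FAZ flow, whether the FortiAnalyzer sent an RST back, which is the check Aman describes. The sample lines and the addresses 10.0.0.10 (FortiGate) and 10.0.0.20 (FAZ) are constructed.

```python
import re
from collections import defaultdict

# Constructed sample (not a real capture) in the shape of the FortiGate sniffer output from
# `diagnose sniffer packet port1 'host 10.0.0.20 and port 514' 4 0 l`;
# 10.0.0.10 is the FortiGate and 10.0.0.20 the FortiAnalyzer (both addresses assumed).
SAMPLE_CAPTURE = """\
0.000000 port1 out 10.0.0.10.45210 -> 10.0.0.20.514: syn 1000
0.001200 port1 in 10.0.0.20.514 -> 10.0.0.10.45210: syn 5000 ack 1001
0.001300 port1 out 10.0.0.10.45210 -> 10.0.0.20.514: ack 5001
0.002000 port1 out 10.0.0.10.45210 -> 10.0.0.20.514: psh 1001 ack 5001
0.003500 port1 in 10.0.0.20.514 -> 10.0.0.10.45210: rst 5001 ack 1290
1.000000 port1 out 10.0.0.10.45211 -> 10.0.0.20.514: syn 2000
1.001200 port1 in 10.0.0.20.514 -> 10.0.0.10.45211: syn 6000 ack 2001
1.001300 port1 out 10.0.0.10.45211 -> 10.0.0.20.514: ack 6001
"""

# One packet header per line: "<ts> <intf> <in|out> <src>.<sport> -> <dst>.<dport>: <flags> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s*(?P<flags>.*)$"
)


def parse_capture(text):
    """Return one dict per packet header line; lines that do not match (hex dumps, noise) are skipped."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def classify_flows(text, faz_ip):
    """Group packets by the FortiGate-side socket and report how each flow to the FAZ ended:
    'rst-from-faz' (FAZ tore the session down, here right after the first data segment, so
    the TLS/certificate layer is suspect), 'no-reply' (nothing came back: path, filtering or
    MTU), or 'established' (FAZ answered and never reset within the capture)."""
    flows = defaultdict(list)
    for pkt in parse_capture(text):
        fgt = (pkt["dst"], pkt["dport"]) if pkt["src"] == faz_ip else (pkt["src"], pkt["sport"])
        flows["%s:%s" % fgt].append(pkt)
    verdicts = {}
    for key, pkts in flows.items():
        # First token of the flags field is the primary TCP flag (syn, ack, psh, fin, rst).
        faz_flags = [(p["flags"].split() or [""])[0] for p in pkts if p["src"] == faz_ip]
        if "rst" in faz_flags:
            verdicts[key] = "rst-from-faz"
        elif not faz_flags:
            verdicts[key] = "no-reply"
        else:
            verdicts[key] = "established"
    return verdicts
```

Paste the real sniffer output in place of SAMPLE_CAPTURE and call classify_flows(text, "<FortiAnalyzer_IP>"); a flow that ends in 'rst-from-faz' points at the certificate and TLS checks in this thread rather than at reachability.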

Anthony_E
Staff
May 4, 2026

Hi,

I see that there is already a solution provided in this post for the same error:

Regards,
Anthony

barisben (Author)
New Member
May 4, 2026

Hey, not solving mine.

msanjaypadma
Staff
May 4, 2026

Hi @barisben,

As per the last communication, you have shared the PCAP; I could see the RSH packet from the FortiGate to FAZ being sent.
It's only a one-sided packet capture, I believe taken on the FortiGate only.

Could you please confirm whether the FAZ received this packet? This can be confirmed by taking the same sniffer capture on the FAZ.

  1. If the FAZ receives this packet, then collect FAZ debug logs as mentioned in the article below.
  2. Can you try the ping test below:

     To confirm the MTU size for FortiGate traffic forwarded to FortiAnalyzer, execute the following commands on the FortiGate CLI:

     execute ping-options df-bit yes -> do not fragment ICMP packet.
     execute ping-options data-size 1472 -> ICMP will add 8 bytes for the ICMP header.
     execute ping x.x.x.x -> where x.x.x.x is the FortiAnalyzer IP.

     If there was packet loss, change the data size to 1470/1400/1350/1320/1312 and verify at which data size value there was no packet loss.

Thanks,
Mayur Padma