FortiClient
spoojary
Staff
Article Id 275271
Description This article describes how to resolve an EMS connector service disruption on a FortiGate caused by a mismatch between the certificate presented by the FortiClient EMS server and the EMS certificate previously trusted on the FortiGate.
Scope FortiGate, FortiClient EMS.
Solution

Problem:

A FortiGate with a FortiClient EMS Cloud connector displayed a certificate error: the certificate presented by the EMS server did not match the EMS certificate previously configured (trusted) on the FortiGate. The issue appeared after Fortinet sent a notification about a potential EMS connector service disruption because the certificate on the EMS Cloud instance was expiring.

 

Error Messages:

  1. Connection test had an error -4: Server certificate does not match previously configured EMS certificate.
  2. Error in requesting EMS fabric connection: -9901 issue in getting capabilities.

The connectivity test from the FortiGate CLI shows the first error:

diagnose endpoint fctems test-connectivity 1
Connection test had an error -4: Server certificate does not match previously configured EMS certificate.

 

Attempting to unverify and then re-verify the EMS connector from the FortiGate CLI gives the second error:

## Unverify ##
KMKC01ELIOTVPN01 # exec fctems unverify 1
FortiClient EMS certificate successfully unverified.

 

## Verify ##
KMKC01ELIOTVPN01 # exec fctems verify 1
Error in requesting EMS fabric connection: -9901
issue in getting capabilities. <
Error (-1@_perform_rest_api:238). (_get_capabilities,435)

Command fail. Return code -9999

 

Resolution:

  1. Check the DNS configuration:

    In this case the FortiGate's DNS servers were set to FortiGuard while anycast was disabled in the FortiGuard settings, a combination that left the FortiGate without working name resolution, so the EMS Cloud instance could not be reached.

  2. Change the DNS servers:

    Point the FortiGate at a resolver that is reachable from it, for example Google's public DNS servers 8.8.8.8 and 8.8.4.4 (or an internal resolver if policy requires one).

  3. Verify the FortiGuard updates:

    Force a FortiGuard update and confirm that it completes successfully:

exec update-now

 

  4. Confirm the contract expiry dates:
    Check that the Firmware & General Updates entitlement and the FortiClient EMS (FCEM) contract are valid and not expired:

 

diagnose test update info contract

 

  5. Verify the EMS configuration:
    Run the verification for the EMS connector (here connector 1):

 

exec fctems verify 1

 

After execution, the EMS server's certificate chain is displayed. Review it carefully before trusting it: the issuer, the subject, the validity period and the other certificate details must be what is expected for the EMS server.

 

  6. Trust the certificate:
    At the end of the verification the CLI prompts to confirm whether the displayed certificate should be added to the trusted remote certificates. Answer y only if the chain reviewed in the previous step is the expected one; this replaces the previously configured EMS certificate with the new one.
  7. Verify the connection status:

    After the certificate is trusted, the EMS connector should display as 'Connected' with a green status.

  8. Disable Windows Defender (on-premises EMS only):

    If the following timeout error is received and the steps above do not help, temporarily disable Windows Defender on the Windows Server hosting the EMS server to test whether it is blocking the FortiGate's connection. If that restores connectivity, re-enable Windows Defender and add an exception for the EMS server traffic rather than leaving endpoint protection off.

execute fctems verify <EMS name>
SCBGSPFW1 # execute fctems verify 1
Error in requesting EMS fabric connection: -1
issue in getting capabilities. EMS server was not reached (timeout)
Error (-1@_get_capabilities:446).

Command fail. Return code -9999

diagnose endpoint fctems test-connectivity <EMS name>
diagnose endpoint fctems test-connectivity 1
Connection test had an error -1: EMS server was not reached (timeout)

 

  9. If the EMS server is still not reachable, capture the traffic with the packet sniffer:

diagnose sniffer packet any "host <EMS IP address>" 4 0 l

    Check whether the traffic towards the EMS server leaves through the correct gateway and outgoing interface. If no packets are sent towards the EMS server, the route to it is missing: create a static route to the EMS server via the correct gateway and outgoing interface, after which the EMS server should be reachable.
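The -4 error above comes from a certificate pin: once 'exec fctems verify' is answered with y, the FortiGate stores the EMS server certificate and refuses a later connection whose certificate differs, which is exactly what a renewed EMS Cloud certificate triggers, and the pin has to be cleared with 'exec fctems unverify' before a new certificate can be trusted. The Python below is an added example, not Fortinet code, that models that pin, compare and re-trust flow and adds the certificate expiry check recommended in the Notes. The status strings, the in-memory pin store, the byte strings standing in for DER certificates in demo(), and the default port 443 in fetch_leaf_cert are assumptions for illustration; confirm the port against your EMS configuration.

```python
import hashlib
import socket
import ssl
import time
from typing import Dict, Optional, Tuple, Union

# Status labels modelled on the FortiGate messages quoted above.
# Assumption: these are this example's labels, not FortiGate's internal return codes.
STATUS_MATCH = "match"
STATUS_UNPINNED = "no pin stored; review the chain and trust it explicitly"
STATUS_MISMATCH = "server certificate does not match previously configured EMS certificate"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated upper-case hex."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def verify(store: Dict[str, str], ems_name: str, der: bytes, trust: bool = False) -> str:
    """Compare the presented certificate with the pin recorded for ems_name.

    store maps connector name -> pinned fingerprint (the "previously configured EMS
    certificate").  trust=True is the operator answering y to the trust prompt; it
    only pins when no pin exists, so a changed certificate is never silently
    accepted: the old pin must be removed with unverify() first.
    """
    presented = fingerprint(der)
    pinned = store.get(ems_name)
    if pinned is None:
        if trust:
            store[ems_name] = presented
            return STATUS_MATCH
        return STATUS_UNPINNED
    return STATUS_MATCH if pinned == presented else STATUS_MISMATCH


def unverify(store: Dict[str, str], ems_name: str) -> bool:
    """Drop the stored pin, like 'exec fctems unverify'. Returns True if a pin existed."""
    return store.pop(ems_name, None) is not None


def days_until_expiry(not_after: str, now: Union[float, str, None] = None) -> float:
    """Days left before not_after, given in the notAfter format used by OpenSSL and
    ssl.getpeercert(), e.g. 'Jun  4 11:49:26 2025 GMT'.  now may be an epoch float
    or a string in the same format; default is the current time.  Negative means expired."""
    expiry = ssl.cert_time_to_seconds(not_after)
    if now is None:
        now = time.time()
    elif isinstance(now, str):
        now = ssl.cert_time_to_seconds(now)
    return (expiry - now) / 86400.0


def fetch_leaf_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the EMS server's leaf certificate (DER) WITHOUT validating it.

    Validation is skipped on purpose so a mismatched or self-signed certificate can
    still be fetched and inspected before anyone decides to trust it.  Never reuse
    this context for real traffic.  Needs network access; port 443 is an assumption.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def demo() -> Tuple[str, str, str, str]:
    """Offline walk-through; the byte strings are constructed stand-ins for DER certs."""
    store: Dict[str, str] = {}
    old_cert = b"constructed stand-in for the original EMS certificate"
    new_cert = b"constructed stand-in for the renewed EMS certificate"
    first = verify(store, "1", old_cert)                  # nothing pinned yet
    verify(store, "1", old_cert, trust=True)              # operator reviewed chain, answered y
    steady = verify(store, "1", old_cert)                 # same certificate: fine
    renewed = verify(store, "1", new_cert, trust=True)    # renewed cert: the -4 case, pin blocks it
    unverify(store, "1")                                  # 'exec fctems unverify 1'
    retrusted = verify(store, "1", new_cert, trust=True)  # 'exec fctems verify 1' + y
    return first, steady, renewed, retrusted


if __name__ == "__main__":
    print(demo())
    print(round(days_until_expiry("Jun 19 12:00:00 2025 GMT", "May  5 12:00:00 2025 GMT")))
```

Run it as a script for the offline walk-through. For a live server, pass the bytes from fetch_leaf_cert(host) to verify(), and feed days_until_expiry() the notAfter value shown in the chain displayed by 'exec fctems verify' (or by openssl x509 -enddate) to get an early warning before the next renewal causes a mismatch.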

 

Notes:

  • Back up the original configuration before making any changes.
  • Check certificate expiry dates regularly to prevent unexpected disruptions when the EMS certificate is renewed.
  • Keep track of notifications from Fortinet about potential service disruptions or required updates.