FortiGate
gpap_FTNT (Staff)
Article Id 189678

Description

 

This article describes troubleshooting steps for cases where a FortiGate cannot connect to FortiGuard servers because it has no direct internet access and reaches FortiGuard only through an upstream device (for example another FortiGate or a 3rd-party firewall).

 

Scope

 

FortiGate.

 

Solution

 

  1. Enable debugging for the update daemon by running the following:

 

diagnose debug reset

diagnose debug application update -1

diagnose debug console timestamp enable

diagnose debug enable

 

  2. Initiate an update query by running:

 

execute update-now

 

  3. Check the debug output. A certificate verification failure looks like this:

 

[357] __ssl_crl_verify_cb: Cert error 20, unable to get local issuer certificate. Depth 0
__upd_peer_vfy[331]-Server certificate failed verification. Error: 20 (unable to get local issuer certificate), depth: 0, subject: .
[967] ssl_connect: SSL_connect failes: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
ssl_connect_fds[389]-Failed SSL connecting (5,0,Success)

 

  4. Find the FortiGuard server IP address (it appears in the update debug output), start a packet capture for that host, and initiate another update request:

 

diag sniffer packet any 'host x.x.x.x' 6 0 l <----- Replace x.x.x.x with FortiGuard server IP address.

execute update-now

 

If VDOMs are enabled, run the sniffer from the management VDOM, because that is the VDOM that communicates with FortiGuard.

In the packet capture, look at the Server Certificate message of the TLS handshake.

The issue is caused by an upstream unit (such as another FortiGate or a 3rd-party firewall) replacing the certificate of the connection with one issued by its own inspection CA. Because the replacement certificate is not signed by any CA the local FortiGate trusts, certificate verification fails with error 20 (unable to get local issuer certificate) and the SSL handshake is aborted.


If the issue is caused by an upstream FortiGate, configure it so that the traffic from the local FortiGate to FortiGuard is not subject to 'deep inspection' (SSL/SSH inspection). Apply the equivalent exemption if a 3rd-party unit is intercepting the TLS session.
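As an added example (not part of the original article and not Fortinet's own configuration), this is what the exemption can look like on the upstream FortiGate: a dedicated firewall policy that matches the downstream FortiGate as source and applies the built-in 'certificate-inspection' profile, which validates the server certificate without re-signing it. The interface names port2/port1, the address 192.0.2.10 and the policy name are assumptions.

```fortios
# Added example for the upstream FortiGate, not code from the original article.
# Assumptions: the downstream FortiGate reaches this unit on port2 with source
# IP 192.0.2.10, and port1 is the internet-facing interface.

config firewall address
    edit "downstream-fortigate"
        set subnet 192.0.2.10 255.255.255.255
    next
end

config firewall policy
    edit 0
        set name "downstream-fgt-to-fortiguard"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "downstream-fortigate"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS" "DNS"
        set utm-status enable
        # certificate-inspection reads the SNI and the server certificate but
        # does not replace the certificate, so the real FortiGuard certificate
        # reaches the downstream FortiGate unchanged.
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
    next
end
```

Move the new policy above the general policy that uses deep inspection (under `config firewall policy`, `move <new-id> before <deep-inspection-id>`) so it matches first. If the downstream unit was switched to UDP port 8888, add a custom service for that port to the policy as well. Then run `execute update-now` on the downstream FortiGate again and confirm that the update debug output no longer reports error 20.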

If there is no upstream unit or any other device performing inspection and the issue persists, the local certificate bundle may be missing some public CA certificates, so the FortiGuard server certificate cannot be chained to a trusted root.

 


 

As a workaround, change the FortiGuard port to 8888 and the protocol to UDP. This is only possible after disabling 'anycast', because the anycast FortiGuard service uses HTTPS on port 443. Make sure the upstream device allows UDP port 8888 outbound from the FortiGate. Use the following commands:

 

config system fortiguard
    set fortiguard-anycast disable
    set port 8888
    set protocol udp
end


Note:
If the same error persists, revert to the anycast method: unset the changes made above under 'config system fortiguard' (port, protocol, and any sdns-server-ip override), then re-enable fortiguard-anycast.

config system fortiguard
  set fortiguard-anycast enable
end

Related articles:

Technical Tip: Unable to load FortiGuard DDNS server list

Technical Tip: Unable to connect to FortiGuard servers

Technical Tip: FortiGuard is not reachable via Anycast default method

Troubleshooting Tip: FortiGuard DDNS IP update fails