Description
This article explains troubleshooting steps for cases where FortiGate cannot connect to FortiGuard servers and does not have direct access to the internet.
Scope
FortiGate v5.4, v5.6, v6.0, v6.2, v6.4.
Solution
First, troubleshoot the connection with a debug log:
# diag debug application update -1
# diag debug enable
# exec update-now
Note the following output:
[357] __ssl_crl_verify_cb: Cert error 20, unable to get local issuer certificate. Depth 0
__upd_peer_vfy[331]-Server certificate failed verification. Error: 20 (unable to get local issuer certificate), depth: 0, subject: .
[967] ssl_connect: SSL_connect failes: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
ssl_connect_fds[389]-Failed SSL connecting (5,0,Success)
In the packet capture:
The issue is caused by another upstream unit (such as another FortiGate or 3rd party firewall) replacing the certificate of the connection. Because the replacement certificate is unknown to the local FortiGate, the SSL Handshake fails.
If the issue is caused by an upstream FortiGate, configure it to not perform 'deep inspection' of the traffic going to the local FortiGate. Use a similar process if the problem is caused by a 3rd party unit.
Related Articles:
Technical Tip: Unable to load FortiGuard DDNS server list
Technical Tip: Unable to connect to FortiGuard servers
Technical Tip: FortiGuard is not reachable via Anycast default method
