bvagadia
Staff
Article Id 205109
Description This article describes how to troubleshoot FortiCare showing as unreachable while assigning tokens to a user.
Scope FortiGate.
Solution

Make sure that the unit has a default route configured and has available tokens:

 

  1. The FortiGate can reach the Internet by IP. Pick the IP address of a publicly available DNS server and ping it from the FortiGate CLI:

exec ping 8.8.8.8

 

Output sample:

execute ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=50 time=17.3 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=50 time=17.3 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=50 time=17.3 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=50 time=17.4 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=50 time=17.4 ms
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 17.3/17.3/17.4 ms

 

  2. The FortiGate can resolve FQDNs:

exec ping directregistration.fortinet.com
PING directregistration.fortinet.com (63.137.229.3): 56 data bytes
64 bytes from 63.137.229.3: icmp_seq=0 ttl=45 time=162.4 ms
64 bytes from 63.137.229.3: icmp_seq=1 ttl=45 time=162.2 ms
^C
--- directregistration.fortinet.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 162.1/162.2/162.4 ms

 

execute ping fortitokenmobile.fortinet.com
PING fortitokenmobile.fortinet.com (208.91.113.27): 56 data bytes
64 bytes from 208.91.113.27: icmp_seq=0 ttl=45 time=164.3 ms
64 bytes from 208.91.113.27: icmp_seq=1 ttl=45 time=163.6 ms
^C
--- fortitokenmobile.fortinet.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 163.6/163.9/164.3 ms

 

If this test fails, the problem is DNS related.

Try a different DNS server until the names resolve.

If SD-WAN is in use, change the setting so that the outgoing interface is selected on the basis of SD-WAN.
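The two checks above can also be applied to a saved CLI transcript. The following Python script is an added example, not Fortinet code: it parses `execute ping` output in the format shown above and reports which step failed. The sample transcript is constructed, and treating a missing `PING host (ip)` header as a failed name resolution is an assumption.

```python
import re

# Hostnames the article pings in step 2.
FQDNS = ("directregistration.fortinet.com", "fortitokenmobile.fortinet.com")
CMD = re.compile(r"exec(?:ute)? ping (\S+)")
PING_HDR = re.compile(r"^PING \S+ \((\d+\.\d+\.\d+\.\d+)\)")
STATS = re.compile(r"(\d+) packets transmitted, (\d+) packets received")

# Constructed transcript (not from the article): step 1 passes, one FQDN
# does not resolve. The error line's wording is assumed and is never parsed.
SAMPLE = """\
execute ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=50 time=17.3 ms
--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
execute ping directregistration.fortinet.com
PING directregistration.fortinet.com (63.137.229.3): 56 data bytes
--- directregistration.fortinet.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
execute ping fortitokenmobile.fortinet.com
Unable to resolve hostname.
"""


def parse_pings(transcript):
    """Return {target: {"resolved": ip or None, "received": replies}}."""
    results, current = {}, None
    for line in transcript.splitlines():
        line = line.strip()
        if m := CMD.search(line):
            current = m.group(1)
            results[current] = {"resolved": None, "received": 0}
        elif current and (m := PING_HDR.match(line)):
            results[current]["resolved"] = m.group(1)
        elif current and (m := STATS.search(line)):
            results[current]["received"] = int(m.group(2))
    return results


def triage(transcript, dns_ip="8.8.8.8"):
    """Map ping results onto the article's step 1 (route) and step 2 (DNS)."""
    r = parse_pings(transcript)
    if r.get(dns_ip, {}).get("received", 0) == 0:
        return "step 1 failed or not run: check the default route"
    # Assumption: no "PING host (ip)" header means the name did not resolve.
    unresolved = [h for h in FQDNS if r.get(h, {}).get("resolved") is None]
    if unresolved:
        return "step 2 failed or not run (DNS): " + ", ".join(unresolved)
    return "steps 1 and 2 passed"
```

A name that resolves but returns no replies still counts as resolved here, because step 2 tests DNS rather than ICMP reachability.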

 

If step 2 fails, contact Fortinet Technical Support after collecting the output below, and provide the exact serial number(s) of the FortiToken(s) experiencing the issue.

 

Run these commands in the FortiGate CLI or in the CLI Console in the GUI:

 

diagnose debug reset
diagnose debug application forticldd -1
diagnose fortitoken debug enable
diagnose fortitoken info
diagnose debug enable

 

Note:

If the FortiGate is configured in multi-VDOM mode, the management VDOM must have a default route to the Internet, and the commands must be run from the management VDOM context.

For example, on the FortiGate-6000F, 7000E, and 7000F series, the management VDOM is called 'mgmt-vdom':

 

FGT-7000 [FIM01] # config vdom
FGT-7000 [FIM01] (vdom) # edit mgmt-vdom
FGT-7000 [FIM01] (mgmt-vdom) # show router static
config router static
    edit 1
        set gateway 10.x.x.x
        set device <MGMT-INTERFACE-NAME>
    next
end

FGT-7000 [FIM01] (mgmt-vdom) # execute ping 8.8.8.8
FGT-7000 [FIM01] (mgmt-vdom) # execute ping directregistration.fortinet.com
FGT-7000 [FIM01] (mgmt-vdom) # execute ping fortitokenmobile.fortinet.com

Related articles:

Troubleshooting Tip: FortiCare unreachable