Description
This article describes how to remedy the tunnel-down indication with FortiGate Cloud.
Scope
FortiGate Cloud.
Solution
'Management Tunnel Down' means the unit has not established its management connection to the FortiCloud management server, so FortiGate Cloud shows the device as offline even though the FortiGate itself may be fully operational.
The following configuration is required on the FortiGate side for the tunnel to work:
config system central-management
set type fortiguard <---
end
Also verify that the FortiGate is logged in to the correct FortiCloud account: the device only appears in the portal of the account it was activated with.
If the configuration above is correct and the tunnel is still down, it is also possible to change the update server location from automatic to either usa or eu under the FortiGuard settings:
config system fortiguard
set update-server-location [automatic | usa | eu] <---
end
automatic: FortiGuard servers chosen based on closest proximity to the FortiGate unit.
usa: FortiGuard servers in the United States.
eu: FortiGuard servers in the European Union.
If the WAN connection is an SD-WAN member, try setting the interface selection method to SD-WAN so that FortiGuard and FortiCloud traffic follows the SD-WAN rules instead of the default egress interface:
config system fortiguard
set interface-select-method sdwan
end
If the management tunnel is still down, try changing the encryption algorithm setting to 'default' under the central-management settings. The enc-algorithm setting is 'high' (high-strength ciphers only) unless it has been changed; 'default' additionally permits medium-strength ciphers, so treat this as a troubleshooting step and record the change.
config system central-management
set enc-algorithm default <---
end
After making the change, enable debugging for forticldd (the FortiCloud daemon) and then restart the process so that the reconnection attempt is captured in the debug output:
diagnose debug reset
diagnose debug application forticldd -1
diagnose debug enable
fnsysctl killall forticldd
In the debug output, a connection error such as the following can be observed:
[408] ocsp_resp_cb: FATAL: Status checking failed due to missing OCSP/CRL
[1060] ssl_connect: SSL_connect failes: error:141BA126:SSL routines:tls_process_initial_server_flight:ocsp callback failure
[504] fds_https_connect: https_connect(173.243.132.25:443) failed: ssl_connect() failed: 0 (error:00000000:lib(0):func(0):reason(0)).
[668] fds_https_stop_server: 173.243.132.25:443
[206] __ssl_data_ctx_free: Done
[1105] ssl_free: Done
[198] __ssl_cert_ctx_free: Done
[1115] ssl_ctx_free: Done
[1096] ssl_disconnect: Shutdown
This error means the FortiGate could not validate the revocation status (OCSP/CRL) of the FortiGuard server certificate during the TLS handshake, so the connection to the anycast server is aborted. With this error, apply the following configuration and restart the FortiCloud process. Disabling anycast moves the unit to the legacy (non-anycast) FortiGuard servers; the protocol and port settings only take effect when anycast is disabled:
config system fortiguard
set fortiguard-anycast disable
set protocol udp
set port 8888
end
To restart the FortiCloud process, use the following command:
fnsysctl killall forticldd
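The debug capture above has a regular '[line] function: message' shape, which makes it practical to triage many captures the same way. The following Python script is an added example by the editor, not Fortinet code: it parses forticldd debug lines, recognises the OCSP status failure and the generic TLS or HTTPS connect failures, and maps each verdict to the CLI steps given in this article. The sample capture is constructed from the excerpt quoted above; the mapping of the non-OCSP verdicts to the earlier enc-algorithm and interface-select-method steps is the editor's suggested ordering, not something the debug output proves.

```python
"""Triage a forticldd debug capture and map it to this article's remediation.

Added example (editor's code, not Fortinet's). Input is the output of
'diagnose debug application forticldd -1'; output is a verdict plus the CLI
steps quoted in the article for that verdict.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the debug excerpt quoted in this article, trimmed.
SAMPLE_DEBUG = """\
[408] ocsp_resp_cb: FATAL: Status checking failed due to missing OCSP/CRL
[1060] ssl_connect: SSL_connect failes: error:141BA126:SSL routines:tls_process_initial_server_flight:ocsp callback failure
[504] fds_https_connect: https_connect(173.243.132.25:443) failed: ssl_connect() failed: 0 (error:00000000:lib(0):func(0):reason(0)).
[668] fds_https_stop_server: 173.243.132.25:443
[206] __ssl_data_ctx_free: Done
[1105] ssl_free: Done
"""

# "[408] ocsp_resp_cb: FATAL: ..." -> daemon source line, function, message
LINE_RE = re.compile(r"^\[(?P<lineno>\d+)\]\s+(?P<func>\w+):\s*(?P<msg>.*)$")
TARGET_RE = re.compile(r"https_connect\((?P<host>[\d.]+):(?P<port>\d+)\)")


@dataclass(frozen=True)
class DebugEvent:
    lineno: int
    func: str
    msg: str


def parse_forticldd(text: str) -> list[DebugEvent]:
    """Keep only lines in the daemon's '[n] func: msg' format; CLI echo is ignored."""
    events: list[DebugEvent] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append(DebugEvent(int(m["lineno"]), m["func"], m["msg"]))
    return events


def diagnose(events: list[DebugEvent]) -> tuple[str, list[str]]:
    """Return (verdict, failed_targets); the most specific cause wins."""
    targets: list[str] = []
    ocsp = tls = connect = False
    for e in events:
        if e.func == "fds_https_connect" and "failed" in e.msg:
            connect = True
            t = TARGET_RE.search(e.msg)
            if t:
                targets.append(f"{t['host']}:{t['port']}")
        # The OCSP callback aborts the handshake before any FDS data is exchanged.
        if e.func == "ocsp_resp_cb" and "FATAL" in e.msg:
            ocsp = True
        if e.func == "ssl_connect" and "ocsp callback failure" in e.msg:
            ocsp = True
        elif e.func == "ssl_connect" and "SSL_connect fail" in e.msg:
            tls = True
    if ocsp:
        return "ocsp_status_failure", targets
    if tls:
        return "tls_handshake_failure", targets
    if connect:
        return "https_connect_failure", targets
    return "no_connect_failure_seen", targets


# CLI quoted in this article, keyed by verdict. Disabling anycast makes the
# protocol/port settings take effect and moves the unit to the legacy
# FortiGuard servers over UDP/8888. The two non-OCSP mappings are the
# editor's suggested ordering of the article's earlier steps.
REMEDIATION: dict[str, list[str]] = {
    "ocsp_status_failure": [
        "config system fortiguard",
        "    set fortiguard-anycast disable",
        "    set protocol udp",
        "    set port 8888",
        "end",
        "fnsysctl killall forticldd",
    ],
    "tls_handshake_failure": [
        "config system central-management",
        "    set enc-algorithm default",
        "end",
        "fnsysctl killall forticldd",
    ],
    "https_connect_failure": [
        "# No TLS reached the server: check routing and upstream firewalls, then",
        "config system fortiguard",
        "    set interface-select-method sdwan",
        "end",
        "fnsysctl killall forticldd",
    ],
}


def remediation_for(verdict: str) -> list[str]:
    """CLI steps for a verdict; unknown verdicts get a re-capture hint."""
    return REMEDIATION.get(
        verdict, ["# No connection failure in capture; re-run the debug while the tunnel is down."]
    )


if __name__ == "__main__":
    verdict, targets = diagnose(parse_forticldd(SAMPLE_DEBUG))
    print(f"verdict={verdict} failed_targets={targets}")
    print("\n".join(remediation_for(verdict)))
```

Run it against a capture saved from the CLI session; an 'https_connect_failure' verdict with no OCSP or TLS lines means the handshake never started and points at routing or an upstream filter rather than at the certificate check.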
Also check whether an upstream firewall or proxy is blocking or SSL-inspecting outbound traffic from the FortiGate to FortiGate Cloud; a device that re-signs the TLS session presents a certificate the FortiGate did not expect and can produce handshake failures like the one above.
Expected Scenarios in which FortiGate will show offline in FortiGate Cloud:
- The device is active in a different region: If an administrator in FortiGate GUI logs out of FortiGate Cloud, and then re-activates the FortiGate Cloud connection to a different region, the device will show offline in the previous region.
- Secondary FortiGate in HA cluster: Only the primary FortiGate in an HA cluster will attempt to connect to FortiGate Cloud. A secondary FortiGate is expected to show Offline.
Note:
If the FortiGate shows an 'Unable to connect to FortiGuard Servers' error, solve that first by referring to this article: Troubleshooting Tip: Unable to connect to FortiGuard servers
If the FortiGate was never able to log in to FortiGate Cloud, no entry will show in the FortiGate Cloud portal. In that case, troubleshoot FortiGate Cloud activation and ensure that a valid source-ip and interface are configured under 'config log fortiguard setting'.
See the article Troubleshooting Tip: 'FortiGate Cloud activation failed'.
If the issue persists, create a Technical Support ticket of type FortiGate/FortiGate Cloud through the Support Portal.
Related articles:
Technical Tip: Remote Access to FortiGate not working from FortiGate Cloud
Technical Tip: FortiGate is showing inactive in FortiGate Cloud
Technical Tip: FortiGate slave unit shows management tunnel is down message in FortiCloud