Description
This article describes how to remedy the tunnel-down indication with FortiGate Cloud.
Scope
FortiGate Cloud.
Solution
Management Tunnel Down means the unit is not connected to the FortiCloud manager server. For example:
The following configuration is required on the FortiGate side for the tunnel to work:
config system central-management
set type fortiguard <---
end
Verify also that the FortiGate is logged in to the correct FortiCloud account:
If all the information has been verified and the configuration above is correct, alternatively, it is possible to change the update server location from automatic to either usa or eu under the FortiGuard setting:
config system fortiguard
set update-server-location [automatic | usa | eu] <---
end
automatic FortiGuard servers chosen based on closest proximity to FortiGate unit.
usa FortiGuard servers in United States.
eu FortiGuard servers in the European Union.
If SD-WAN is used for the WAN connection, try specifying the interface select method to SD-WAN.
config system fortiguard
set interface-select-method sdwan
end
If the management tunnel is still down, then try to change the encryption to 'default' under central-management settings. By default, the enc-algorithm is set to high.
config system central-management
set enc-algorithm default <---
end
After making the change, restart the forticldd process, which is the FortiCloud process:
fnsysctl killall forticldd
Also, check if there is an upstream firewall that could block/inspect outbound traffic from FortiGate to FortiGate Cloud.
Expected Scenarios in which FortiGate will show offline in FortiGate Cloud:
- The device is active in a different region: If an administrator in FortiGate GUI logs out of FortiGate Cloud, and then re-activates the FortiGate Cloud connection to a different region, the device will show offline in the previous region.
- Secondary FortiGate in HA cluster: Only the primary FortiGate in an HA cluster will attempt to connect to FortiGate Cloud. A secondary FortiGate is expected to show Offline.
Note:
If having an 'Unable to connect to FortiGuard Servers' error on the FortiGate, solve that first by referring to this article: Troubleshooting Tip: Unable to connect to FortiGuard servers.
If the FortiGate was never able to login to FortiGate Cloud, no entry will show in the FortiGate Cloud portal. In that case, troubleshoot FortiGate Cloud activation and ensure valid source-ip and interface are configured in the 'config log fortiguard setting'. See the article 'FortiGate Cloud activation failed'.
If the issue persists, create a Technical Support ticket of type FortiGate/FortiGate Cloud through the Support Portal.
Related articles:
Technical Tip: Remote Access to FortiGate not working from FortiGate Cloud
Technical Tip: FortiGate is showing inactive in FortiGate Cloud
Technical Tip: FortiGate slave unit shows management tunnel is down message in FortiCloud
