kgeorge
Staff
Article Id 415546
Description

This article describes how to troubleshoot and resolve the issue of FortiGate not communicating with the FortiClient EMS server, with the Connection status showing 'EMS unreachable'. The error occurs when the FortiGate is unable to establish a connection with the FortiClient EMS server.

Scope

FortiGate, FortiClient EMS.

Solution

There can be a situation where, after integrating FortiGate with FortiClient EMS, FortiGate shows up on the FortiClient EMS side as Authorized; however, the FortiClient EMS Connection status on FortiGate still shows 'EMS Unreachable' in the Fabric Connector.

The Connection status intermittently alternates between 'EMS unreachable' and 'Connected', and 'execute fctems verify' shows a different error each time it is run.

Test the connectivity between FortiGate and EMS using the following command:

diagnose endpoint fctems test-connectivity <EMS name>

The following are some sample outputs of 'execute fctems verify <EMS name>'.

Error in requesting EMS fabric connection: -1
issue in getting capabilities. EMS server was not reached (timeout)
Error (-1@_get_capabilities:446).

Error in requesting EMS fabric connection: -1
Issue in verifying certificate: EMS server was not reached (timeout)
Error (-1@ec_ems_get_server_cert:732).

In such cases, FortiGate and the FortiClient EMS server appear to be reachable from each other, and basic connectivity checks between them, such as ping and telnet, succeed.

Verify whether there are any intermediary devices between FortiGate and FortiClient EMS. In some scenarios, L3 switches act as the gateway between these devices.

If an MTU size is configured on those intermediary devices, the issue above can be observed, because packets exceeding that MTU can be dropped in transit. Adjusting the MTU of the FortiGate exit interface to match the MTU of those intermediary devices resolves the issue.
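As an added example (not part of the original article), the following FortiGate CLI sequence confirms a path MTU problem toward the EMS server and then applies the MTU adjustment described above. The interface name port1, the EMS address 10.10.10.20, the EMS connector name EMS_NAME and the MTU value 1400 are assumed placeholders to be replaced with values from the environment.

```fortios
# Added example: confirm a path MTU problem toward the EMS server, then
# align the FortiGate exit interface MTU with the intermediary device.
# port1, 10.10.10.20, EMS_NAME and 1400 are placeholders, not article values.

# 1. Send full-size, non-fragmentable ICMP probes from the FortiGate.
#    data-size is the ICMP payload: 1472 + 28 bytes of IP/ICMP headers = 1500.
execute ping-options df-bit yes
execute ping-options data-size 1472
execute ping 10.10.10.20
#    Timeouts (or an error reporting that fragmentation is needed) mean a
#    smaller MTU exists on the path. Lower data-size step by step until
#    replies succeed; the largest payload that succeeds plus 28 is the
#    usable path MTU.
execute ping-options data-size 1372
execute ping 10.10.10.20
execute ping-options reset

# 2. Capture traffic to the EMS server while the connector retries;
#    repeated retransmissions of large packets confirm the drop.
diagnose sniffer packet any 'host 10.10.10.20' 4

# 3. Set the exit interface MTU to the value learned in step 1
#    (mtu-override must be enabled before mtu can be changed).
config system interface
    edit port1
        set mtu-override enable
        set mtu 1400
    next
end

# 4. Re-test the Fabric connection using the EMS name shown in the connector.
diagnose endpoint fctems test-connectivity EMS_NAME
execute fctems verify EMS_NAME
```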

Involve the support team of the intermediary device's vendor to check its logs and packet captures for blocked or dropped sessions.

For instance, if the L3 switch is an Arista device, the support details are available on the official contact page below:

Arista Customer Support