ekrishnan
Staff
Description

This article describes how to identify and solve a DNS issue while provisioning a free FortiToken.
Scope  
Solution

Sometimes, when assigning a FortiToken to users on FortiGate, the error message 'FortiCare Unreachable' appears.

 

One possible cause of this error is DNS being unable to resolve the hostname.

 

Ping the following hostnames from the FortiGate CLI:

 

# execute ping fds1.fortinet.com
# execute ping directregistration.fortinet.com

 

The ping fails with the message: 'unable to resolve hostname'.

 

Now run the debug commands below and, at the same time, ping the FQDN directregistration.fortinet.com on FortiGate.

 

# diag debug application dnsproxy -1

# diag debug enable

 

# execute ping directregistration.fortinet.com

 

The DNS debug output will look similar to the following.

 

Output from DNS debug:

 

last_tx=0 ftg_last_tx=0 domain=directregistration.fortinet.com (orig id: 0x0000 local id:0x0000 active)
[worker 0] dns_send_request()-1302
[worker 0] dns_query_get_local_id()-352: Cannot find local id (number of queries: 18)

 

- 'Cannot find local id' in the output means the DNS proxy is not releasing the local-ID resource.

 

To resolve:

 

Restart DNS proxy using the below command:

 

# diag test application dnsproxy 99

 

Once the DNS proxy daemon has been restarted, run the ping again. This time the ping should succeed, and the FortiTokens can then be provisioned to the intended users.
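
A saved capture of the dnsproxy debug output can be checked offline for the 'Cannot find local id' condition described above. The following Python sketch is an added example, not Fortinet code; the function names, and the assumption that each error line follows the `domain=` line of the query it belongs to, are assumptions of this example inferred from the sample output in this article.

```python
import re
from collections import defaultdict

# Patterns follow the three sample debug lines in the article; other FortiOS
# builds may format dnsproxy debug output differently (assumption).
DOMAIN_RE = re.compile(r"\bdomain=(\S+)")
LOCAL_ID_RE = re.compile(
    r"dns_query_get_local_id\(\)-\d+: Cannot find local id "
    r"\(number of queries: (\d+)\)"
)

# Constructed capture: the first three lines are the article's sample, the
# last three are made up in the same format for a second hostname.
SAMPLE_CAPTURE = """\
last_tx=0 ftg_last_tx=0 domain=directregistration.fortinet.com (orig id: 0x0000 local id:0x0000 active)
[worker 0] dns_send_request()-1302
[worker 0] dns_query_get_local_id()-352: Cannot find local id (number of queries: 18)
last_tx=0 ftg_last_tx=0 domain=fds1.fortinet.com (orig id: 0x0000 local id:0x0000 active)
[worker 0] dns_send_request()-1302
[worker 0] dns_query_get_local_id()-352: Cannot find local id (number of queries: 19)
"""

def find_local_id_failures(debug_text):
    """Map each queried domain to its 'Cannot find local id' failures."""
    results = defaultdict(lambda: {"failures": 0, "max_queries": 0})
    current_domain = None
    for raw in debug_text.splitlines():
        line = raw.strip()
        domain = DOMAIN_RE.search(line)
        if domain:
            current_domain = domain.group(1)  # later lines belong to this query
            continue
        failure = LOCAL_ID_RE.search(line)
        if failure:
            # An error seen before any domain= line is kept, not dropped.
            entry = results[current_domain or "<unknown>"]
            entry["failures"] += 1
            entry["max_queries"] = max(entry["max_queries"], int(failure.group(1)))
    return dict(results)

def summarize(debug_text):
    """Return one line per affected domain, or a single all-clear line."""
    hits = find_local_id_failures(debug_text)
    if not hits:
        return ["no 'Cannot find local id' errors in capture"]
    return [f"{d}: {h['failures']} failure(s), number of queries up to {h['max_queries']}"
            for d, h in sorted(hits.items())]

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_CAPTURE)))
```

Any domain listed in the summary is a candidate for the DNS proxy restart described in this article.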
