bvata
Staff
Article Id 189908
Description
When a user tries to connect two FortiGates using a fabric connection, the connection between the two units cannot be established due to an unknown certificate error.

This article describes how to troubleshoot this error.

Troubleshooting commands:

# diagnose debug application csfd -1
# diagnose debug enable

Output:
<205> 04 nstd_send_pkt()-230
<205> 08 nstd_send_pkt()-253: queuing packet to 34.3.143.156:8013 type:a7 len:15 queu len:1
<205> 04 __nstd_send()-166
<205> 08 __nstd_send()-214: Sending. IS SSL:0 packet type:167 len:15 sent:15 pos:15
<205> 08 __nstd_remove_w_buf()-70: fgt: 34.3.143.156:8013 write queue len after delete:0
<205> 04 nstd_upstream_ssl_connect()-902
<205> 02 nstd_upstream_ssl_connect()-922: err: WANT_READ
<205> 04 nstd_upstream_ssl_connect_hd()-847
<205> 04 nstd_upstream_ssl_connect()-902
<205> 04 nstd_upstream_ssl_connect_ok()-856
<205> 04 nstd_send_hello()-371
<205> 04 nstd_send_pkt()-230
<205> 08 nstd_send_pkt()-253: queuing packet to 34.3.143.156:8013 type:1 len:35 queu len:1
<205> 04 __nstd_send()-166
<205> 08 __nstd_send()-214: Sending. IS SSL:1 packet type:1 len:35 sent:35 pos:35
<205> 08 __nstd_remove_w_buf()-70: fgt: 34.3.143.156:8013 write queue len after delete:0
<205> 04 nstd_recv_hd()-647
<205> 04 __nstd_recv()-636
<205> 02 __ssl_recv()-595: SSL recv error, err:1 ret=0 ssl=error:00000001:lib(0):func(0):reason(1) socket=Success
<205> 02 __ssl_recv()-596: ssl error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
This happens because the root FortiGate (the upstream link for the leaf) needs to trust the leaf FortiGate's 'Fortinet_CA' and 'Fortinet_Sub_Ca' certificates.
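
The following is an added example, not part of the original article or of any Fortinet tooling: a small parser that scans csfd debug output for the 'ssl error' line and decodes the OpenSSL error code, showing that a fatal TLS alert arrived from the upstream peer. It assumes the OpenSSL 1.x packed error layout (library, function, reason); the function names are hypothetical and the sample is four lines copied from the output above.

```python
import re

# Constructed sample: four lines copied from the debug output shown above.
SAMPLE = """\
<205> 08 nstd_send_pkt()-253: queuing packet to 34.3.143.156:8013 type:1 len:35 queu len:1
<205> 08 __nstd_send()-214: Sending. IS SSL:1 packet type:1 len:35 sent:35 pos:35
<205> 02 __ssl_recv()-595: SSL recv error, err:1 ret=0 ssl=error:00000001:lib(0):func(0):reason(1) socket=Success
<205> 02 __ssl_recv()-596: ssl error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
"""

# Certificate-related TLS alert descriptions (RFC 5246, section 7.2).
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}
ERR_LIB_SSL = 20             # OpenSSL library number for libssl
SSL_AD_REASON_OFFSET = 1000  # reason = 1000 + alert number when the peer sent the alert

PEER_RE = re.compile(r"(?:queuing packet to|fgt:) (\d+\.\d+\.\d+\.\d+:\d+)")
ERR_RE = re.compile(r"ssl error: error:([0-9A-Fa-f]{8}):[^:]*:([^:]*):(.*)")


def decode_openssl_error(code):
    """Split a packed OpenSSL 1.x error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def find_peer_alerts(text):
    """Return one finding per certificate-related TLS alert received from a peer."""
    findings, peer = [], None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            peer = m.group(1)  # remember the most recent upstream address
        m = ERR_RE.search(line)
        if not m:
            continue
        lib, _func, reason = decode_openssl_error(int(m.group(1), 16))
        alert = reason - SSL_AD_REASON_OFFSET
        if lib == ERR_LIB_SSL and alert in CERT_ALERTS:
            findings.append({"peer": peer, "alert": CERT_ALERTS[alert],
                             "openssl_func": m.group(2), "text": m.group(3).strip()})
    return findings


if __name__ == "__main__":
    for f in find_peer_alerts(SAMPLE):
        print(f"{f['peer']} sent TLS alert {f['alert']} ({f['text']})")
```

Reason 0x418 is 1048, that is alert 48 (unknown_ca) raised in ssl3_read_bytes, so the alert was sent by the upstream unit at 34.3.143.156:8013, which is why the certificates are imported on the root.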

Solution
1) Download Fortinet_CA and Fortinet_Sub_Ca from the leaf FortiGate.

2) Import Fortinet_CA and Fortinet_Sub_Ca on the root FortiGate.

3) Restart the csfd process: # dia test app csfd 99
