FortiGate
bvata
Staff
Article Id 189908

Description


This article describes a case where two FortiGates being joined over a Security Fabric connection cannot establish the connection because the TLS session between the two units fails with an unknown certificate authority error.


It also describes how to troubleshoot and resolve this error.

 

Scope

 

FortiGate.

Troubleshooting commands (run on the downstream FortiGate, the unit that initiates the connection to the upstream/root unit):

 

diagnose debug application csfd -1
diagnose debug enable

 

Output (here 34.3.143.156 is the upstream FortiGate, reached on TCP port 8013):

 

<205> 04 nstd_send_pkt()-230
<205> 08 nstd_send_pkt()-253: queuing packet to 34.3.143.156:8013 type:a7 len:15 queu len:1
<205> 04 __nstd_send()-166
<205> 08 __nstd_send()-214: Sending. IS SSL:0 packet type:167 len:15 sent:15 pos:15
<205> 08 __nstd_remove_w_buf()-70: fgt: 34.3.143.156:8013 write queue len after delete:0
<205> 04 nstd_upstream_ssl_connect()-902
<205> 02 nstd_upstream_ssl_connect()-922: err: WANT_READ
<205> 04 nstd_upstream_ssl_connect_hd()-847
<205> 04 nstd_upstream_ssl_connect()-902
<205> 04 nstd_upstream_ssl_connect_ok()-856
<205> 04 nstd_send_hello()-371
<205> 04 nstd_send_pkt()-230
<205> 08 nstd_send_pkt()-253: queuing packet to 34.3.143.156:8013 type:1 len:35 queu len:1
<205> 04 __nstd_send()-166
<205> 08 __nstd_send()-214: Sending. IS SSL:1 packet type:1 len:35 sent:35 pos:35
<205> 08 __nstd_remove_w_buf()-70: fgt: 34.3.143.156:8013 write queue len after delete:0
<205> 04 nstd_recv_hd()-647
<205> 04 __nstd_recv()-636
<205> 02 __ssl_recv()-595: SSL recv error, err:1 ret=0 ssl=error:00000001:lib(0):func(0):reason(1) socket=Success
<205> 02 __ssl_recv()-596: ssl error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca

 

The downstream unit completes the TLS connection to the upstream FortiGate at 34.3.143.156:8013, sends its hello packet, and then receives a TLS alert 'unknown ca' from the peer (the alert is logged by ssl3_read_bytes, i.e. it was sent by the other side). The alert comes from the root: it validated the certificate presented by the downstream FortiGate and found no trusted CA that issued it. The root FortiGate (the upstream of the leaf in the Security Fabric) therefore needs to trust the leaf's 'Fortinet_CA' and 'Fortinet_Sub_Ca' certificates.

Solution

 

  1. Download Fortinet_CA and Fortinet_Sub_Ca from the leaf (downstream) FortiGate.

 
  2. Import Fortinet_CA and Fortinet_Sub_Ca on the root FortiGate as trusted CA certificates.
 
 
  3. Restart the csfd process so that the newly imported CA certificates are used:

 

diagnose test application csfd 999
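The following script is an added illustration, not part of the Fortinet article and not FortiOS code. It reproduces the trust problem behind the 'unknown ca' alert with a toy certificate chain built with openssl: a leaf unit's root CA, intermediate CA and device certificate, and a "root unit" trust store that first holds only its own CA and then, after the import in step 2, also holds the leaf's two CAs. The names (toy_Fortinet_CA, toy_Fortinet_Sub_Ca, toy_root_unit_CA, leaf-fortigate) are assumptions, and `openssl verify` stands in for the validation the root FortiGate performs during the TLS handshake on port 8013; a real unit uses its CA certificate store, not a PEM bundle.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): show why the root unit must
# hold the leaf's Fortinet_CA and Fortinet_Sub_Ca before it can accept the
# leaf's device certificate. All names below are toy/assumed values.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# CA extensions applied to every CA certificate we mint (root and intermediate).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext

# 1. The leaf FortiGate's chain: root CA -> intermediate CA -> device certificate.
openssl req -newkey rsa:2048 -nodes -subj "/CN=toy_Fortinet_CA" \
    -keyout leaf_ca.key -out leaf_ca.csr 2>/dev/null
openssl x509 -req -days 365 -in leaf_ca.csr -signkey leaf_ca.key \
    -extfile ca.ext -out leaf_ca.pem 2>/dev/null

openssl req -newkey rsa:2048 -nodes -subj "/CN=toy_Fortinet_Sub_Ca" \
    -keyout leaf_sub.key -out leaf_sub.csr 2>/dev/null
openssl x509 -req -days 365 -in leaf_sub.csr -CA leaf_ca.pem -CAkey leaf_ca.key \
    -CAcreateserial -extfile ca.ext -out leaf_sub.pem 2>/dev/null

# The certificate the leaf presents when it connects upstream (csfd, TCP 8013).
openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf-fortigate" \
    -keyout device.key -out device.csr 2>/dev/null
openssl x509 -req -days 365 -in device.csr -CA leaf_sub.pem -CAkey leaf_sub.key \
    -CAcreateserial -out device.pem 2>/dev/null

# 2. The root unit's trust store BEFORE the fix: only its own (unrelated) CA.
openssl req -newkey rsa:2048 -nodes -subj "/CN=toy_root_unit_CA" \
    -keyout root_ca.key -out root_ca.csr 2>/dev/null
openssl x509 -req -days 365 -in root_ca.csr -signkey root_ca.key \
    -extfile ca.ext -out root_ca.pem 2>/dev/null
cp root_ca.pem trust_before.pem

# 3. The trust store AFTER importing the leaf's Fortinet_CA and Fortinet_Sub_Ca.
cat root_ca.pem leaf_ca.pem leaf_sub.pem > trust_after.pem

# Validate the leaf's device certificate against a given trust store, the way
# the root unit does for the TLS client certificate. Returns 0 only when the
# full issuing chain is trusted; otherwise the root would send "unknown ca".
verify_leaf_cert() {   # $1 = trust store PEM file in $WORK
    openssl verify -no-CApath -no-CAfile -CAfile "$WORK/$1" "$WORK/device.pem" 2>/dev/null \
        | grep -q ': OK$'
}

verify_leaf_cert trust_before.pem && echo "before import: trusted" \
    || echo "before import: unknown CA, root would send the TLS alert"
verify_leaf_cert trust_after.pem && echo "after import: trusted" \
    || echo "after import: unknown CA, root would send the TLS alert"
```

The first check fails and the second succeeds, which is exactly the before/after of steps 1 and 2; on a real root FortiGate the imported CAs are only picked up by csfd once it is restarted (step 3).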