tonylin1
Staff
Article Id 423475
Description This article describes how to fix the issue when the FortiClient EMS server connection fails because the server is not compatible.
Scope FortiOS v7.4.9.
Solution

Check that the FortiClient EMS and FortiOS are compatible via the following link: FortiClient Windows, macOS, Linux Compatibility with FortiClient EMS.

 

Below is the error shown in the CLI:

 

diagnose test application fcnacd 2
EMS context status:


FortiClient EMS number 1:
name(id): EMS(1) confirmed: yes
is global: true
interface vdom: root
fetched-serial-number: FCTEMSxxxxxxxxxx
fetched-tenant-id: 00000000000000000000000000000000
user-data:
verified capabilities: true
verified identity: true
interface-selection-method: 0
verify-peer-method: 3
ztna-public-key:0x7f97b692b2e0
Websocket status: connected, oif: 0

 

execute fctems verify 1
Error in requesting EMS fabric connection: -5
issue in getting capabilities. EMS server connection failed because the server is not compatible. received https code 500
Error (-1@_get_capabilities:461).

 

Run the fcnacd debug:

 

diagnose debug application fcnacd -1

diagnose debug enable

.......................

2025-11-25 13:00:13 [ec_ez_worker_process:400] Processing call for obj-id: 0, entry: "api/v1/system/serial_number"
2025-11-25 13:00:13 [_update_obj_stats:365] Storing (0, EMS, 17)
2025-11-25 13:00:13 [ec_ez_worker_process:458] Call completed with failure.
obj-id: 0, desc: "REST API to get EMS Serial Number.", entry: "api/v1/system/serial_number".
error info: Error (-1@__generic_process_result_ex:205). Error: http code 500

 

The issue is related to the 'preserve-ssl-session' option in the EMS configuration. This option determines whether fcnacd reuses an SSL session for communication with EMS. Currently, when the cached SSL session is reused, fcnacd sends a PSK instead of a certificate chain for verification, and EMS does not support PSK for most of its APIs. As a result, the connection fails when 'preserve-ssl-session' is enabled.

 

To solve the issue, first disable the option:

 

config endpoint-control fctems
    edit <id>
        set preserve-ssl-session disable
    next
end

 

If the problem persists, remove the Fabric EMS connector and reconfigure a new entry that includes the above command.

To test the connectivity, run the command below:

 

diagnose endpoint fctems test-connectivity 1
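
The following Python sketch is an added example, not Fortinet code and not part of the original article. It checks a saved configuration excerpt and an fcnacd debug capture for the combination described above: EMS REST calls failing with HTTP 500 while 'preserve-ssl-session' is enabled. The sample inputs, the entry names and the function names are constructed for illustration.

```python
import re
# Constructed sample of a saved "config endpoint-control fctems" section (names are made up).
SAMPLE_CONFIG = """\
config endpoint-control fctems
    edit 1
        set name "EMS"
        set preserve-ssl-session enable
    next
    edit 2
        set name "EMS-lab"
    next
end
"""
# Constructed capture, using the fcnacd debug line format shown in the article.
SAMPLE_DEBUG = """\
2025-11-25 13:00:13 [ec_ez_worker_process:458] Call completed with failure.
obj-id: 0, desc: "REST API to get EMS Serial Number.", entry: "api/v1/system/serial_number".
error info: Error (-1@__generic_process_result_ex:205). Error: http code 500
"""
FAILED_CALL = re.compile(r'Call completed with failure\.\s*\n.*?entry: "([^"]+)"\.\s*\n'
                         r'error info:.*?http code (\d+)')

def fctems_entries(config_text):
    """Return {edit_id: {setting: value}} for the endpoint-control fctems table."""
    entries, in_table, current = {}, False, None
    for line in map(str.strip, config_text.splitlines()):
        parts = line.split(None, 2)
        if line == "config endpoint-control fctems":
            in_table = True
        elif in_table and line == "end" and current is None:
            in_table = False
        elif in_table and parts[:1] == ["edit"] and len(parts) > 1:
            current = entries.setdefault(parts[1].strip('"'), {})
        elif in_table and line == "next":
            current = None
        elif current is not None and parts[:1] == ["set"] and len(parts) == 3:
            current[parts[1]] = parts[2].strip('"')
    return entries

def failed_ems_calls(debug_text):
    """Return [(api_entry, http_code)] for failed EMS REST calls in fcnacd debug output."""
    return [(entry, int(code)) for entry, code in FAILED_CALL.findall(debug_text)]

def triage(config_text, debug_text):
    """IDs of EMS entries to fix: preserve-ssl-session enabled while calls fail with HTTP 500."""
    if not any(code == 500 for _, code in failed_ems_calls(debug_text)):
        return []
    return [eid for eid, settings in fctems_entries(config_text).items()
            if settings.get("preserve-ssl-session") == "enable"]
```

With the constructed samples, `triage(SAMPLE_CONFIG, SAMPLE_DEBUG)` returns the ID of entry 1, the only entry where the option is enabled.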