First check connectivity to FortiGuard with the commands below. The pings may well succeed even though updates fail:
# execute ping service.fortiguard.net
# execute ping update.fortiguard.net
Check the update daemon debug log to see what the likely cause is:
# diagnose debug reset
# diagnose debug application update -1
# diagnose debug enable
# fnsysctl killall updated
# execute update-now
If the debug log shows the following, the FortiGate is reaching the FortiGuard server over TCP but is failing to complete the TLS handshake with it:
upd_daemon.c[323] do_update-Starting now UPDATE (final try)
upd_act.c[275] __upd_act_update-Trying FDS 173.243.138.66:443 with AcceptDelta=0
upd_comm.c[215] tcp_connect_fds-Proxy tunneling is disabled
upd_comm.c[529] ssl_connect_fds-Poll event error:19
upd_comm.c[618] upd_comm_connect_fds-Failed SSL connect
One potential cause is the MTU on the WAN interface. The pings above succeed because they are small packets, whereas the TLS handshake carries full-size segments (the server's certificate chain in particular) that an undersized path can silently drop, so the SSL connect never completes. Lowering the MTU value on the interface usually resolves the TLS connection failure. To change the MTU of the interface, use the following commands:
# config system interface
# edit wan1
# set mtu-override enable
# set mtu 1462
# end
Re-run the commands to register the FortiGate with FortiCare or to update the definitions via FortiGuard:
# diagnose debug reset
# diagnose debug application update -1
# diagnose debug enable
# fnsysctl killall updated
# execute update-now
The FortiGate should now register or update successfully:
do_setup[340]-Starting SETUP
upd_fds_load_default_server[924]-Addr=[173.243.141.6], weight=1104122476
upd_fds_load_default_server[941]-Resolve fds ip address OK.
upd_fds_load_default_server6[1046]-Resolve fds ipv6 address failed.
upd_comm_connect_fds[455]-Trying FDS 173.243.141.6:443
[267] __ssl_init: Done
[113] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[480] ssl_ctx_use_builtin_store: Loaded Fortinet Trusted Certs
[486] ssl_ctx_use_builtin_store: Enable CRL checking.
[493] ssl_ctx_use_builtin_store: Enable OCSP Stapling.
[755] ssl_ctx_create_new_ex: SSL CTX is created
[782] ssl_new: SSL object is created
[166] ssl_add_ftgd_hostname_check: Add hostname checking 'usupdate.fortinet.net'
[343] __ssl_crl_verify_cb: CRL not found. Depth 0
__upd_peer_vfy[330]-Server certificate OK.
__upd_peer_vfy[330]-Server certificate OK.
__upd_peer_vfy[330]-Server certificate OK.
__upd_peer_vfy[330]-Server certificate OK.
[383] __bio_mem_dump: OCSP status good
pack_obj[185]-Packing obj=Protocol=3.0|Command=VMSetup|Firmware=FGVMK6-FW-7.00-0157|SerialNumber=FGVM01TMYYYYYYYY|Connection=Internet|Address=z.z.z.z:0|Language=en-US|TimeZone=8|UpdateMethod=1|Uid=f2d7fc26af8a4b9c826f378ece503a01|VMPlatform=KVM
get_fcpr_response[297]-Unpacked obj: Protocol=3.0|Response=200|Firmware=FPT033-FW-6.8-0169|SerialNumber=FPT-FGT-DELL1004|Server=FDSG|Persistent=false|PEER_IP=x.x.x.x
get_fcpr_response[337]-Wan ip=[x.x.x.x]
upd_vm_cfg_set_status[235]-Saved status code 200
upd_comm_disconnect_fds[496]-Disconnecting FDS 173.243.141.6:443
[203] __ssl_data_ctx_free: Done
[1046] ssl_free: Done
[195] __ssl_cert_ctx_free: Done
[1056] ssl_ctx_free: Done
[1037] ssl_disconnect: Shutdown
do_setup[350]-SETUP successful
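As an added example (not from the article and not Fortinet's own tooling), the Python helper below reads a saved `diagnose debug application update -1` capture and reports whether the run stopped at a failed SSL connect, with no server certificate ever verified, or reached a server response and a successful setup. The two sample captures are constructed from the log output quoted in this article; the assumption that runs other than SETUP end with a line ending in "successful" is the author's, not something the article states.

```python
import re

# Constructed sample input: the failing `updated` debug output quoted in the
# article, with the prompt markers removed.
FAILED_LOG = """\
upd_daemon.c[323] do_update-Starting now UPDATE (final try)
upd_act.c[275] __upd_act_update-Trying FDS 173.243.138.66:443 with AcceptDelta=0
upd_comm.c[215] tcp_connect_fds-Proxy tunneling is disabled
upd_comm.c[529] ssl_connect_fds-Poll event error:19
upd_comm.c[618] upd_comm_connect_fds-Failed SSL connect
"""

# Constructed sample input: an abridged copy of the successful run from the article.
OK_LOG = """\
do_setup[340]-Starting SETUP
upd_comm_connect_fds[455]-Trying FDS 173.243.141.6:443
[166] ssl_add_ftgd_hostname_check: Add hostname checking 'usupdate.fortinet.net'
__upd_peer_vfy[330]-Server certificate OK.
[383] __bio_mem_dump: OCSP status good
get_fcpr_response[297]-Unpacked obj: Protocol=3.0|Response=200|Firmware=FPT033-FW-6.8-0169|Server=FDSG|Persistent=false|PEER_IP=x.x.x.x
upd_vm_cfg_set_status[235]-Saved status code 200
upd_comm_disconnect_fds[496]-Disconnecting FDS 173.243.141.6:443
do_setup[350]-SETUP successful
"""

FDS_RE = re.compile(r"Trying FDS (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
POLL_RE = re.compile(r"Poll event error:(\d+)")
RESPONSE_RE = re.compile(r"Unpacked obj: (.+)$")


def parse_kv(blob):
    """Split a 'k=v|k=v' FortiGuard object string into a dict."""
    return dict(part.split("=", 1) for part in blob.split("|") if "=" in part)


def analyse_update_log(text):
    """Summarise one `updated` debug capture.

    Returns a dict with the FDS endpoints tried, the poll error code (if any),
    whether a server certificate was verified, the parsed server response and
    a verdict:
      'success'              - the run ended with a line ending in "successful"
      'tls_handshake_failed' - "Failed SSL connect" seen and no certificate verified
      'inconclusive'         - none of the markers above were seen
    """
    info = {"fds": [], "poll_error": None, "ssl_failed": False,
            "cert_ok": False, "response": None, "verdict": "inconclusive"}
    for raw in text.splitlines():
        line = raw.strip().lstrip("# ")        # tolerate copied '# ' prefixes
        m = FDS_RE.search(line)
        if m:
            info["fds"].append((m.group(1), int(m.group(2))))
        m = POLL_RE.search(line)
        if m:
            info["poll_error"] = int(m.group(1))
        if "Failed SSL connect" in line:
            info["ssl_failed"] = True
        if "Server certificate OK" in line:
            info["cert_ok"] = True
        m = RESPONSE_RE.search(line)
        if m:
            info["response"] = parse_kv(m.group(1))
        # "do_setup[350]-SETUP successful" is the marker the article shows;
        # assuming (not confirmed by the article) other run types end the same way.
        if line.endswith(" successful"):
            info["verdict"] = "success"
    if info["verdict"] != "success" and info["ssl_failed"] and not info["cert_ok"]:
        # TCP reached FDS but the handshake died before any certificate was
        # verified: the pattern the article attributes to the WAN MTU.
        info["verdict"] = "tls_handshake_failed"
    return info


if __name__ == "__main__":
    for name, log in (("before MTU change", FAILED_LOG), ("after MTU change", OK_LOG)):
        r = analyse_update_log(log)
        code = r["response"].get("Response") if r["response"] else None
        print(f"{name}: verdict={r['verdict']} fds={r['fds']} "
              f"poll_error={r['poll_error']} response={code}")
```

Run it against a capture from each device before and after applying the MTU change; a `tls_handshake_failed` verdict paired with successful pings to the FortiGuard hostnames is the signature this article describes.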