FortiGate
rsondal
Staff
Article Id 329533
Description This article describes how to authorize FortiGate to FortiClient EMS Cloud.
Scope FortiClient EMS Cloud v7.2.4, FortiGate v7.2.8.
Solution
  1. Trying to enable EMS Cloud with a brand new setup will generate an error stating that the cloud is 'unreachable'.
     Note: Make sure that the DNS server is reachable and FortiGate can resolve forticlient-emsproxy.forticloud.com.

  2. Checking the output of the following command in the CLI of FortiGate will provide the error shown below:

execute fctems verify <EMS ID>

This command verifies FortiGate to FortiClient EMS connectivity.

For example:

execute fctems verify 1
Error in requesting EMS fabric connection: -1
issue in getting capabilities. EMS server was not reached (timeout)
Error (-1@_get_capabilities:446).

  3. Additionally, the output of the following command will produce the error shown below:

diagnose endpoint fctems test-connectivity <EMS ID>

This command tests the connectivity between FortiGate and EMS.

For example:

diagnose endpoint fctems test-connectivity 1
Connection test had an error -1: EMS server was not reached (timeout)

  4. Checking the debug outputs will show the same timeout error:

diagnose debug app fcnacd -1
diagnose endpoint filter show-large-data yes
diagnose debug enable

Replicate the issue.

diagnose debug disable
diagnose debug reset

error info: Error (ec_ems_rest_api_preprocess_result:66). CURL error: (28)Timeout was reached. (_process_pub_addr,751)Issue in pre-processing the result

  5. To resolve this error, follow these steps:

     1. Run the following commands to confirm that the FortiGuard update succeeds:

diagnose debug application update -1
diagnose debug enable
execute update-now

     2. If the update succeeds but the same connection error still occurs, specify the source IP address that FortiGate uses to reach EMS under:

config endpoint-control fctems
    edit <EMS ID>
        set source-ip <any_ip>
end


Additionally, traffic can be dropped due to MTU and fragmentation problems on the network path between the FortiGate and the FortiClient EMS server. Use the following FortiGate CLI commands to run an ICMP test between FortiGate and the FortiClient EMS server:

execute ping-options data-size 1400
execute ping <EMS Server IP or domain-name>

Note: The data size is calculated as the MTU size minus 28 bytes (20 bytes for the IP header and 8 bytes for the ICMP header). For an MTU of 1500, the data size is 1472 bytes.

If the ping is successful, increase the data size incrementally and repeat the test until the ping fails. If the ping fails, decrease the data size until the largest size that succeeds is found.

The largest data size that succeeds without fragmentation, plus the 28 bytes of headers, is the path MTU; this process finds the smallest MTU along the network path. Adjust the FortiGate interface MTU according to the result of this test:

config system interface
    edit <INTERFACE-NAME>
        set mtu-override enable
        set mtu <VALUE>
end

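The probe loop above, as an added example that is not part of the Fortinet article: a Python path-MTU search that carries the article's "data size plus 28 bytes of headers" rule through and generalises the step-by-step size changes into a binary search. The probe callable is injected, so the search runs offline against a constructed path; linux_df_probe is an assumed helper for a real Linux host using iputils ping with the DF bit set, while FortiGate itself still uses the execute ping-options commands shown above.

```python
import shutil
import subprocess
from typing import Callable

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header, per the article's note

def largest_passing_data_size(probe: Callable[[int], bool],
                              lo: int = 1, hi: int = 1472) -> int:
    """Largest ICMP data size in [lo, hi] for which probe() succeeds.

    Binary-search form of the article's "increase until it fails, decrease
    until it works" loop; assumes that if a size passes, all smaller sizes do.
    """
    if not probe(lo):
        raise RuntimeError("smallest probe failed: a reachability problem, not MTU")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid          # mid fits, so the answer is mid or larger
        else:
            hi = mid - 1      # mid was dropped, so the answer is below mid
    return lo

def path_mtu(probe: Callable[[int], bool], hi: int = 1472) -> int:
    """Path MTU = largest passing data size + 28 (the article's rule, inverted)."""
    return largest_passing_data_size(probe, hi=hi) + IP_ICMP_OVERHEAD

def simulated_path(mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a path whose smallest link MTU is `mtu`:
    a DF-marked packet gets through only if its total size fits that link."""
    return lambda data_size: data_size + IP_ICMP_OVERHEAD <= mtu

def linux_df_probe(host: str, timeout_s: int = 2) -> Callable[[int], bool]:
    """Assumed real-host probe: iputils ping with DF set (-M do) and -s data size."""
    if shutil.which("ping") is None:
        raise RuntimeError("ping not found on this host")
    return lambda data_size: subprocess.run(
        ["ping", "-M", "do", "-c", "1", "-W", str(timeout_s),
         "-s", str(data_size), host],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode == 0

if __name__ == "__main__":
    # Constructed scenario: a 1400-byte tunnel hop sits between FortiGate and EMS.
    probe = simulated_path(1400)
    print("largest passing data size:", largest_passing_data_size(probe))  # 1372
    print("value for 'set mtu':", path_mtu(probe))                         # 1400
```
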
     3. Run the following:

execute fctems verify 1

After running the command above, a certificate prompt will appear and ask for confirmation of the server certificate. When configuring a new connection to an EMS server, the certificate might not be trusted yet, so review the certificate details shown in the prompt before accepting it.

EMS configuration needs user to confirm server certificate.
Do you wish to add the above certificate to trusted remote certificates? (y/n)y

     4. After pressing Y, make sure to authorize the FortiGate on the FortiClient EMS Cloud server.

     5. After running these commands, refresh the connection with the FortiClient EMS Cloud. It should now connect successfully.

Related documents: