FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ssanga
Staff & Editor
Article Id 350299
Description
This article describes how to address an issue where a FortiGate in an HA cluster cannot connect to FortiManager because the serial number carried in its local certificate (the CN of the Fortinet_Factory certificate) does not match the serial number FortiManager expects for that device.

Scope
FortiGate v7.2.8 (see the fixed-in versions below for the other affected branches).
Solution

During HA synchronization, the secondary unit may incorrectly receive the primary unit's Fortinet_Factory local certificate instead of keeping its own. The device serial number is carried in the CN of that certificate's Subject, so the secondary ends up presenting a certificate issued for the primary's serial number rather than for its own.

Example output of the local certificate on both FortiGates. Note that fw02, the secondary, shows the same CN, fingerprint and certificate serial number as fw01, so it no longer holds a certificate of its own:

 

fw01# get vpn certificate local details
== [ Fortinet_Factory ]
Name: Fortinet_Factory
Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FG180FTK2390XXXX, emailAddress = support@fortinet.com
Issuer: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = fortinet-subca201, emailAddress = support@fortinet.com
Valid from: 2023-09-13 01:53:38 GMT
Valid to: 2056-05-26 20:48:33 GMT
Fingerprint: 56:F8:57:16:E6:1D:58:79::3C:86:4D:25:5E
Serial Num: 02:67:5a:25

fw02 # get vpn certificate local details
== [ Fortinet_Factory ]
Name: Fortinet_Factory
Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FG180FTK2390XXXX, emailAddress = support@fortinet.com
Issuer: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = fortinet-subca201, emailAddress = support@fortinet.com
Valid from: 2023-09-13 01:53:38 GMT
Valid to: 2056-05-26 20:48:33 GMT
Fingerprint: 56:F8:57:16:E6:1D:58:79::3C:86:4D:25:5E
Serial Num: 02:67:5a:25


When an HA failover is triggered, the secondary FortiGate becomes the new primary and may fail to connect to FortiManager. FortiManager compares the serial number in the certificate the device presents with the serial number the device reports during FGFM communication (for example in the 'get auth' or 'get ip' messages), and the two no longer match because the certificate still carries the former primary's serial number.
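As an added check (example code written for this article, not Fortinet's own tooling), the following Python script parses the output of 'get vpn certificate local details' and 'get system status' collected from each HA member and flags any unit whose Fortinet_Factory CN does not carry its own serial number. It also models, as a labelled simplification rather than FortiManager's actual code, the serial-number check described above and the effect of the 'fgfm-peercert-withoutsn' setting. The CLI output is constructed from the article's sample; FG180FTK2390YYYY is a made-up serial for the secondary.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample CLI output, modelled on the article's
# `get vpn certificate local details` and on the Serial-Number line of
# FortiOS `get system status`. Serial numbers are placeholders, not real devices.
PRIMARY_SN = "FG180FTK2390XXXX"    # placeholder used in the article
SECONDARY_SN = "FG180FTK2390YYYY"  # constructed placeholder for the secondary

FACTORY_CERT_TEMPLATE = """== [ Fortinet_Factory ]
Name: Fortinet_Factory
Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = {cn}, emailAddress = support@fortinet.com
Issuer: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = fortinet-subca201, emailAddress = support@fortinet.com
Valid from: 2023-09-13 01:53:38 GMT
Valid to: 2056-05-26 20:48:33 GMT
Serial Num: 02:67:5a:25
"""

STATUS_TEMPLATE = "Serial-Number: {sn}\nHostname: {host}\n"


def factory_cert_cn(cert_output: str) -> Optional[str]:
    """Return the CN from the Subject of the Fortinet_Factory block (the device SN lives there)."""
    current_block = None
    for line in cert_output.splitlines():
        header = re.match(r"==\s*\[\s*(.+?)\s*\]", line.strip())
        if header:
            current_block = header.group(1)
            continue
        if current_block == "Fortinet_Factory" and line.startswith("Subject:"):
            cn = re.search(r"\bCN\s*=\s*([^,]+)", line)
            return cn.group(1).strip() if cn else None
    return None


def device_serial(status_output: str) -> Optional[str]:
    """Serial-Number line from `get system status`."""
    m = re.search(r"^Serial-Number:\s*(\S+)", status_output, re.MULTILINE)
    return m.group(1) if m else None


@dataclass
class MemberCheck:
    hostname: str
    serial: Optional[str]
    cert_cn: Optional[str]

    @property
    def consistent(self) -> bool:
        # The unit's own serial must be the one in its factory certificate CN.
        return self.serial is not None and self.serial == self.cert_cn


def check_member(hostname: str, status_output: str, cert_output: str) -> MemberCheck:
    return MemberCheck(hostname, device_serial(status_output), factory_cert_cn(cert_output))


def fgfm_sn_check(cert_cn: Optional[str], reported_serial: Optional[str],
                  peercert_withoutsn: bool = False) -> bool:
    """Simplified model (an assumption, not FortiManager code) of the check the
    article describes: the CN of the presented certificate must equal the serial
    the device reports, unless 'fgfm-peercert-withoutsn' is enabled."""
    if peercert_withoutsn:
        return True
    return cert_cn is not None and cert_cn == reported_serial


def run_cluster_check() -> dict:
    """Constructed cluster in which fw02 has synced fw01's certificate."""
    fw01 = check_member("fw01", STATUS_TEMPLATE.format(sn=PRIMARY_SN, host="fw01"),
                        FACTORY_CERT_TEMPLATE.format(cn=PRIMARY_SN))
    fw02 = check_member("fw02", STATUS_TEMPLATE.format(sn=SECONDARY_SN, host="fw02"),
                        FACTORY_CERT_TEMPLATE.format(cn=PRIMARY_SN))  # wrong cert after HA sync
    results = {}
    for m in (fw01, fw02):
        results[m.hostname] = {
            "serial": m.serial,
            "cert_cn": m.cert_cn,
            "consistent": m.consistent,
            # Would FortiManager accept this unit as primary, with the SN check on?
            "fgfm_accepts": fgfm_sn_check(m.cert_cn, m.serial),
        }
    return results


if __name__ == "__main__":
    for host, r in run_cluster_check().items():
        state = "OK" if r["consistent"] else \
            "MISMATCH: cert CN %s != device SN %s" % (r["cert_cn"], r["serial"])
        print(f"{host}: {state}")
```

Run it against real output by pasting each unit's 'get system status' and 'get vpn certificate local details' into the two template slots; a MISMATCH on the secondary before any failover confirms the condition this article describes.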

The following errors may be seen in the FGFM debugs:

 

FGFMs: Connect to 192.168.69.9:541, local 192.168.24.20:14465.
FGFMs: cert_id<0>, sni<fortinet-ca2.>
FGFMs: cert_id<1>, sni<fortinet-ca2.support.>
FGFMs: set_fgfm_sni SNI<fortinet-ca2.support.fortinet.com>
FGFMs: Load Cipher [DHE-RSA-AES256-SHA256:AES256-SHA256:SHA256:AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:@STRENGTH]
FGFMs: before SSL initialization
FGFMs: SSLv3/TLS write client hello
FGFMs: SSLv3/TLS write client hello
FGFMs: SSLv3/TLS read server hello
FGFMs: TLSv1.3 read encrypted extensions
FGFMs: SSLv3/TLS read server certificate request
FGFMs: SSLv3/TLS read server certificate
FGFMs: Remote issuer is /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com.
FGFMs: issuer matching...try next if not match... localissuer(fortinet-subca201), remoteissuer(support)
FGFMs: need change local cert to ISSUER[support]
FGFMs: reload cert at client side
ISSUER [/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com]


This issue has been resolved in FortiOS versions 7.0.16, 7.2.9, 7.4.5, and 7.6.0.

Workaround:

On FortiManager:

The check that the serial number in the peer certificate matches the device serial number can be disabled globally on the FortiManager side with the following CLI commands:

config system global
    set fgfm-peercert-withoutsn enable <-- Deprecated on v7.2.10/7.4.6/v7.6.1 onward.
end

This relaxes certificate-based device identity verification for every device that connects to this FortiManager, so treat it as a temporary measure and set it back to disable once the FortiGates have been upgraded to a fixed release.

 

On FortiGate:

On affected FortiOS versions, a temporary workaround is to fail the cluster back over to the former primary, so that the serial number in the CN field of the certificate presented to FortiManager again matches the serial number of the unit that is establishing the connection. This does not correct the secondary's certificate, so the problem returns at the next failover until the cluster is upgraded.

 

Logs required by FortiGate TAC for investigation:

1. TAC report (on the FortiGate):

execute tac report

2. FGFM debug on the FortiGate:

diagnose debug reset
diagnose debug application fgfm 255
diagnose debug console timestamp enable
diagnose debug enable

3. FGFM debug on FortiManager (replace <deviceName> with the device name as registered in FortiManager):

diagnose debug reset
diagnose debug application fgfmsd 255 <deviceName>
diagnose debug timestamp enable
diagnose debug enable

Reproduce the connection attempt while the debug is running, then disable the debug on both sides:

diagnose debug disable
diagnose debug reset

 

Related documents:

Troubleshooting Tip: Registering FortiGate HA Cluster in FortiManager: Serial Number Mismatch Inside...