|
FortiGuard communication with FortiGate is self-generated traffic for an update request. FortiGate checks the route to the FortiGuard IP and selects the source interface and IP address. If VDOM is enabled on the FortiGate, FortiGuard communication is handled by the Management VDOM.
FortiGate's default configuration of FortiGuard is 'Anycast'. The FortiGate connects to a single server address, regardless of where it is located. To check the status of FortiGuard Anycast servers: FortiGuard Anycast Query Status.
With Anycast disabled, the FortiGate must keep a list of servers that it tries, and if one fails, it switches to another.
config system fortiguard
set fortiguard-anycast enable
end
When ‘anycast’ is enabled, FortiGate uses HTTPS communication to FortiGuard on port 443:
- Enable debug commands by running the following.
diagnose debug reset
diagnose debug application update -1
diagnose debug console timestamp enable
diagnose debug en
- Initiate an update query by running:
execute update-now
- Check the debug logs for any SSL connection errors like 'Failed SSL connect'.
fgt01-d641-patologia # do_update[414]-Starting now UPDATE
upd_cfg_get_host6_by_name[116]-Failed to get ipv6 address for update.fortiguard.net
upd_fds_load_default_server6[864]-Failed resolve ipv6 address.
upd_comm_connect_fds[446]-Trying FDS 96.45.33.86:443
[111] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[457] ssl_ctx_use_builtin_store: Loaded Fortinet Trusted Certs
[463] ssl_ctx_use_builtin_store: Enable CRL checking.
[470] ssl_ctx_use_builtin_store: Enable OCSP Stapling.
[721] ssl_ctx_create_new_ex: SSL CTX is created
[748] ssl_new: SSL object is created
__upd_peer_vfy[324]-Server certificate OK.
__upd_peer_vfy[324]-Server certificate OK.
ssl_connect_fds[393]-Poll timeout
[201] __ssl_data_ctx_free: Done
[1012] ssl_free: Done
[193] __ssl_cert_ctx_free: Done
[1022] ssl_ctx_free: Done
upd_comm_connect_fds[464]-Failed SSL connect
do_update[426]-UPDATE failed
- Find the FortiGuard server IP address and collect the given sniffer command output when initiating an update request by running the ‘execute update-now’ command.
For example:
diagnose sniffer packet any ‘host 96.45.33.86’ 6 0 l
If VDOM is enabled, it is necessary to collect sniffer command output from the Management VDOM.
5. Check the packet capture and verify the SSL handshake.
- A failed SSL connection indicates that the SSL handshake was not completed. Mostly, SSL inspection is performed at the upstream firewall, which alters the FortiGuard server certificate. Try disabling SSL Inspection from the upstream Firewall.
- Alternatively, try changing the FortiGuard Port to 8888 and the protocol to UDP after disabling 'anycast'. Use the following commands.
config system fortiguard
set fortiguard-anycast disable
set port 8888
set protocol udp
end
-
This issue can also happen due to a change in the MTU value by the ISP. In such a scenario, server hello may not be received from the FortiGuard servers, which can be verified by taking a packet capture on the WAN link. Try lowering the TCP MSS on the WAN interface.
config system interface
edit wan <-- WAN interface name.
set tcp-mss 1350 <-- Once the issue is fixed, this number can be adjusted.
end
Related articles:
Troubleshooting Tip: Fortiguard Update Fail - Server certificate failed verification
Technical Tip: Failed to contact FortiGuard servers due to unknown CA
|
