Description
This article provides some basic troubleshooting steps when an administrator detects a failure on an update process.
Scope:
FortiGates with FortiGuard anti virus, web filtering, Licenses and IPS updates.
Solution
During the troubleshooting process, an attempt was made to synchronize the unit with FortiGuard using the following debug flow:
diag debug application update -1
diag debug enable
exec update-now
Note that in the event log, entries indicate that FortiGuard updates were not successful.
In the debug, the following messages are shown:
**************************Messages**************************
upd_comm.c[430] load_ssl_certificates-Failed loading CA certificate
upd_comm.c[482] ssl_connect_fds-Failed loading SSL certificates
upd_comm.c[620] upd_comm_connect_fds-Failed SSL connect
One of the reasons for the failure is that the certificate Fortinet_CA_SSLProxy is not available. To fix this, reinstall FortiOS.
After reinstalling FortiOS, FortiGate will be able to reach FortiGuard Services.
Additionally, make sure the FortiGuard settings and DNS settings are as follows:
config system fortiguard
set fortiguard-anycast disable
set protocol udp
set port 8888
set update-server-location usa
set sdns-server-ip "208.91.112.220"
end
In the DNS setting make sure you use the protocol cleartext.
config system dns
set primary 96.45.45.45
set secondary 96.45.46.46
set protocol cleartext
end
After the above commands run the update again and you will see the following debug:
upd_status_save_status[201]-Wrote status file
__upd_act_update[319]-Package installed successfully
upd_comm_disconnect_fds[500]-Disconnecting FDS 208.184.237.67:443
[206] __ssl_data_ctx_free: Done
[1094] ssl_free: Done
[198] __ssl_cert_ctx_free: Done
[1104] ssl_ctx_free: Done
[1085] ssl_disconnect: Shutdown
do_update[684]-UPDATE successful
Related articles:
