Description

This article provides some basic troubleshooting steps when an administrator detects a failure on an update process.

Scope

FortiGates with FortiGuard anti virus, web filtering, Licenses and IPS updates.

Solution

During the troubleshooting process, an attempt was made to synchronize the unit with FortiGuard using the following debug flow:

diagnose debug application update -1
diagnose debug enable
execute update-now

To stop the debugs, run the following commands:

diagnose debug disable

diagnose debug reset

Note that in the event log, entries indicate that FortiGuard updates were not successful.

In the debug, the following messages are shown:

**************************Messages**************************

upd_comm.c[430] load_ssl_certificates-Failed loading CA certificate

upd_comm.c[482] ssl_connect_fds-Failed loading SSL certificates

upd_comm.c[620] upd_comm_connect_fds-Failed SSL connect

In some cases, especially when SD-WAN is configured, it is necessary to change the interface-select-method to use SD-WAN: Technical Tip: Use SD-WAN intelligence for selecting interface to use in communicating with FortiGu... 

In the DNS setting, make sure to use the protocol cleartext.

config system dns

set primary 96.45.45.45

set secondary 96.45.46.46

set protocol cleartext

end

After the above commands run the update again, and the following debug will appear:

upd_status_save_status[201]-Wrote status file
__upd_act_update[319]-Package installed successfully
upd_comm_disconnect_fds[500]-Disconnecting FDS 208.184.237.67:443
[206] __ssl_data_ctx_free: Done
[1094] ssl_free: Done
[198] __ssl_cert_ctx_free: Done
[1104] ssl_ctx_free: Done
[1085] ssl_disconnect: Shutdown
do_update[684]-UPDATE successful

Related articles:

Technical Tip: Formatting and loading FortiGate firmware image using TFTP.

Troubleshooting Tip: Diagnosing FortiGuard problems of Antivirus, Intrusion Prevention, Web Filterin....