Description
This article describes the first workaround steps in case of a FortiCloud connection failure. FortiCloud connection failures could also manifest as upgrade errors, FortiToken, or Licensing registration errors:
Solution
- Check the Internet connectivity, and make sure that it can resolve the hostname 'logctrl1.fortinet.com'.
execute ping logctrl1.fortinet.com
PING logctrl1.fortinet.com (208.91.113.103)
- Check the DNS cache to 'logctrl1.fortinet.com'.
diagnose test application dnsproxy 7
vfid=0, name=logctrl1.fortinet.com, category=255, ttl=10386:9724:1138
208.91.113.103 (ttl=10412)
- Check the FortiGuard Log setting.
config log fortiguard setting
(setting) # show full-configuration
config log fortiguard setting
set status enable
set ssl-min-proto-version default
set source-ip 0.0.0.0
set interface-select-method auto
set upload-option 5-minute
set priority default
set max-log-rate 0
set enc-algorithm high
set conn-timeout 10
end
Note.
If there is no successful FortiCloud activation it cannot adjust the above settings and the status will be set to disable.
- Check FDS status for account ID.
diagnose test application forticldd 1
System=FGT Platform=Fortigate_Model
Management vdom: root, id=0, ha=master.
acct_id=User_ID@company_id.com
acct_st=OK
FortiGuard log: status=enabled, full=overwrite, ssl_opt=3, source-ip=0.0.0.0
Centra Management: type=FGD, flags=000000bf.
active-tasks=0
- Validate FortiCloud log state:
The server status is 'Down'.
For FortiOS 7.2.3 and below:
diagnose test application miglogd 20
For FortiOS 7.2.4 and above:
diagnose test application fgtlogd 20
diagnose test application fgtlogd 20
Home log server:
Address: 208.91.113.241:514, st: down
oftp status: connecting
spos: 0, slen: 0
rpos: 0, rlen: 12
Alternative log server:
Address: 208.91.113.201:514, st: down
oftp status: connecting
spos: 0, slen: 0
rpos: 0, rlen: 12
Active log server: ALTER
Number of log task: 1024
Number of task in list: 1024
Debug zone info:
Server IP: 208.91.113.241
Server port: 514
Server status: down
Log quota: 102400MB
Log used: 224MB
Daily volume: 20480MB
FDS arch pause: 0
fams archive pause: 0
stats: total=95970, acked=0, discard=94946, rejected=0
Other examples:
FGT # diagnose test application forticldd 3
Debug zone info:
Domain:GLOBAL
Home log server: 173.243.132.171:514
Alt log server: 173.243.132.132:514
Active Server IP: 173.243.132.132
Active Server status: unknown
Log quota: 3145728MB
Log used: 0MB
Daily volume: 20480MB
fams archive pause: 0
APTContract : 0
APT server: 0.0.0.0:0
APT Altserver: 0.0.0.0:0
Active APTServer IP: 0.0.0.0
Active APTServer status: unknown
FGT # diagnose test application miglogd 20
Home log server:
Address: 173.243.132.171:514
Alternative log server:
Address: 173.243.132.143:514
oftp connection haven't been established
Debug zone info:
Server IP: 173.243.132.143
Server port: 514
Server status: unknown
Log quota: 3145728MB
Log used: 0MB
Daily volume: 20480MB
FDS arch pause: 0
fams archive pause: 0
- Change the FortiGuard Log setting:
Change 'set enc-algorithm high' from 'High' to 'default'.
- Validate the FortiCloud log state.
The server status is 'UP'.
diagnose test application miglogd 20
Home log server:
Address: 208.91.113.194:514, st: up
oftp status: established
spos: 521, slen: 521
rpos: 24, rlen: 24
Alternative log server:
Address: 208.91.113.101:514, st: unknown
oftp connection haven't been established
Active log server: HOME
Number of log task: 0
Number of task in list: 0
Debug zone info:
Server IP: 208.91.113.194
Server port: 514
Server status: up
Log quota: 102400MB
Log used: 394MB
Daily volume: 20480MB
FDS arch pause: 0
fams archive pause: 0
stats: total=610774, acked=610774, discard=0, rejected=0
- Test connectivity to TCP port 514 on the FortiGateCloud servers from the FortiGate.
A successful telnet confirming TCP port 514 is open and working.
execute telnet 173.243.132.171 514
Trying 173.243.132.171...
Connected to 173.243.132.171. <- The console may freeze for a few moments then drop the connection with the following message.
Connection closed by foreign host.
A failed telnet connection indicates that TCP port 514 is being blocked before reaching the FortiGateCloud server.
execute telnet 173.243.132.171 514
Trying 173.243.132.171...
Timeout!
Failed to connect to specified unit.
If there is no response from the server, change the outgoing interface.
config log fortiguard setting
set interface-select-method specify
set interface port1 <- Specify the outgoing interface.
end
- The FortiGate unit is using its routing table, to route the self-originated traffic to FortiGate Cloud.
If the configured default route does not allow Internet access, and the traffic must originate from the specific network to be routed, for example via IPsec tunnel, a source IP can be specified in the log settings in CLI, to allow the FortiGate unit to reach the FortiGateCloud servers:
config log fortiguard setting
set status enable
set ssl-min-proto-version default
set source-ip <IP-address (0.0.0.0 by default)>
set interface-select-method auto
end
This source-ip must be the IP address of some of the FortiGate interfaces.
- Other useful troubleshooting information can be collected using the below commands:
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application forticldd -1
diagnose debug enable
fnsysctl killall forticldd
The last command will restart the FortiCloud process and after a minute, it is possible to stop the outputs: 'diagnose debug disable' 'diagnose debug reset'.
- If the above commands do not resolve the issue and still do not see the logs being sent over to the FortiCloud. Restart the FortiGate log daemon by running the below command as this restarts the log daemon on the firewall
fnsysctl killall fgtlogd
It is possible to use the IP information from the output in packet captures:
diagnose sniffer packet any 'host <IP from previous output>' 4 0 l