Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ppatel
Staff
Staff

Created on ‎08-05-2016 06:47 PM Edited on ‎01-28-2025 05:11 AM By Staff

Article Id 196104

Troubleshooting Tip: FortiCloud connection failure

Description

 
This article describes the first workaround steps in case of a FortiCloud connection failure. FortiCloud connection failures could also manifest as upgrade errors, FortiToken, or Licensing registration errors:
 
2024-09-11_Error.png

 

Scope

 

FortiCloud, FortiGate.


Solution

 
  1. Check the Internet connectivity, and make sure that it can resolve the hostname 'logctrl1.fortinet.com'.

    execute ping logctrl1.fortinet.com
    PING logctrl1.fortinet.com (208.91.113.103)

  2. Check the DNS cache to 'logctrl1.fortinet.com'.

    diagnose test application dnsproxy 7
    vfid=0, name=logctrl1.fortinet.com, category=255, ttl=10386:9724:1138
      208.91.113.103 (ttl=10412)

  3. Check the FortiGuard Log setting.

    config log fortiguard setting
    (setting) # show full-configuration
    config log fortiguard setting
        set status enable
        set ssl-min-proto-version default
        set source-ip 0.0.0.0
        set interface-select-method auto
        set upload-option 5-minute
        set priority default
        set max-log-rate 0
        set enc-algorithm high
        set conn-timeout 10
    end

    Note.
    If there is no successful FortiCloud activation it cannot adjust the above settings and the status will be set to disable.

  4. Check FDS status for account ID.

    diagnose test application forticldd 1
    System=FGT Platform=Fortigate_Model
    Management vdom: root, id=0,  ha=master.
    acct_id=User_ID@company_id.com
    acct_st=OK
    FortiGuard log: status=enabled, full=overwrite, ssl_opt=3, source-ip=0.0.0.0
    Centra Management: type=FGD, flags=000000bf.
    active-tasks=0

  5. Validate FortiCloud log state:
    The server status is 'Down'.

    For FortiOS 7.2.3 and below:

    diagnose test application miglogd 20

    For FortiOS 7.2.4 and above:

    diagnose test application fgtlogd 20


    diagnose test application fgtlogd 20
    Home log server:
    Address: 208.91.113.241:514, st: down
    oftp status: connecting
    spos: 0, slen: 0
    rpos: 0, rlen: 12
    Alternative log server:
    Address: 208.91.113.201:514, st: down
    oftp status: connecting
    spos: 0, slen: 0
    rpos: 0, rlen: 12
    Active log server: ALTER

    Number of log task: 1024
    Number of task in list: 1024
    Debug zone info:
    Server IP: 208.91.113.241
    Server port: 514
    Server status: down
    Log quota: 102400MB
    Log used: 224MB
    Daily volume: 20480MB
    FDS arch pause: 0
    fams archive pause: 0
    stats: total=95970, acked=0, discard=94946, rejected=0

    Other examples:

    FGT # diagnose test application forticldd 3
    Debug zone info:
    Domain:GLOBAL
    Home log server: 173.243.132.171:514
    Alt log server: 173.243.132.132:514
    Active Server IP: 173.243.132.132
    Active Server status: unknown
    Log quota: 3145728MB
    Log used: 0MB
    Daily volume: 20480MB
    fams archive pause: 0
    APTContract : 0
    APT server: 0.0.0.0:0
    APT Altserver: 0.0.0.0:0
    Active APTServer IP: 0.0.0.0
    Active APTServer status: unknown

  6. Change the FortiGuard Log setting:
    Change 'set enc-algorithm high' from 'High' to 'default'.

  7. Validate the FortiCloud log state.
    The server status is 'UP'.

    diagnose test application fgtlogd 20
    Home log server:
        Address: 208.91.113.194:514, st: up
        oftp status: established
        spos: 521, slen: 521
        rpos: 24, rlen: 24
    Alternative log server:
        Address: 208.91.113.101:514, st: unknown
        oftp connection haven't been established
    Active log server:  HOME
     Number of log task:     0
    Number of task in list: 0
    Debug zone info:
        Server IP:      208.91.113.194
        Server port:    514
        Server status:  up
        Log quota:      102400MB
        Log used:       394MB
        Daily volume:   20480MB
        FDS arch pause: 0
        fams archive pause: 0
    stats: total=610774, acked=610774, discard=0, rejected=0

  8. Test connectivity to TCP port 514 on the FortiGateCloud servers from the FortiGate.
    A successful telnet confirming TCP port 514 is open and working.

    execute telnet 173.243.132.171 514
    Trying 173.243.132.171...
    Connected to 173.243.132.171. <- The console may freeze for a few moments then drop the connection with the following message.
    Connection closed by foreign host.

    A failed telnet connection indicates that TCP port 514 is being blocked before reaching the FortiGateCloud server.

    execute telnet 173.243.132.171 514
    Trying 173.243.132.171...
    Timeout!
    Failed to connect to specified unit.

    If there is no response from the server, change the outgoing interface.


    config log fortiguard setting
        set interface-select-method specify

        set interface port1 <- Specify the outgoing interface.

    end

     

  9. The FortiGate unit is using its routing table, to route the self-originated traffic to FortiGate Cloud.

    If the configured default route does not allow Internet access, and the traffic must originate from the specific network to be routed, for example via IPsec tunnel, a source IP can be specified in the log settings in CLI, to allow the FortiGate unit to reach the FortiGateCloud servers:

    config log fortiguard setting
        set status enable
        set ssl-min-proto-version default
        set source-ip <IP-address (0.0.0.0 by default)>
        set interface-select-method auto
    end

 

This source must be the IP address of some of the FortiGate interfaces.

Other useful troubleshooting information can be collected using the below commands:

 

diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application forticldd -1
diagnose debug enable  

 

Note:
From the debug, if the following error 'FATAL: Status checking failed due to missing OCSP/CRL' was observed, try the following command to disable anycast:

config system fortiguard

    set fortiguard-anycast disable

    set protocol udp

    set port 8888

end

 

After that, restart the FortiCloud process, and use the following command:

 

fnsysctl killall forticldd

 

Then, run these commands to restart the FortiCloud process.  The first command will list the process ID, and replace the x's in the second command with the ID:

diag sys process pidof forticldd 
diag sys kill 11 xxx

 

Use the following commands to stop the debug, the console will take the keyboard input even while filing up:

diagnose debug disable' 'diagnose debug reset

If the above commands do not resolve the issue and logs are still not sent to the FortiCloud, restart the FortiGate log daemon by running the commands below. The first command will list the process ID, and replace the x's in the second command with the ID:

diag sys process pidof fgtlogd  
diag sys kill 11 xxx

It is possible to use the IP information from the output in packet captures:

diagnose sniffer packet any 'host <IP from previous output>' 4 0 l

Labels:
64526
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.