The management connectivity status is down on the FortiCloud Network Overview page.
Use the commands below to capture the related error message.
# diag debug app forticldd -1
# diag debug enable
# diag fdsm log-controller-update
Then replicate the issue to generate logs, and disable debugging once done:
# diag deb dis
# diag deb reset
The error message below shows that the TLS version is causing the SSL connection problem.
[40] fds_queue_task: req-101 is added to message-controller
[568] fds_https_start_server: server: 208.91.113.184:443
[569] fds_https_start_server: source-ip: 0.0.0.0:0
[112] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[722] ssl_ctx_create_new_ex: SSL CTX is created
[749] ssl_new: SSL object is created
[80] https_create: proxy server 0.0.0.0 port:0
[968] ssl_connect: SSL_connect failes: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
[475] fds_https_connect: https_connect(208.91.113.184:443) failed: ssl_connect() failed: 6 (error:00000000:lib(0):func(0):reason(0)).
[202] __ssl_data_ctx_free: Done
[1013] ssl_free: Done
[194] __ssl_cert_ctx_free: Done
[1023] ssl_ctx_free: Done
[1004] ssl_disconnect: Shutdown
[217] fds_svr_default_on_error: message-controller: ip=208.91.113.184:443, reason=4
[234] fds_svr_default_on_error: message-controller: Conn failes 1/1
[254] fds_svr_default_on_error: message-controller: req-id=101, num_try=1, read=0, reason=4
[93] fds_mctrl_update_done: update task was not successful.
The TLS version can be modified in the global settings below.
# config system global
(global) # set ssl-min-proto-version TLSv1-2    <----- Modified from TLSv1-3 to TLSv1-2.
(global) # end
The SSL connection is established after modifying the TLS version.
[568] fds_https_start_server: server: 208.91.113.103:443
[569] fds_https_start_server: source-ip: 0.0.0.0:0
[112] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[722] ssl_ctx_create_new_ex: SSL CTX is created
[749] ssl_new: SSL object is created
[80] https_create: proxy server 0.0.0.0 port:0
[481] fds_https_connect: https_connect(208.91.113.103:443) is established.
[267] fds_svr_default_on_established: log-controller has connected to ip=208.91.113.103:443
[274] fds_svr_default_on_established: server-log-controller handles cmd-111
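To triage saved forticldd debug output offline, the following added example (not Fortinet code) groups the entries per connection attempt and flags the attempt that failed with `tlsv1 alert protocol version`. The function names are hypothetical and the sample lines are excerpted from the output on this page; it accepts both one-entry-per-line and run-together pastes.

```python
import re

# One debug entry is "[line] function: message"; the lookahead also splits
# pastes where several entries were run together on a single line.
ENTRY = re.compile(r"\[(\d+)\] (\w+): (.*?)(?=\s*\[\d+\] \w+: |\s*\Z)", re.S)
# OpenSSL error string: error:<code>:<library>:<function>:<reason>
OSSL = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.+)")

# Sample input: lines excerpted from the debug output on this page.
SAMPLE = """\
[568] fds_https_start_server: server: 208.91.113.184:443
[968] ssl_connect: SSL_connect failes: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
[475] fds_https_connect: https_connect(208.91.113.184:443) failed: ssl_connect() failed: 6 (error:00000000:lib(0):func(0):reason(0)).
[568] fds_https_start_server: server: 208.91.113.103:443
[481] fds_https_connect: https_connect(208.91.113.103:443) is established.
"""

def parse_attempts(text):
    """Return one record per HTTPS attempt (hypothetical helper)."""
    attempts, cur = [], None
    for _, func, msg in ENTRY.findall(text):
        msg = msg.strip()
        start = re.match(r"server: (\S+)", msg)
        if func == "fds_https_start_server" and start:
            cur = {"server": start.group(1), "status": "unknown", "reason": None}
            attempts.append(cur)
        elif cur is None:
            continue  # entry seen before any connection attempt started
        elif func == "ssl_connect" and (err := OSSL.search(msg)):
            cur["reason"] = err.group(4).strip()  # e.g. the TLS alert text
        elif func == "fds_https_connect" and "is established" in msg:
            cur["status"] = "established"
        elif func == "fds_https_connect" and "failed" in msg:
            cur["status"] = "failed"
    return attempts

def tls_version_rejected(attempt):
    """True when the attempt failed with a TLS protocol_version alert."""
    reason = attempt["reason"] or ""
    return attempt["status"] == "failed" and "alert protocol version" in reason

if __name__ == "__main__":
    for a in parse_attempts(SAMPLE):
        hint = " -> check ssl-min-proto-version" if tls_version_rejected(a) else ""
        print(f'{a["server"]}: {a["status"]} ({a["reason"]}){hint}')
```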