FortiGate
yangw
Staff
Description This article describes when the FortiCloud management connectivity status is down on FortiGate and how to troubleshoot it.
Scope FortiOS 6.2.
Solution

The management connectivity status is down on the FortiCloud Network Overview page.

 


 

Use the following commands to display the related error messages.

 

# diag debug app forticldd -1
# diag debug enable
# diag fdsm log-controller-update


Then replicate the issue to generate the log output, and disable debugging when done:


# diag deb dis
# diag deb reset

 

The error message below shows that a TLS version mismatch is causing the SSL connection to fail.

 

[40] fds_queue_task: req-101 is added to message-controller
[568] fds_https_start_server: server: 208.91.113.184:443
[569] fds_https_start_server: source-ip: 0.0.0.0:0
[112] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[722] ssl_ctx_create_new_ex: SSL CTX is created
[749] ssl_new: SSL object is created
[80] https_create: proxy server 0.0.0.0 port:0
[968] ssl_connect: SSL_connect failes: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
[475] fds_https_connect: https_connect(208.91.113.184:443) failed: ssl_connect() failed: 6 (error:00000000:lib(0):func(0):reason(0)).
[202] __ssl_data_ctx_free: Done
[1013] ssl_free: Done
[194] __ssl_cert_ctx_free: Done
[1023] ssl_ctx_free: Done
[1004] ssl_disconnect: Shutdown
[217] fds_svr_default_on_error: message-controller: ip=208.91.113.184:443, reason=4
[234] fds_svr_default_on_error: message-controller: Conn failes 1/1
[254] fds_svr_default_on_error: message-controller: req-id=101, num_try=1, read=0, reason=4
[93] fds_mctrl_update_done: update task was not successful.

 

The minimum TLS version can be changed in the global settings, as shown below.

 

# config system global

(global) # set ssl-min-proto-version TLSv1-2  <----- Modified it from TLSv1-3 to TLSv1-2.
(global) # end

 

The SSL connection is established after modifying the TLS version.

 

[568] fds_https_start_server: server: 208.91.113.103:443
[569] fds_https_start_server: source-ip: 0.0.0.0:0
[112] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[722] ssl_ctx_create_new_ex: SSL CTX is created
[749] ssl_new: SSL object is created
[80] https_create: proxy server 0.0.0.0 port:0
[481] fds_https_connect: https_connect(208.91.113.103:443) is established.
[267] fds_svr_default_on_established: log-controller has connected to ip=208.91.113.103:443
[274] fds_svr_default_on_established: server-log-controller handles cmd-111
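
The following is an added example, not Fortinet code: a small Python parser for saved `forticldd` debug output that reports, for each server, whether the HTTPS connection was established or failed, and the OpenSSL reason when it failed. The function names are assumptions of this example, and the sample input is copied from the debug lines shown in this article.

```python
import re

# "[568] fds_https_start_server: server: ..." -> (function, message)
LINE = re.compile(r"^\[\d+\]\s+(\w+):\s+(.*)$")
ENDPOINT = re.compile(r"https_connect\(([\d.]+:\d+)\)")
# OpenSSL error string: error:<code>:<library>:<function>:<reason>
OPENSSL_ERR = re.compile(r"error:([0-9A-Fa-f]{8}):[^:]*:[^:]*:(.+)$")

def summarize(debug_text):
    """Map each server in forticldd debug output to (status, reason)."""
    results, reason = {}, None
    for raw in debug_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a debug line (prompt, blank line, ...)
        func, msg = m.groups()
        if func == "ssl_connect":
            err = OPENSSL_ERR.search(msg)
            if err and err.group(1) != "00000000":
                reason = err.group(2).strip()  # e.g. the TLS alert text
        elif func == "fds_https_connect":
            ep = ENDPOINT.search(msg)
            if ep and "is established" in msg:
                results[ep.group(1)] = ("established", None)
            elif ep and "failed" in msg:
                results[ep.group(1)] = ("failed", reason)
            reason = None  # the reason belongs to one attempt only
    return results

def is_tls_version_mismatch(result):
    """True when the handshake failed with a protocol version alert."""
    status, reason = result
    return (status == "failed" and reason is not None
            and "alert protocol version" in reason)

# Sample: lines copied from the debug output shown in this article.
SAMPLE = """\
[568] fds_https_start_server: server: 208.91.113.184:443
[968] ssl_connect: SSL_connect failes: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
[475] fds_https_connect: https_connect(208.91.113.184:443) failed: ssl_connect() failed: 6 (error:00000000:lib(0):func(0):reason(0)).
[568] fds_https_start_server: server: 208.91.113.103:443
[481] fds_https_connect: https_connect(208.91.113.103:443) is established.
"""

if __name__ == "__main__":
    for server, result in summarize(SAMPLE).items():
        hint = "check ssl-min-proto-version" if is_tls_version_mismatch(result) else ""
        print(server, result[0], result[1] or "", hint)
```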
