FortiGate
iskandar_lie
Staff
Article Id 250285
Description

This article describes how to troubleshoot FortiGate Cloud Logging unreachable: 'tcps connect error'.

FortiGate Cloud central management shows connected, but the FortiGate Cloud logging is unreachable.

Scope

FortiGate HA mode.
Solution

Use the command below to check the FortiGate Cloud connection.

FortiOS v7.2.3 and below:

diagnose test application miglogd 20

FortiOS v7.2.4 and above:

diagnose test application fgtlogd 20

Example output:

FGT # diagnose test application miglogd 20
Home log server:
Address: 154.52.10.139:514
Alternative log server:
Address: 154.52.10.133:514
FazCloud log server:
Address:
oftp connection haven't been established
Debug zone info:
Server IP: 154.52.10.133
Server port: 514
Server status: unknown
Server log status: enabled
Log quota: 500000000MB
Log used: 0MB
Daily volume: 1000000MB
FDS arch pause: 0
fams archive pause: 0

The account is registered:

FGT # diagnose test application forticldd 1
System=FGT Platform=FGT80F
Management vdom: root, id=0, ha=primary.
acct_id=fortinet@customer.de
acct_st=OK

The miglogd debug output shows 'Binded interface index: 0' followed by 'tcps connect error':

FGT # diagnose debug application miglogd -1 

FGT # 2023-01-11 08:50:08 <299> __get_log_proc_ctx()-955: Warning: vfid=1 max_vfid=16 reqlen=104 logid=14 flags=0x400
2023-01-11 08:50:08 miglog_socket_set_interface()-225: Binded interface index: 0.
2023-01-11 08:50:08 pid:299-__oftp_connect()-878: failed to connect tcp.
2023-01-11 08:50:08 miglog_socket_set_interface()-225: Binded interface index: 0.
2023-01-11 08:50:09 pid:201-__oftp_connect()-878: failed to connect tcp.
2023-01-11 08:50:09 <201> miglog_start_rmt_conn()-1553: oftp_connect(fds) failed: tcps connect error.

Sniff the communication port used for logging to FortiGate Cloud (TCP port 514). The logging traffic is sent out via vsys_hamgmt, the Reserved Management Interface:

FGT # diagnose sniffer packet any "port 514" 4
interfaces=[any]
filters=[port 514]
122.049115 vsys_hamgmt out 127.0.0.1.5595 -> 127.0.0.1.514: syn 483511894
122.049127 vsys_hamgmt in 127.0.0.1.5595 -> 127.0.0.1.514: syn 483511894
122.049169 vsys_hamgmt out 127.0.0.1.514 -> 127.0.0.1.5595: rst 0 ack 483511895
122.049174 vsys_hamgmt in 127.0.0.1.514 -> 127.0.0.1.5595: rst 0 ack 483511895

This is because 'ha-direct' is enabled. When 'ha-direct' is enabled under the HA configuration, all logging services (FortiAnalyzer, FortiGate Cloud, Syslog, etc.) use the Reserved Management Interface for outgoing traffic.

FGT# config system ha 

    set ha-direct enable   <--- default setting is disabled.
end
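To make the triage above repeatable, the following added Python example (not part of this article or of FortiOS) parses the sniffer and miglogd debug output shown in this article and reports whether port 514 logging traffic is leaving via vsys_hamgmt and failing with 'tcps connect error', which is the signature of 'ha-direct' being enabled without a usable path from the Reserved Management Interface. The two sample inputs are constructed from the output above; the function and field names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: sniffer output as shown in this article (not a live capture).
SNIFFER_SAMPLE = """interfaces=[any]
filters=[port 514]
122.049115 vsys_hamgmt out 127.0.0.1.5595 -> 127.0.0.1.514: syn 483511894
122.049127 vsys_hamgmt in 127.0.0.1.5595 -> 127.0.0.1.514: syn 483511894
122.049169 vsys_hamgmt out 127.0.0.1.514 -> 127.0.0.1.5595: rst 0 ack 483511895
122.049174 vsys_hamgmt in 127.0.0.1.514 -> 127.0.0.1.5595: rst 0 ack 483511895
"""

# Constructed sample: 'diagnose debug application miglogd -1' lines from this article.
MIGLOGD_DEBUG_SAMPLE = """2023-01-11 08:50:08 miglog_socket_set_interface()-225: Binded interface index: 0.
2023-01-11 08:50:08 pid:299-__oftp_connect()-878: failed to connect tcp.
2023-01-11 08:50:09 <201> miglog_start_rmt_conn()-1553: oftp_connect(fds) failed: tcps connect error.
"""

# One 'diagnose sniffer packet' line: timestamp, interface, direction,
# src.port -> dst.port: first TCP flag word.
SNIFFER_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flag>\w+)"
)


@dataclass
class Packet:
    ts: float
    iface: str
    direction: str
    src: str
    sport: int
    dst: str
    dport: int
    flag: str


def parse_sniffer(text: str) -> List[Packet]:
    """Parse sniffer lines; header lines such as 'filters=[port 514]' are skipped."""
    packets = []
    for line in text.splitlines():
        m = SNIFFER_RE.match(line.strip())
        if m:
            packets.append(Packet(float(m["ts"]), m["iface"], m["dir"],
                                  m["src"], int(m["sport"]),
                                  m["dst"], int(m["dport"]), m["flag"]))
    return packets


def triage(sniffer_text: str, debug_text: str, log_port: int = 514) -> Dict:
    """Correlate the sniffer capture with the miglogd debug output."""
    pkts = parse_sniffer(sniffer_text)
    syns = [p for p in pkts if p.dport == log_port and p.flag == "syn"]
    resets = [p for p in pkts if p.sport == log_port and p.flag == "rst"]
    egress = sorted({p.iface for p in syns})
    result = {
        "egress_interfaces": egress,          # where the SYNs to the log port go out
        "syn_count": len(syns),
        "rst_count": len(resets),             # log port answering with RST = no session
        "via_hamgmt": "vsys_hamgmt" in egress,
        "tcps_connect_error": "tcps connect error" in debug_text,
        "bound_index_zero": "Binded interface index: 0" in debug_text,
    }
    # The article's signature: logging leaves via the reserved management
    # interface (ha-direct enabled) and the TCP connect fails.
    result["ha_direct_suspected"] = result["via_hamgmt"] and result["tcps_connect_error"]
    return result


def recommendation(result: Dict) -> str:
    """Map the finding to the two fixes this article gives."""
    if result["ha_direct_suspected"]:
        return ("Logging egresses via vsys_hamgmt: either disable ha-direct "
                "(config system ha / set ha-direct disable) or give the Reserved "
                "Management Interface a route to FortiGate Cloud.")
    if result["tcps_connect_error"]:
        return "tcps connect error without vsys_hamgmt egress: check the route to the log server."
    return "No FortiGate Cloud logging connectivity problem detected in the supplied output."


if __name__ == "__main__":
    r = triage(SNIFFER_SAMPLE, MIGLOGD_DEBUG_SAMPLE)
    print(r)
    print(recommendation(r))
```

Paste the real output of the two diagnose commands in place of the constructed samples; the check only reads the interface name, the port and the flag word on each sniffer line, so it works on any 'diagnose sniffer packet ... 4' verbosity capture.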


To prevent logging traffic from being sent out via the Reserved Management Interface, disable 'ha-direct':

FGT# config system ha 

    set ha-direct disable
end

Another way to resolve the issue is to give the Reserved Management Interface an internet connection, so that the FortiGate can reach the FortiGate Cloud server from it.

If 'ha-direct' has to stay enabled for logging purposes, follow this KB article:

Technical Tip: How to specify an outgoing interface for logging to external devices in a FortiGate c... 


Related documents:

Routing data over the HA management interface

Managing individual cluster units using a reserved management interface