Description
This article describes how to troubleshoot the FortiGuard communication problem where web filtering/rating is working but the update fails.
Scope
FortiGate v7.0.x and above.
Solution
Web filter/web rating is working fine:
But, there is a warning 'Unable to connect to FortiGuard servers'.
Performing debug update:
FGT # diagnose debug application update -1
Debug messages will be on for 30 minutes.
FGT # diagnose debug enable
FGT # execute update-now
FGT # upd_pkg_recv[1716]-Error receiving pkg header len=0 hdr=64
__upd_act_update[303]-Failed receiving update rsp
upd_comm_disconnect_fds[499]-Disconnecting FDS 12.34.97.16:443
The solution is to decrease the MTU value on the WAN interface.
config system interface
edit "wan1"
set vdom "root"
set ip 192.168.1.100 255.255.255.0
set type physical
set snmp-index 1
set mtu-override enable -> Execute this command first before setting the MTU.
set mtu 1300
next
end
Cross-check if the MTU is adjusted to the new value:
fnsysctl ifconfig wan1
wan1 Link encap:Ethernet HWaddr AC:71:2E:FB:12:5C
inet addr:192.168.1.100 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1300 Metric:1
RX packets:463440525 errors:0 dropped:0 overruns:0 frame:0
TX packets:229019559 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:504513214234 (469.9 GB) TX bytes:141377840823 (131.7 GB)
The MTU value 1300 will solve the below error 'Failed receiving ha-contract rsp' related to the HA cluster's lost connection with the FortiCloud portal.
2024-12-23 14:20:01 upd_pkg_create_update_req[693]-Update comp 0x410
2024-12-23 14:20:01 pack_obj[185]-Packing obj=Protocol=3.2|Command=Update|Firmware=FG120G-FW-7.02-1706|SerialNumber=FG120GTK24006601|UpdateMethod=0|AcceptDelta=0|Cont
ractItem=FG120GTK24006xxx*FG120GTK24006yyy|DataItem=01000000FSCI00100-00000.00000-0000000000
2024-12-23 14:21:01 upd_pkg_recv[1712]-Error receiving pkg header len=0 hdr=64
2024-12-23 14:22:31 upd_act_virus_stat[565]-Failed receiving ring rsp <----
2024-12-23 14:21:01 __upd_act_update[297]-Failed receiving ha-contract rsp <------
2024-12-23 14:21:01 upd_comm_disconnect_fds[498]-Disconnecting FDS 173.243.142.6:443
2024-12-23 14:21:01 [206] __ssl_data_ctx_free: Done
2024-12-23 14:21:01 [1094] ssl_free: Done
2024-12-23 14:21:01 [198] __ssl_cert_ctx_free: Done
2024-12-23 14:21:01 [1104] ssl_ctx_free: Done
2024-12-23 14:21:01 [1085] ssl_disconnect: Shutdown
2024-12-23 14:21:01 upd_act_HA_contract_info[739]-Error updating FSCI -1
2024-12-23 14:21:01 do_update[678]-UPDATE failed
The Ping Test:
To find the optimum MSS/MTU value of the network, do the 'ping test' to find the MTU and then reduce 40 from that value and set that as tcp-mss in the firewall policy.
For MS Windows OS client, enter:
ping -f -l <size> <server ip>
For Apple MAC OS client, enter:
ping -D -s <size> <server_ip>
From FortiOS, enter:
execute ping-options data-size <size>
execute ping-options df-bit yes
execute ping <server ip>
For a 1500-byte MTU, 1500-28 (20 bytes=IP header and 8 bytes=ICMP header) = 1472.
If the packet needs to be fragmented but the DF bit is set, the MTU is less than 1500 bytes. Suppose it is possible to ping with a size of 1400 but not with a size of 1401, this means that the MTU value is 1400+28=1428 bytes. The solution is either to fix the MTU in the network device or to set the TCP MSS in the firewall policy to 1428-40=1388 bytes.
In this case, 1388 is the MTU size.
config system interface
edit "wan1"
set vdom "root"
set ip 192.168.1.100 255.255.255.0
set type physical
set snmp-index 1
set mtu-override enable -> Execute this command first before setting the MTU.
set mtu 1388
next
end
edit "wan1"
set vdom "root"
set ip 192.168.1.100 255.255.255.0
set type physical
set snmp-index 1
set mtu-override enable -> Execute this command first before setting the MTU.
set mtu 1388
next
end
Related documents:
Technical Tip: Define MTU size larger than 1500 on VLAN interfaces
