FortiGate
iskandar_lie
Staff
Article Id 257783
Description

 

This article describes how to troubleshoot the FortiGuard communication problem where web filtering/rating is working but the update fails.

 

Scope

 

FortiOS v7.0.x and above.

 

Solution

 

Web filter/web rating is working fine:

 

webfilter.PNG

 

However, a warning is shown: 'Unable to connect to FortiGuard servers'.

 

unable to connect to fguard.PNG

 

Enable the update debug and trigger an update:

 

FGT # diagnose debug application update -1
Debug messages will be on for 30 minutes.

FGT # diagnose debug enable

FGT # execute update-now

FGT # upd_pkg_recv[1716]-Error receiving pkg header len=0 hdr=64
__upd_act_update[303]-Failed receiving update rsp
upd_comm_disconnect_fds[499]-Disconnecting FDS 12.34.97.16:443

 

The solution is to decrease the MTU value on the WAN interface. Run 'set mtu-override enable' first, before setting the MTU.


config system interface
    edit "wan1"
        set vdom "root"
        set ip 192.168.1.100 255.255.255.0
        set type physical
        set snmp-index 1
        set mtu-override enable
        set mtu 1300
    next
end

 

Verify that the MTU has been adjusted to the new value:

 

fnsysctl ifconfig wan1
wan1 Link encap:Ethernet HWaddr AC:71:2E:FB:12:5C
inet addr:192.168.1.100 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1300 Metric:1
RX packets:463440525 errors:0 dropped:0 overruns:0 frame:0
TX packets:229019559 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:504513214234 (469.9 GB) TX bytes:141377840823 (131.7 GB)

 

Setting the MTU value to 1300 also solves the error below, 'Failed receiving ha-contract rsp', which is related to the HA cluster's lost connection with the FortiCloud portal.

 

2024-12-23 14:20:01 upd_pkg_create_update_req[693]-Update comp 0x410
2024-12-23 14:20:01 pack_obj[185]-Packing obj=Protocol=3.2|Command=Update|Firmware=FG120G-FW-7.02-1706|SerialNumber=FG120GTK24006601|UpdateMethod=0|AcceptDelta=0|ContractItem=FG120GTK24006xxx*FG120GTK24006yyy|DataItem=01000000FSCI00100-00000.00000-0000000000
2024-12-23 14:21:01 upd_pkg_recv[1712]-Error receiving pkg header len=0 hdr=64

2024-12-23 14:22:31 upd_act_virus_stat[565]-Failed receiving ring rsp  <<<<<<<<<<
2024-12-23 14:21:01 __upd_act_update[297]-Failed receiving ha-contract rsp  <<<<<<<<
2024-12-23 14:21:01 upd_comm_disconnect_fds[498]-Disconnecting FDS 173.243.142.6:443
2024-12-23 14:21:01 [206] __ssl_data_ctx_free: Done
2024-12-23 14:21:01 [1094] ssl_free: Done
2024-12-23 14:21:01 [198] __ssl_cert_ctx_free: Done
2024-12-23 14:21:01 [1104] ssl_ctx_free: Done
2024-12-23 14:21:01 [1085] ssl_disconnect: Shutdown
2024-12-23 14:21:01 upd_act_HA_contract_info[739]-Error updating FSCI -1
2024-12-23 14:21:01 do_update[678]-UPDATE failed
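
To find this signature in a saved capture of the update debug output, the following added example (not part of the original article and not Fortinet tooling) groups the lines into FortiGuard sessions and reports those where the package header arrived with len=0 and a response was never received. The function name and the embedded sample, which is constructed from the debug lines shown in this article, are assumptions made for illustration.

```python
import re

# Constructed sample: the debug lines shown in this article (both captures).
SAMPLE = """\
FGT # upd_pkg_recv[1716]-Error receiving pkg header len=0 hdr=64
__upd_act_update[303]-Failed receiving update rsp
upd_comm_disconnect_fds[499]-Disconnecting FDS 12.34.97.16:443
2024-12-23 14:20:01 upd_pkg_create_update_req[693]-Update comp 0x410
2024-12-23 14:21:01 upd_pkg_recv[1712]-Error receiving pkg header len=0 hdr=64
2024-12-23 14:22:31 upd_act_virus_stat[565]-Failed receiving ring rsp  <<<<<<<<<<
2024-12-23 14:21:01 __upd_act_update[297]-Failed receiving ha-contract rsp  <<<<<<<<
2024-12-23 14:21:01 upd_comm_disconnect_fds[498]-Disconnecting FDS 173.243.142.6:443
2024-12-23 14:21:01 do_update[678]-UPDATE failed
"""

# func[line]-message, optionally preceded by a CLI prompt or a timestamp.
LINE = re.compile(r"(?P<func>\w+)\[(?P<src>\d+)\]-(?P<msg>.*)")
HDR = re.compile(r"Error receiving pkg header len=(\d+) hdr=(\d+)")
RSP = re.compile(r"Failed receiving (\S+) rsp")
FDS = re.compile(r"Disconnecting FDS (\d+\.\d+\.\d+\.\d+):(\d+)")

def find_truncated_sessions(text):
    """Return one dict per FDS session in which a package header was expected
    but 0 bytes arrived, i.e. the failure signature shown in the article."""
    sessions, cur = [], {"empty_header": False, "failed_rsp": []}
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        msg = m.group("msg")
        if (h := HDR.search(msg)) and int(h.group(1)) == 0:
            cur["empty_header"] = True
        elif r := RSP.search(msg):
            cur["failed_rsp"].append(r.group(1))
        elif d := FDS.search(msg):
            # The disconnect closes the session; keep it only if it matches.
            if cur["empty_header"] and cur["failed_rsp"]:
                sessions.append({"server": d.group(1), "port": int(d.group(2)),
                                 "failed_rsp": cur["failed_rsp"]})
            cur = {"empty_header": False, "failed_rsp": []}
    return sessions

if __name__ == "__main__":
    for s in find_truncated_sessions(SAMPLE):
        print(f"FDS {s['server']}:{s['port']} - no data received for: "
              f"{', '.join(s['failed_rsp'])}; check the WAN interface MTU")
```

A match only says the capture looks like the ones in this article; confirm by lowering the MTU as described above and running the update again.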

 

Related article:

Technical Tip: Define MTU size larger than 1500 on VLAN interfaces