FortiGate
esalija (Staff)
Article Id 367884
Description: This article describes how to fix the error 'Server certificate failed verification. Error: 20 (unable to get local issuer certificate)' received during FortiGuard updates.
Scope: FortiGate, FortiGuard.
Solution
  • The FortiGate HA cluster cannot connect to the FortiGuard servers.
  • When the HA cluster is forced to retrieve the latest update from FortiGuard, the output shows the message 'Error: 20 (unable to get local issuer certificate)'.

To collect the update debug output, run:

diagnose debug reset
diagnose debug console time enable
diagnose debug app update -1
diagnose debug enable
execute update-now


To disable debugging afterwards:

diagnose debug disable
diagnose debug reset


The update debug output shows the following error:

upd_act_HA_contract_info[723]-ContractItem FG200Fxxxxxxxxxx70*FG200Fxxxxxxxxxx71
upd_comm_connect_fds[458]-Trying FDS 173.243.140.6:443
[187] ssl_add_ftgd_hostname_check: Add hostname checking 'globalupdate.fortinet.net'
__upd_peer_vfy[329]-Server certificate failed verification. Error: 20 (unable to get local issuer certificate), depth: 0, subject: /jurisdictionC=US/jurisdictionST=Delaware/businessCategory=Private Organization/serialNumber=3321792/C=US/ST=California/L=Sunnyvale/O=Fortinet, Inc./CN=globalupdate.fortinet.net.
ssl_connect_fds[392]-Failed SSL connecting (5,0,Success)
upd_comm_connect_fds[477]-Failed SSL connect
upd_act_HA_contract_info[745]-Error updating FSCI -1

  • The first solution is to force a hard HA failover on the primary unit FG200Fxxxxxxxxxx70 with the command:

execute ha failover set

  • After the hard HA failover, force the new primary unit FG200Fxxxxxxxxxx71 to retrieve the latest FortiGuard updates with execute update-now.

  • The second solution is to disable FortiGuard Anycast on the primary FortiGate FG200Fxxxxxxxxxx70 and then retrieve the latest FortiGuard updates:

config system fortiguard
    set fortiguard-anycast disable
end
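As an added example (not part of this article and not Fortinet code), the following Python script parses the update debug output shown above and pulls out the FDS server the FortiGate tried, the hostname it expected, and the OpenSSL verification result, then classifies the failure. Error 20 is OpenSSL's X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: the issuer of the certificate presented at the reported chain depth was not found in the local trust store, which is why the SSL connection to FDS is rejected before the update starts. The sample log is the one from this article; the function names, field names and the small code table are assumptions of this example.

```python
import re
from typing import Dict

# Debug output as printed in this article (serial numbers are masked there too).
SAMPLE_DEBUG = """\
upd_act_HA_contract_info[723]-ContractItem FG200Fxxxxxxxxxx70*FG200Fxxxxxxxxxx71
upd_comm_connect_fds[458]-Trying FDS 173.243.140.6:443
[187] ssl_add_ftgd_hostname_check: Add hostname checking 'globalupdate.fortinet.net'
__upd_peer_vfy[329]-Server certificate failed verification. Error: 20 (unable to get local issuer certificate), depth: 0, subject: /jurisdictionC=US/jurisdictionST=Delaware/businessCategory=Private Organization/serialNumber=3321792/C=US/ST=California/L=Sunnyvale/O=Fortinet, Inc./CN=globalupdate.fortinet.net.
ssl_connect_fds[392]-Failed SSL connecting (5,0,Success)
upd_comm_connect_fds[477]-Failed SSL connect
upd_act_HA_contract_info[745]-Error updating FSCI -1
"""

# Patterns for the three debug lines that matter for the TLS handshake to FDS.
FDS_RE = re.compile(r"Trying FDS (?P<ip>[\d.]+):(?P<port>\d+)")
HOST_RE = re.compile(r"Add hostname checking '(?P<host>[^']+)'")
VFY_RE = re.compile(
    r"Server certificate failed verification\. Error: (?P<code>\d+) "
    r"\((?P<msg>[^)]+)\), depth: (?P<depth>\d+), subject: (?P<subject>.*?)\.?$"
)
CN_RE = re.compile(r"/CN=(?P<cn>[^/]+)")

# OpenSSL X509 verify result codes the update daemon reports (subset).
VERIFY_NAMES = {
    10: "X509_V_ERR_CERT_HAS_EXPIRED",
    18: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    21: "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE",
    62: "X509_V_ERR_HOSTNAME_MISMATCH",
}


def parse_update_debug(text: str) -> Dict[str, object]:
    """Extract the FDS target, expected hostname and verify result from debug output."""
    summary: Dict[str, object] = {
        "fds_server": None,
        "expected_hostname": None,
        "verify_error": None,
        "verify_name": None,
        "verify_message": None,
        "depth": None,
        "subject_cn": None,
        "ssl_connect_failed": False,
    }
    for line in text.splitlines():
        if m := FDS_RE.search(line):
            summary["fds_server"] = f"{m['ip']}:{m['port']}"
        elif m := HOST_RE.search(line):
            summary["expected_hostname"] = m["host"]
        elif m := VFY_RE.search(line):
            code = int(m["code"])
            summary["verify_error"] = code
            summary["verify_name"] = VERIFY_NAMES.get(code, f"unknown({code})")
            summary["verify_message"] = m["msg"]
            summary["depth"] = int(m["depth"])
            cn = CN_RE.search(m["subject"])
            summary["subject_cn"] = cn["cn"] if cn else None
        elif "Failed SSL connect" in line:
            summary["ssl_connect_failed"] = True
    return summary


def classify(summary: Dict[str, object]) -> str:
    """Turn the parsed summary into a one-word finding for a runbook or alert."""
    code = summary["verify_error"]
    if code is None:
        return "no_verification_failure"
    if code == 20:
        # The issuer of the certificate at the reported depth is not in the
        # local CA store. The article resolves this on an HA cluster with a
        # hard failover or by disabling fortiguard-anycast.
        return "issuer_not_trusted"
    cn, expected = summary["subject_cn"], summary["expected_hostname"]
    if cn and expected and cn != expected:
        return "hostname_mismatch"
    return f"verify_error_{code}"


if __name__ == "__main__":
    result = parse_update_debug(SAMPLE_DEBUG)
    for key, value in result.items():
        print(f"{key:>18}: {value}")
    print(f"{'finding':>18}: {classify(result)}")
```

Paste the output of `diagnose debug app update -1` into the script's input to see the same fields; the `depth: 0` in the article's log tells you it is the server's own leaf certificate whose issuer could not be located, not an intermediate further up the chain.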
Related article:

Troubleshooting Tip: FortiGuard Update Fail - Server certificate failed verification