Solution
Symptoms:
After attempting to refresh a device that went offline, FortiManager displays the following message: 'Failed to update device information'.

Analysis:
On the FortiGate, run the following troubleshooting command:
Branch1 (root) # diagnose debug application fgfmd -1
Branch1 (root) # diagnose debug enable
The debug output shows that the FortiGate cannot validate the certificate presented by the FortiManager and reports 'certificate is not yet valid':
Branch1 (root) # FGFMs: Create session 0xa1807b0.
FGFMs: setting session 0xa1807b0 exclusive=0
FGFMs: Connect to 192.168.1.223:541, local 192.168.1.99:3181.
FGFMs: set_fgfm_sni SNI<support.fortinet-ca2.fortinet.com>
FGFMs: Load Cipher [DHE-RSA-AES256-SHA256:AES256-SHA256:DHE-RSA-AES128-SHA256:AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:@STRENGTH]
FGFMs: Load TLS 1.3 Cipher [TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256]
FGFMs: before SSL initialization
FGFMs: CA to broadcast: subject fortinet-subca2003, issuer fortinet-ca2
FGFMs: CA to broadcast: subject support, issuer support
FGFMs: CA to broadcast: subject fortinet-ca2, issuer fortinet-ca2
FGFMs: CA to broadcast: subject fortinet-subca2001, issuer fortinet-ca2
FGFMs: Broadcast 4 CA subject names to FMG
FGFMs: SSLv3/TLS write client hello
FGFMs: SSLv3/TLS write client hello
FGFMs: SSLv3/TLS read server hello
FGFMs: SSLv3/TLS write change cipher spec
FGFMs: SSLv3/TLS write client hello
FGFMs: SSLv3/TLS write client hello
FGFMs: SSLv3/TLS read server hello
FGFMs: TLSv1.3 read encrypted extensions
FGFMs: SSLv3/TLS read server certificate request
FGFMs: Got 3 CA subject names from FMG broadcast
FGFMs: Remote CA subject is /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com.
FGFMs: issuer matching...try next if not match... local_issuer(support), remote_CA_subject(support)
FGFMs: CA issuer matched, local=remote=support, will use local certificate id 0
FGFMs: __clt_verify_callback: failed to verify cert 1 (subject support, issuer support), error (certificate is not yet valid)
FGFMs: SSL Alert write: fatal bad certificate
FGFMs: error
FGFMs: [__get_error:1043] error=1, errno=0,Success.
FGFMs: Cleanup session 0xa1807b0, 192.168.1.223.
FGFMs: Destroy session 0xa1807b0, 192.168.1.223.
FGFMs: Incoming ::ffff:192.168.1.223 local ::ffff:192.168.1.99.
FGFMs: Create session 0xa1807b0.
FGFMs: checking existing sessions...
FGFMs: set_fgfm_sni SNI<support.fortinet-ca2.fortinet.com>
FGFMs: Load Cipher [DHE-RSA-AES256-SHA256:AES256-SHA256:DHE-RSA-AES128-SHA256:AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:@STRENGTH]
FGFMs: Load TLS 1.3 Cipher [TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256]
FGFMs: before SSL initialization
FGFMs: CA to broadcast: subject fortinet-subca2003, issuer fortinet-ca2
FGFMs: CA to broadcast: subject support, issuer support
FGFMs: CA to broadcast: subject fortinet-ca2, issuer fortinet-ca2
FGFMs: CA to broadcast: subject fortinet-subca2001, issuer fortinet-ca2
FGFMs: Broadcast 4 CA subject names to FMG
FGFMs: SSLv3/TLS write client hello
FGFMs: SSLv3/TLS write client hello
FGFMs: SSLv3/TLS read server hello
FGFMs: SSLv3/TLS write change cipher spec
FGFMs: SSLv3/TLS write client hello
FGFMs: SSLv3/TLS write client hello
FGFMs: SSLv3/TLS read server hello
FGFMs: TLSv1.3 read encrypted extensions
FGFMs: SSLv3/TLS read server certificate request
FGFMs: Got 3 CA subject names from FMG broadcast
FGFMs: Remote CA subject is /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com.
FGFMs: issuer matching...try next if not match... local_issuer(support), remote_CA_subject(support)
FGFMs: CA issuer matched, local=remote=support, will use local certificate id 0
FGFMs: __clt_verify_callback: failed to verify cert 1 (subject support, issuer support), error (certificate is not yet valid)
FGFMs: SSL Alert write: fatal bad certificate
FGFMs: error
The most likely cause is that the NTP servers are not reachable, or that the time was set manually to a wrong value or is still at the factory default (2000-01-01 in the output below), so the FortiGate's clock predates the start of the certificate's validity period:
Branch1 (global) # execute date
current date is: 2000-01-01
Branch1 (global) # execute time
current time is: 02:02:47
Branch1 (ntp) # show full
config system ntp
set ntpsync disable
set type fortiguard
set syncinterval 60
set source-ip 0.0.0.0
set source-ip6 ::
set server-mode enable
set authentication disable
set interface "fortilink"
end
Branch1 (global) # diagnose sys ntp status
synchronized: no, ntpsync: disabled, server-mode: enabled
ipv4 server(ntp2.fortiguard.com) unresolved -- unreachable(0xff) S:0 T:0
no data
ipv4 server(ntp1.fortiguard.com) unresolved -- unreachable(0xff) S:0 T:0
no data
Resolution:
Ensure the NTP servers are reachable and check whether the date and time are set manually, making sure they match the timezone and settings on both the FortiManager and FortiGate.
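To correlate the three pieces of evidence above (the fgfmd verify error, the device clock and the NTP status) in one place, the following added Python helper parses constructed excerpts of the outputs quoted in this article; it is not a Fortinet tool, and it assumes the device clock is reported in UTC.

```python
import re
from datetime import datetime, timezone

# Constructed excerpts of the FortiGate output quoted in this article (not live data).
FGFMD_DEBUG = """\
FGFMs: CA issuer matched, local=remote=support, will use local certificate id 0
FGFMs: __clt_verify_callback: failed to verify cert 1 (subject support, issuer support), error (certificate is not yet valid)
FGFMs: SSL Alert write: fatal bad certificate
"""
NTP_STATUS = """\
synchronized: no, ntpsync: disabled, server-mode: enabled
ipv4 server(ntp2.fortiguard.com) unresolved -- unreachable(0xff) S:0 T:0
no data
ipv4 server(ntp1.fortiguard.com) unresolved -- unreachable(0xff) S:0 T:0
no data
"""
DATE_LINE, TIME_LINE = "current date is: 2000-01-01", "current time is: 02:02:47"

VERIFY_RE = re.compile(r"__clt_verify_callback: failed to verify cert \d+ "
                       r"\(subject (?P<subject>[^,]+), issuer (?P<issuer>[^)]+)\), "
                       r"error \((?P<error>[^)]+)\)")
SERVER_RE = re.compile(r"ipv4 server\((?P<host>[^)]+)\) \S+ -- (?P<reach>\w+)")

def device_clock(date_line, time_line):
    """Combine 'execute date' / 'execute time' output into an aware datetime (UTC assumed)."""
    d = re.search(r"(\d{4}-\d{2}-\d{2})", date_line).group(1)
    t = re.search(r"(\d{2}:\d{2}:\d{2})", time_line).group(1)
    return datetime.strptime(f"{d} {t}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def ntp_summary(status):
    """Return (synchronized?, [hosts not reported reachable]) from 'diagnose sys ntp status'."""
    synced = "synchronized: yes" in status.splitlines()[0]
    bad = [m["host"] for m in SERVER_RE.finditer(status) if m["reach"] != "reachable"]
    return synced, bad

def diagnose(debug, date_line, time_line, ntp_status, now=None, max_skew_days=1):
    """Correlate the fgfmd certificate error with the clock and NTP evidence."""
    now = now or datetime.now(timezone.utc)
    errors = [m.groupdict() for m in VERIFY_RE.finditer(debug)]
    skew_days = abs((now - device_clock(date_line, time_line)).days)
    synced, unreachable = ntp_summary(ntp_status)
    # A 'not yet valid' or 'expired' error plus large skew points at the clock, not the PKI.
    clock_error = any("not yet valid" in e["error"] or "expired" in e["error"] for e in errors)
    cause = "clock" if clock_error and skew_days > max_skew_days else ("other" if errors else None)
    return {"cert_errors": errors, "skew_days": skew_days, "ntp_synced": synced,
            "ntp_unreachable": unreachable, "likely_cause": cause}

if __name__ == "__main__":
    print(diagnose(FGFMD_DEBUG, DATE_LINE, TIME_LINE, NTP_STATUS))
```

Feed it the real outputs of the three commands and a `likely_cause` of `"clock"` with an empty `ntp_unreachable` list after the fix confirms that time, not the certificate chain, was the problem.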
Note:
On v7.4.7 or v7.6.2, if the date and time are set manually, they might be lost after a reboot. See: Known issues.