bbae
Staff
Article Id: 268182
Description: This article describes how to resolve the 'Unable to load VPN map from server' error.
Scope: FortiGate, IPSec VPN, VPN, 7.0.11 and above, 7.2.1 and above.
Solution

When selecting 'VPN Location Map', the GUI sometimes fails to load and instead raises the error 'Unable to load VPN map from the server'.

 

Step 1: Check DNS and Connectivity to mapserver.fortinet.com.

 

exe ping mapserver.fortinet.com

Unable to resolve hostname.

 

In this case, the FortiGate is unable to resolve the name. Ensure that the DNS settings on the FortiGate are correct by going to Network -> DNS.

 

exe ping mapserver.fortinet.com

PING mapserver.fortinet.com (208.91.114.183): 56 data bytes

 

--- mapserver.fortinet.com ping statistics ---

5 packets transmitted, 0 packets received, 100% packet loss

 

In this case, the FortiGate can resolve the name correctly but there is no connectivity.

 

exe ping mapserver.fortinet.com

PING mapserver.fortinet.com (208.91.114.183): 56 data bytes

64 bytes from 208.91.114.183: icmp_seq=0 ttl=57 time=54.9 ms

64 bytes from 208.91.114.183: icmp_seq=1 ttl=57 time=55.7 ms

64 bytes from 208.91.114.183: icmp_seq=2 ttl=57 time=54.5 ms

64 bytes from 208.91.114.183: icmp_seq=3 ttl=57 time=54.5 ms

64 bytes from 208.91.114.183: icmp_seq=4 ttl=57 time=54.5 ms

 

--- mapserver.fortinet.com ping statistics ---

5 packets transmitted, 5 packets received, 0% packet loss

round-trip min/avg/max = 54.4/54.4/54.4 ms

 

Step 2: Check connectivity on port 443.

 

exe telnet mapserver.fortinet.com 443

Trying 208.91.114.183...

Connected to 208.91.114.183

 

Step 3: A feature to validate certificates of 'mapserver.fortinet.com' was introduced in v7.2.1 and v7.0.11.

FortiGate's default certificate store does not trust all of the certificates in the chain of 'mapserver.fortinet.com', so the map does not load.

 

After manually downloading all CA certificates in the chain from 'mapserver.fortinet.com' and uploading them to FortiGate as trusted CAs, the VPN Location Map will load successfully. See the steps below.

 

  1. Manually download the CA in the chain from 'mapserver.fortinet.com'. Alternatively, download the certificate from DigiCertGlobal here.

  2. Upload it to FortiGate as a trusted CA.

  3. Test to see if it works as intended.
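
The three checks above (DNS, TCP port 443, certificate chain) can also be run from an administrator workstation to see which stage fails. This is an added example, not Fortinet code: `diagnose` and its parameters are hypothetical names, and the result reflects the workstation's network path and trust store (or the PEM bundle passed as `cafile`), not the FortiGate's.

```python
import socket
import ssl


def diagnose(host, port=443, cafile=None, timeout=5.0):
    """Return (stage, detail); stage is 'dns', 'tcp', 'tls' or 'ok'."""
    # Stage 1: name resolution (Step 1, the "Unable to resolve hostname" case).
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns", f"cannot resolve {host}: {exc}"

    # Stage 2: TCP reachability on the port (the telnet check on 443).
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "tcp", f"cannot connect to {host}:{port}: {exc}"

    # Stage 3: TLS handshake with chain and hostname validation (Step 3).
    # cafile=None uses the system trust store; pass a PEM bundle to test
    # against one specific set of trusted CAs instead.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
            return "ok", f"chain trusted; leaf issued by {issuer.get('commonName')}"
    except ssl.SSLCertVerificationError as exc:
        # A CA in the chain is missing from the trust store (or the name mismatches).
        return "tls", f"certificate not trusted: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        return "tls", f"handshake failed: {exc}"
    finally:
        sock.close()  # harmless if wrap_socket already took over the descriptor


if __name__ == "__main__":
    stage, detail = diagnose("mapserver.fortinet.com")
    print(f"{stage}: {detail}")
```

A 'tls' result with "certificate not trusted" while 'dns' and 'tcp' pass corresponds to the Step 3 situation, where the missing CA has to be added to the trust store.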

 

Related article:

Technical Tip: Working of VPN location map.