FortiGate
Dhruvin_patel
Article Id 416592
Description

This article describes how to resolve an issue where the exact location of VPN users cannot be determined.

Scope

FortiGate.

Solution

The VPN location map shows the country from where the VPN user is connected, but it does not show the exact location.

Querying the VPN user's location from the CLI returns the following error:

 

diagnose geoip geoip-query xxx.xxx.xx.xx

Error while getting geoip info (err:-4)

 

Here, xxx.xxx.xx.xx is the VPN user's public IP address.

 

The error 'Error while getting geoip info (err:-4)' means the system cannot contact the required GeoIP database due to a network or DNS issue, or a failed update.

 

To resolve this issue, follow the steps below:

 

  • Check connectivity to the FortiGuard servers by ensuring the FortiGate can correctly resolve DNS for the following hostnames:

 

execute ping service.fortiguard.net

execute ping update.fortiguard.net

execute ping guard.fortinet.net

execute ping globalgip.fortinet.net

 

To further troubleshoot FortiGuard connectivity issues, refer to Troubleshooting Tip: Unable to connect to FortiGuard servers.

 

  • Check the current version of the GeoIP database:

 

diagnose autoupdate versions | grep -A7 Geo
IP Geography DB
---------
Version: 3.00300
Contract Expiry Date: n/a
Last Updated using manual update on Tue Sep 30 18:43:00 2025
Last Update Attempt: Tue Oct 7 09:05:43 2025
Result: No Updates

 

To update the GeoIP database, run the following command:

 

execute update-geo-ip 
 
If the database still has not been updated, refer to: How to update the GeoIP database.
 
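  • Change the FortiGuard settings from the default configuration. The settings below disable anycast, switch FortiGuard communication to UDP on port 8888, set the SDNS server IPs explicitly, and also disable automatic firmware upgrades: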

 

config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 8888
    set auto-firmware-upgrade disable
    set sdns-server-ip "208.91.112.220" "173.243.140.53" "210.7.96.53"
end

 

After following the above steps, the FortiGate should be able to determine the exact location of the connected VPN user.

 


CLI:

 

diagnose geoip geoip-query 174.116.88.73
IP: xxx.xxx.xx.xx
{
"city":{
"geoname_id":8581623,
"names":{
"en":"Ottawa"
}
},
"continent":{
"code":"NA",
"names":{
"en":"North America"
}
},
"country":{
"iso_code":"CA",
"names":{
"en":"Canada"
}
},
"subdivisions":[
{
"iso_code":"ON",
"names":{
"en":"Ontario"
}
}
],
"location":{
"latitude":45.421532,
"longitude":-75.697189,
"time_zone":"America\/Toronto"
},
"postal":{
"code":"K2P"
}
}
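
For auditing VPN logins off-box, the query output above can be parsed into a flat record. The following Python is an added example, not part of the original article or any Fortinet tooling. It handles both the err:-4 failure line and the JSON reply; the sample text, the "FGT #" prompt, the 203.0.113.10 address and the "precision" field are constructed assumptions.

```python
import json
import re

# Error line exactly as shown in the article, e.g. "(err:-4)".
ERR_RE = re.compile(r"Error while getting geoip info \(err:(-?\d+)\)")

def _name(node):
    # English name from a {"names": {"en": ...}} node, or None.
    return ((node or {}).get("names") or {}).get("en")

def parse_geoip_query(output):
    """Flatten captured 'diagnose geoip geoip-query <ip>' output into a dict."""
    err = ERR_RE.search(output)
    if err:
        return {"ok": False, "error_code": int(err.group(1))}
    start = output.find("{")  # skip the command echo and the "IP:" line
    if start == -1:
        return {"ok": False, "error_code": None}
    try:
        # raw_decode tolerates trailing text such as the next CLI prompt.
        doc, _ = json.JSONDecoder().raw_decode(output[start:])
    except json.JSONDecodeError:
        return {"ok": False, "error_code": None}
    loc = doc.get("location") or {}
    city = _name(doc.get("city"))
    return {
        "ok": True,
        "country": (doc.get("country") or {}).get("iso_code"),
        "region": [s.get("iso_code") for s in doc.get("subdivisions") or []],
        "city": city,
        "postal": (doc.get("postal") or {}).get("code"),
        "lat": loc.get("latitude"),
        "lon": loc.get("longitude"),
        "time_zone": loc.get("time_zone"),
        # Assumption: a reply without a city name is country-level only.
        "precision": "city" if city else "country",
    }

# Constructed samples in the article's output format (documentation IP).
SAMPLE_OK = """diagnose geoip geoip-query 203.0.113.10
IP: 203.0.113.10
{"city":{"geoname_id":8581623,"names":{"en":"Ottawa"}},
"country":{"iso_code":"CA","names":{"en":"Canada"}},
"subdivisions":[{"iso_code":"ON","names":{"en":"Ontario"}}],
"location":{"latitude":45.421532,"longitude":-75.697189,"time_zone":"America\\/Toronto"},
"postal":{"code":"K2P"}}
FGT #"""
SAMPLE_ERR = "diagnose geoip geoip-query 203.0.113.10\nError while getting geoip info (err:-4)\n"

if __name__ == "__main__":
    print(parse_geoip_query(SAMPLE_OK), parse_geoip_query(SAMPLE_ERR))
```

A record with "ok" set to False and error code -4 indicates the GeoIP lookup failure described earlier, so the troubleshooting steps above apply before the location data can be trusted.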