Description
This article provides basic troubleshooting steps that can be used when a FortiMail device is not able to register to the FortiGuard servers.
Solution
Check that the FortiMail can reach the following hosts:
# execute ping service.fortiguard.net
# execute ping update.fortiguard.net
If the FortiMail is able to reach those hosts, the following debug can be enabled to gather more detailed information about how the connection to the FortiGuard servers is made:
# diagnose debug disable
# diagnose debug application updated 7
# diagnose debug enable
# execute update now
Output similar to the sample below shows which FortiGuard server the FortiMail is trying to use for registration, and it can be seen that the connection uses TCP port 443 for encrypted traffic.
upd_daemon.c[783] upd_daemon-try update
upd_daemon.c[377] do_update-Starting scheduled UPDATE (not final retry)
upd_act.c[381] upd_act_update-Trying FDS 173.243.138.78:443 with AcceptDelta=1
upd_comm.c[228] tcp_connect_fds-Proxy tunneling is disabled
If a FortiGate device or a firewall from another vendor is used to give Internet access to the FortiMail, make sure that no SSL deep inspection profile is enabled in the policy created for it.
If the firewall that gives Internet access to the FortiMail applies no connection restriction, the following sniffer can be collected via the CLI for further troubleshooting and analysis:
# diagnose sniffer packet any 'host X.X.X.X' 6 0 l
where X.X.X.X is the IP address of the FortiGuard Server collected when running the updated debug.
Open a new SSH session to the FortiMail or use the console included in the GUI to run the following command:
Let the sniffer run for a while, then stop it with CTRL+C when the output stops displaying information.
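The following Python helper is an added example, not part of the original article or of any Fortinet tooling. It parses saved output of the updated debug and fills the FortiGuard server address into the sniffer command shown above; the line format is assumed from the four sample lines in this article, and the function names are hypothetical.

```python
import ipaddress
import re

# Line shape inferred from the sample output in this article (an assumption):
#   <file>.c[<line>] <function>-<message>
LINE_RE = re.compile(r"^\S+\.c\[\d+\]\s+(\w+)-(.*)$")
FDS_RE = re.compile(r"Trying FDS (\S+):(\d+)\b")
PROXY_RE = re.compile(r"Proxy tunneling is (\w+)")

# The four debug lines shown in the article.
SAMPLE = """\
upd_daemon.c[783] upd_daemon-try update
upd_daemon.c[377] do_update-Starting scheduled UPDATE (not final retry)
upd_act.c[381] upd_act_update-Trying FDS 173.243.138.78:443 with AcceptDelta=1
upd_comm.c[228] tcp_connect_fds-Proxy tunneling is disabled
"""


def parse_update_debug(text):
    """Return {'servers': [(ip, port), ...], 'proxy_tunneling': str or None}."""
    result = {"servers": [], "proxy_tunneling": None}
    for raw in text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # CLI prompts, blank lines, unrelated output
        msg = line.group(2)
        fds = FDS_RE.search(msg)
        proxy = PROXY_RE.search(msg)
        if fds:
            try:
                ip = str(ipaddress.ip_address(fds.group(1)))
            except ValueError:
                continue  # not a literal IP address: skip rather than guess
            entry = (ip, int(fds.group(2)))
            if entry not in result["servers"]:  # retries repeat the same server
                result["servers"].append(entry)
        elif proxy:
            result["proxy_tunneling"] = proxy.group(1)
    return result


def sniffer_commands(parsed):
    """The article's sniffer command with X.X.X.X filled in, one per server."""
    return [f"diagnose sniffer packet any 'host {ip}' 6 0 l" for ip, _ in parsed["servers"]]


if __name__ == "__main__":
    for cmd in sniffer_commands(parse_update_debug(SAMPLE)):
        print(cmd)
```

A port other than 443 in the parsed `servers` list, or a proxy tunneling state other than the one expected for the deployment, is worth checking before moving on to the packet capture.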