FortiManager
pdhillon
Staff
Article Id 396147
Description This article explains the various errors that may be encountered while adding a new FortiGate to FortiManager, and the possible solutions.
Scope FortiGate, FortiManager.
Solution

When onboarding a FortiGate to FortiManager, the process is usually seamless, but it can fail for various reasons. This article discusses the most common issues seen, along with their solutions.

To start troubleshooting, review the event logs on the FortiManager and run the fgfmsd debugs, which point to where the root cause lies. Follow the instructions in Technical Tip: How to troubleshoot connectivity issues between FortiGate and FortiManager to run fgfmsd debugs on the FortiManager.

Scenario 1: When trying to add a FortiGate to FortiManager, the error 'Unregistered device ignored' appears in the FortiManager fgfmsd debugs. This happens when 'fgfm-deny-unknown' is enabled on the FortiManager, which rejects FGFM connections from devices that are not yet registered (the current value can be checked with 'show system global'). To resolve this, either follow the special instructions in the KB article linked below to add the FortiGate while the setting stays enabled (the preferred option, since this setting is what stops unknown devices from connecting), or disable the setting on the FortiManager:

config system global
    set fgfm-deny-unknown disable
end

Instructions to add FortiGate to FortiManager with fgfm-deny-unknown enabled: Technical Tip: How to add FortiGate with its current config to FortiManager when 'set fgfm-deny-unkn....

Debugs snippet:


": "<unknown>", "version": 700}, "from": 1}, "url": "dvm\/cmd\/manage\/device"}], "session": -1}
FGFMs(FG101F1111111111-302-2.2.2.27): server:
get connect_tcp
localid=10744
chan_window_sz=32768
deflate=gzip
tcp_port=80

bind /var/tmp/fgfm/.fos.FG101F1111111111.rpc-FMG-0000000000-VLW1Gc OK.
Response [unknown]:{ "id": 9501, "result": [{ "status": { "code": -20012, "message": "Unregistered device ignored"}, <-----
"url-"dvm\/cmd\/manage\/device"}]}
FGFMs(probing...): Cleanup session 0x556647524780, 1.1.1.1.
FGFMs(probing...): Destroy session 0x556647524780, 1.1.1.1.
FGFMs(FG101F1111111111-302-2.2.2.27): fgfm_tcp_chan.c,__chan_write,278:error.
FGFMs(FG101F1111111111-302-2.2.2.27): Destroy tcp channnel local_id=16568, remote_id=10744, sock_rd=492, sock_wr=634, sock_size=0, c

Scenario 2: The FortiManager debugs show an 'unknown CA' TLS alert while a new FortiGate is being added. In the debug below, FortiManager compares each of its local issuers (local_issuer) against the CA subject advertised by the FortiGate (remote_CA_subject), finds no match ('No more valid certificates', 'ssl=no valid cert'), and the handshake ends when the FortiGate sends a fatal 'unknown CA' alert. A typical cause is a CA certificate, for example an intermediate CA, that is missing on the FortiManager. Ensure that the complete CA chain needed for the FGFM certificates is present on the FortiManager to resolve this issue.

Debugs:


2025-06-03 13:44:48 FGFMs: issuer matching...try next if not match... local_issuer(Test Server CA 019), remote_CA_subject(Local Root CA )
2025-06-03 13:44:48 FGFMs: Remote CA subject is /C=GB/O=Test hlc/CN=LOcal Root CA .
2025-06-03 13:44:48 FGFMs: issuer matching...try next if not match... local_issuer(fortinet-subca2001), remote_CA_subject(LOcal Root CA )
2025-06-03 13:44:48 FGFMs: Remote CA subject is /C=GB/O=Test hlc/CN=LOcal Root CA .
2025-06-03 13:44:48 FGFMs: issuer matching...try next if not match... local_issuer(support), remote_CA_subject(LOcal Root CA )
2025-06-03 13:44:48 FGFMs: No more valid certificates
2025-06-03 13:44:48 FGFMs: ssl_proto.c,642: TLSv1.3 SSLv3/TLS write certificate
2025-06-03 13:44:48 FGFMs: ssl_proto.c,642: TLSv1.3 TLSv1.3 write server certificate verify
2025-06-03 13:44:48 FGFMs: ssl_proto.c,642: TLSv1.3 SSLv3/TLS write finished
2025-06-03 13:44:48 FGFMs: ssl_proto.c,642: TLSv1.3 TLSv1.3 early data
2025-06-03 13:44:48 FGFMs: ssl_proto.c,744: TLSv1.3 read fatal alert: unknown CA
2025-06-03 13:44:48 FGFMs: ssl_proto.c,759: TLSv1.3 error
2025-06-03 13:44:48 FGFMs: ssl_proto.c,__get_error,1519, error=1, errno=0,Success, ssl=no valid cert.
2025-06-03 13:44:48 FGFMs(probing...): Connection was interrupted. sockevents[-1] sslerr[-6]
2025-06-03 13:44:48 FGFMs(probing...): Cleanup session 0x55ae63ac2280, 1.1.1.1.
2025-06-03 13:44:48 FGFMs(probing...): Destroy session 0x55ae63ac2280, 1.1.1.1.
2025-06-03 13:45:02 __start_tunnel_by_devlist,336: devid=265, admin=admin.


Scenario 3: When adding a new FortiGate to FortiManager v7.4.6 with custom certificates, the debugs may show 'serial number (fgvmultm12345678) in 'get' message doesn't match the subject CN (test.lab.com) in peer's certificate'. FortiManager compares the serial number the FortiGate sends in its FGFM 'get' message with the certificate the FortiGate presents, and in this case the certificate carries only the hostname (CN test.lab.com, SAN DNS:Test.lab.com) and not the serial number.

In FortiManager v7.4.6, the 'fgfm-peercert-withoutsn' setting has been removed, so this verification can no longer be disabled, and v7.4.6 expects the serial number in the subject CN of the FortiGate certificate. From FortiManager v7.4.7 a certificate with the serial number in the SAN is also accepted. Ensure, therefore, that the FortiGate certificate contains the serial number in the CN (v7.4.6) or in either the CN or the SAN (v7.4.7 and later).

To validate this on the FortiGate, go to System -> Certificates, open the 'Fortinet_Factory' certificate and check that its subject CN is the serial number of the FortiGate.

If the CN shows 'FortiGate' instead, run the following command in the FortiGate CLI, which re-applies the VM license; the factory certificate should then show the serial number in its CN:

exec vm-license
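Both certificate problems above can be reproduced offline with openssl. The script below is an added example, not code from the original article or from Fortinet: it builds a throw-away PKI (a root CA, an intermediate CA and three device certificates signed by the intermediate) and then shows, for Scenario 2, that chain verification succeeds only when the intermediate CA certificate is available, which is the situation behind the 'no valid cert' / 'unknown CA' debug, and, for Scenario 3, where the serial number sits in each device certificate and whether a FortiManager 7.4.6 (CN only) or 7.4.7 (CN or SAN) would accept it according to the behaviour described in this article. The serial number FGVMULTM12345678, the hostname test.lab.com, the CA names and the working directory are placeholders, and the acceptance rule in fgfm_accepts is modelled from the article and the debug output, not from Fortinet's implementation.

```shell
#!/bin/sh
# Added example, not code from the original article or from Fortinet.
# Builds a throw-away PKI (root CA -> intermediate CA -> device certs) with
# openssl, then runs the two checks discussed above:
#   chain_ok        - does the device cert verify up to the root with / without
#                     the intermediate (Scenario 2, 'unknown CA')
#   serial_location - where the FortiGate serial number sits in the cert
#   fgfm_accepts    - would FortiManager 7.4.6 (CN only) or 7.4.7 (CN or SAN)
#                     accept it (Scenario 3), as described in the article
# Serial number, hostname, CA names and paths are placeholders.
set -e
SERIAL="FGVMULTM12345678"
HOSTNAME="test.lab.com"
W="${TMPDIR:-/tmp}/fgfm-cert-example"
mkdir -p "$W"

# new_cert <name> <CN> <SAN list or -> <issuer name or self> <extension section>
new_cert() {
    n="$W/$1"
    {
        printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nC=GB\nO=Test Lab\nCN=%s\n' "$2"
        printf '[ca_ext]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n'
        printf '[leaf_ext]\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth,clientAuth\n'
        [ "$3" = - ] || printf 'subjectAltName=%s\n' "$3"
    } > "$n.cnf"
    openssl req -new -newkey rsa:2048 -nodes -config "$n.cnf" \
        -keyout "$n.key" -out "$n.csr" 2>/dev/null
    if [ "$4" = self ]; then
        openssl x509 -req -in "$n.csr" -signkey "$n.key" -days 1 \
            -extfile "$n.cnf" -extensions "$5" -out "$n.crt" 2>/dev/null
    else
        openssl x509 -req -in "$n.csr" -CA "$W/$4.crt" -CAkey "$W/$4.key" \
            -CAcreateserial -days 1 -extfile "$n.cnf" -extensions "$5" \
            -out "$n.crt" 2>/dev/null
    fi
}

# chain_ok <cert> <trusted root> [intermediate]: 0 if the cert chains to the root
chain_ok() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# serial_location <cert> <serial>: prints CN, SAN or none (exact match)
serial_location() {
    cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
    san=$(openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ')
    if [ "$cn" = "$2" ]; then
        echo CN
    else
        case ",$san," in
            *",DNS:$2,"*) echo SAN ;;
            *)            echo none ;;
        esac
    fi
}

# fgfm_accepts <7.4.6|7.4.7> <cert> <serial>: 0 if that FortiManager version
# would accept the cert, following the behaviour described in the article
fgfm_accepts() {
    loc=$(serial_location "$2" "$3")
    case "$1" in
        7.4.6) [ "$loc" = CN ] ;;                      # CN only, no override left
        7.4.7) [ "$loc" = CN ] || [ "$loc" = SAN ] ;;  # CN or SAN
        *) echo "fgfm_accepts: unsupported version $1" >&2; return 2 ;;
    esac
}

# CA hierarchy plus three device certificates: serial in CN and SAN, serial
# only in SAN, and the failing case from the debug (hostname only).
new_cert root   "Local Root CA"    -                            self  ca_ext
new_cert inter  "Local Issuing CA" -                            root  ca_ext
new_cert cn_sn  "$SERIAL"          "DNS:$SERIAL,DNS:$HOSTNAME"  inter leaf_ext
new_cert san_sn "$HOSTNAME"        "DNS:$SERIAL,DNS:$HOSTNAME"  inter leaf_ext
new_cert no_sn  "$HOSTNAME"        "DNS:$HOSTNAME"              inter leaf_ext

if chain_ok "$W/cn_sn.crt" "$W/root.crt" "$W/inter.crt"; then
    echo "chain with intermediate CA present: OK"
fi
if ! chain_ok "$W/cn_sn.crt" "$W/root.crt"; then
    echo "chain with intermediate CA missing: FAIL (the 'unknown CA' situation)"
fi
for c in cn_sn san_sn no_sn; do
    printf '%-6s serial in %-4s  7.4.6: %-6s  7.4.7: %s\n' "$c" \
        "$(serial_location "$W/$c.crt" "$SERIAL")" \
        "$(fgfm_accepts 7.4.6 "$W/$c.crt" "$SERIAL" && echo accept || echo reject)" \
        "$(fgfm_accepts 7.4.7 "$W/$c.crt" "$SERIAL" && echo accept || echo reject)"
done
```

Run it with sh. For a real deployment, generate the CSR with the serial number in the CN (and in the SAN as well, so the same certificate keeps working after an upgrade to 7.4.7), have it signed by the CA whose chain is installed on the FortiManager, and install the issued certificate together with its intermediate on the FortiGate. serial_location and fgfm_accepts can also be pointed at a certificate exported from an existing FortiGate to check it before the device is added.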

Note:

If FortiManager was configured with fgfm-peercert-withoutsn on v7.4.5 (or older) and is then upgraded to v7.4.6, the same error appears in the debugs after the upgrade, because fgfm-peercert-withoutsn has been removed and is not available on v7.4.6. See Release Notes: 7.4.6 Special Notices.

Debugs:


2025-06-03 14:20:42 FGFMs(probing...): SAN: <DNS:Test.lab.com>
2025-06-03 14:20:42 FGFMs(probing...): __get_handler:1060: sn doesn't matche
2025-06-03 14:20:42 FGFMs(probing...): __get_handler:1088: serial number (FGVMULTM12345678 in 'get' message doesn't match the subject CN (test.lab.com) in peer's certificate.