sachitdas_FTNT
Article Id 329592
Description

This article describes how to resolve the 'API error 60' message, which prevents pushing configuration from FortiGate to a managed FortiSwitch.
Scope

FortiGate v7.x and managed FortiSwitch v7.x.

Solution

After importing a local certificate on the FortiSwitch, the following sync error may appear on the FortiGate:

execute switch-controller get-sync-status all
Managed-devices in current vdom root:

FortiLink interface : fortilink
SWITCH-ID (SERIAL) STATUS CONFIG MAC-SYNC HTTP-UPGRADE
Switch (S148FFTxxxxx) Up Error Error -

[1]
 command: https://192.168.x.x:443/api/v2/login
 payload:
 result : REST API login failed with error 60


Due to the error, the config does not get pushed from FortiGate to the managed FortiSwitch.

Follow these steps to rectify the error:

  1. Upload the CA on FortiGate:

FortiGate-60F # execute vpn certificate ca import tftp /temp/zzzz/zzzzrootCA.crt <tftp ip address>
y
Done.

show vpn certificate ca CA_Cert_1
config vpn certificate ca
    edit "CA_Cert_1"
        set range global
    next
end

  2. Change the tunnel mode to 'moderate' (refer to the Certificates documentation):

show switch-controller system
config switch-controller system
    set tunnel-mode moderate
end

  3. On FortiSwitch, import the local cert:

execute system certificate local import tftp <file-name> <tftp_ip>

For example:

execute system certificate local import tftp temp/xxxx/xxxx074.p12 10.105.129.1 p12 fortinet123

Show the certificate:

show system certificate local
config system certificate local
    edit "xxxx074"
        set password ENC wuPp7AGYkncE2QblJ6pjdyed1MfVG+dVhJ6sy9aDP+B50ykGwPsa5R7DcKrd6b2SfhidSZg1vN9NLlssOHthDyCWAfzpx6MNRo9j8ojJY0FsU1kTk/r/71KGva5RldCZODJBII5FtN5pvJhj8znzythf8XX8O/UwWzbGEDJ+H4uOUnfE
    next
end

config system web
    set https-server-cert "xxxx074"
end
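Before running steps 1 and 3 on production devices, it is worth confirming offline that the certificate about to be imported on the FortiSwitch is actually issued by the CA uploaded to the FortiGate, since the FortiGate must trust the issuer of the switch's HTTPS server certificate for the REST API login to succeed. The following is an added example, not part of the KB article: the helper names are hypothetical and the test certificates are constructed on the fly with the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the KB article: check offline that the certificate you are about
# to import on the FortiSwitch (step 3) is issued by the CA you uploaded to the FortiGate
# (step 1). If this check fails, the FortiGate cannot authenticate the switch's HTTPS
# server certificate and the REST API login will keep failing.
# Helper names are hypothetical; requires the openssl command-line tool.
set -e

# verify_chain CA_FILE CERT_FILE: prints "ok" when CERT_FILE chains to CA_FILE, else "fail".
verify_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# cert_summary CERT_FILE: subject, issuer and expiry, to compare against the CA by eye.
cert_summary() {
  openssl x509 -in "$1" -noout -subject -issuer -enddate
}

# make_fixtures: constructed test material in a temp dir (no real Fortinet data):
# a throwaway root CA, a switch certificate it signed, and an unrelated self-signed
# certificate that must be rejected. Prints the directory path.
make_fixtures() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=fortiswitch.example.invalid" \
    -keyout "$dir/switch.key" -out "$dir/switch.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/switch.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/switch.crt" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=some-other-ca" \
    -keyout "$dir/other.key" -out "$dir/other.crt" >/dev/null 2>&1
  echo "$dir"
}

# Stand-alone demonstration: the properly issued switch cert passes, the unrelated one fails.
demo() {
  d=$(make_fixtures)
  echo "switch.crt against ca.crt: $(verify_chain "$d/ca.crt" "$d/switch.crt")"   # ok
  echo "other.crt  against ca.crt: $(verify_chain "$d/ca.crt" "$d/other.crt")"    # fail
  cert_summary "$d/switch.crt"
  rm -rf "$d"
}

demo
```

Run the same verify_chain check against the real root CA file and the switch certificate (extracted from the .p12 with openssl pkcs12) before importing them.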

The behavior of tunnel mode strict is by design, and there is no plan to change it. The tunnel modes are described as follows:

  • compatible: Least restrictive. Supports the lowest levels of security but the highest compatibility between all FortiSwitch and FortiGate devices. 3rd party certificates permitted.
  • moderate: Moderate level of security. 3rd party certificates permitted.
  • strict: The highest level of security requirements. If enabled, the FortiGate device follows the same security mode requirements as in FIPS/CC mode.

To use tunnel mode strict, the same requirements as in FIPS/CC mode must be followed. FIPS/CC (aka FIPS 140-2 & Common Criteria) is a combination certification program for validating cryptographic modules against a government standard (FIPS 140-2) as well as validating compliance with international standards for computer security certification. It is usually used by government/federal customers.