This article describes a scenario when FortiVoice can not join the Root Security Fabric FortiGate causing a certificate validation error.
Scope
FortiVoice 7.0.5.
Solution
FortiVoice is configured to join the Security Fabric root FortiGate.
config system csf set status enable set upstream-ip 10.22.5.1 <-FortiGate set upstream-port 8013 set configuration-sync local set management-ip 10.22.5.6 <-FortiVoice set management-port 443 unset group-name unset group-password end
In the FortiGate, running the csf debug shows the error 'The certificate CN (FortiVoiceEnterprise) doesn't match the serial number'.
<18823-M> 04 nstd_handle_hello_pkt()-345: <18823-M> 10000000 nstd_handle_hello_pkt()-387: downstream:10.22.5.6 auth by cert:N <18823-M> 10000000 nstd_handle_hello_pkt()-401: SN FO100E2TX100000465 copied from hello packet. <18823-M> 04 nstd_update_fgt_interface()-303: <18823-M> 800 handle_connection_event_auth_plugin()-3101: <18823-M> 400 nstd_check_certificate()-2255: The certificate CN (FortiVoiceEnterprise) doesn't match the Serial number (FO100E2TX100000465) sent by 10.22.5.6:52319 <18823-M> 400 handle_connection_event_auth_plugin()-3109: SSL verification for 10.22.5.6:52319 failed. <18823-M> 40000 nstd_sync_generic_connection_event()-1273: <18823-M> 100 handle_connection_event_tree_updater()-958: <18823-M> 04 nstd_downstream_fgt_info_update_fn()-1646: <18823-M> 08 nstd_downstream_fgt_info_update_fn()-1651: scheduled downstream info updater to run in 3 seconds
The behavior could be matching bug 1084189, where it is described as FortiVoice being unable to join FortiGate fabric root using a certificate-based authentication request method.
This is solved in FortiVoice version 7.2.0. If the behavior remains after the upgrade to this version, open a TAC ticket for further analysis.
