Created on 06-19-2025 12:56 AM
Edited on 06-24-2025 03:02 AM
By Jean-Philippe_P
| Description | This article describes how to troubleshoot the case where FortiWeb presents an old certificate to the client even though the server policy has been updated with a new certificate. |
| Scope | FortiWeb. |
| Solution |
This can happen when the policy changes were not loaded properly.
Note: Perform these steps during off-hours, as they can impact production.
Find the proxyd PID:
diagnose sys top | grep proxyd
24137 1 root S 2702m 27.4 0 31.1 /bin/proxyd
After getting the proxyd PID, use the following command to kill the process:
diagnose sys kill 11 <PID proxyd>
If there are multiple PIDs of proxyd, use the following command:
diagnose sys killall 11 proxyd
If the above 2 steps do not resolve the issue, collect data by running the commands below:
diagnose debug proxy log 7
diagnose debug proxy cmdb-global 7
diagnose debug proxy cmdb-policy 7
diagnose debug proxy config-policy 7
diagnose debug proxy config-global 7
diagnose debug proxy thread-reload 7
diagnose debug proxy thread-work 7
diagnose debug enable
At the same time, capture packets on the FortiWeb for the particular client IP and server IP: Packet capture via Web UI
Provide this information to Fortinet Support so that the logs can be analyzed further. |
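To confirm from a client whether the proxyd restart took effect, the served certificate can be compared by SHA-256 fingerprint against the new and old certificate files over several handshakes. This is an added example, not Fortinet code; the function names are hypothetical, and it assumes single-certificate PEM files and that different connections may be handled by different proxyd processes.

```python
import hashlib
import socket
import ssl
from collections import Counter

def fetch_served_der(host, port=443, sni=None, timeout=5.0):
    """Complete one TLS handshake and return the served leaf certificate (DER)."""
    ctx = ssl.create_default_context()
    # Chain validation is off on purpose: the certificate is only read here
    # and is then compared by fingerprint against the expected PEM file.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
            return tls.getpeercert(binary_form=True)

def sha256_fp(der):
    return hashlib.sha256(der).hexdigest()

def classify(served_der, new_pem, old_pem=None):
    """Return 'new', 'old' or 'unknown' for one served certificate."""
    served = sha256_fp(served_der)
    if served == sha256_fp(ssl.PEM_cert_to_DER_cert(new_pem)):
        return "new"
    if old_pem and served == sha256_fp(ssl.PEM_cert_to_DER_cert(old_pem)):
        return "old"
    return "unknown"

def sample_handshakes(fetch, new_pem, old_pem=None, attempts=10):
    """Tally several handshakes so that one good connection does not hide a
    process that still serves the old certificate (assumption, see lead-in)."""
    return Counter(classify(fetch(), new_pem, old_pem) for _ in range(attempts))

def fully_rolled_over(tally):
    """True only if at least one handshake ran and every one was 'new'."""
    return set(tally) == {"new"}

if __name__ == "__main__":
    # Constructed placeholder bytes, not real certificates. Against a device, use
    # fetch=lambda: fetch_served_der("<virtual server IP>", 443, "<hostname>")
    new_pem = ssl.DER_cert_to_PEM_cert(b"constructed-new-cert")
    old_pem = ssl.DER_cert_to_PEM_cert(b"constructed-old-cert")
    served = iter([b"constructed-new-cert", b"constructed-old-cert"] * 2)
    tally = sample_handshakes(lambda: next(served), new_pem, old_pem, attempts=4)
    print(dict(tally), "rolled over:", fully_rolled_over(tally))
```

Any "old" or "unknown" count after the restart is useful evidence to attach to the support ticket alongside the debug output and packet capture.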