FortiGate-VM evaluation license register issues "curl forticare failed, 43"

jejun · ‎06-15-2023

FGT_VM64_KVM-v7.4.0.F-build2360-FORTINET.out.kvm

I downloaded this, but I can't register its evaluation license.

I got a message like the one below.

Requesting FortiCare Trial license, proxy:(null)
curl forticare failed, 43

I couldn't find the meaning of the error phrase anywhere.
Please help me.

Regards

-Jejun

abarushka · ‎06-15-2023

Hello,

I would check whether DNS is working properly (i.e. you can ping other web-sites from FortiGate) and whether FortiGate has access to Internet.

FortiGate

jejun · ‎06-15-2023

I checked.

exec ping 8.8.8.8
exec ping update.fortiguard.net
exec ping service.fortiguard.net

It worked. but It still has problems.

Requesting FortiCare Trial license, proxy:(null)
curl forticare failed, 43

abarushka · ‎06-16-2023

Hello,

You may consider to run the commands below and check the output:

diagnose debug application update -1
diagnose debug enable

execute update-now

FortiGate

jejun · ‎06-17-2023

FortiGate-VM64-KVM # execute date
current date is: 2023-06-17

FortiGate-VM64-KVM # execute time
current time is: 08:12:04
last ntp sync:Sat Jun 17 08:09:01 2023

FortiGate-VM64-KVM # exec ping update.fortiguard.net
PING fds1.fortinet.com (173.243.138.66): 56 data bytes
64 bytes from 173.243.138.66: icmp_seq=0 ttl=128 time=146.0 ms
64 bytes from 173.243.138.66: icmp_seq=1 ttl=128 time=146.0 ms
^C
--- fds1.fortinet.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 146.0/146.0/146.0 ms

FortiGate-VM64-KVM # exec ping service.fortiguard.net
PING guard.fortinet.net (173.243.138.194): 56 data bytes
64 bytes from 173.243.138.194: icmp_seq=0 ttl=128 time=144.2 ms
64 bytes from 173.243.138.194: icmp_seq=1 ttl=128 time=144.7 ms
^C
--- guard.fortinet.net ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 144.2/144.4/144.7 ms

FortiGate-VM64-KVM # exec ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=128 time=36.8 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=128 time=52.5 ms
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 36.8/44.6/52.5 ms

FortiGate-VM64-KVM # Requesting FortiCare Trial license, proxy:(null)
curl forticare failed, 43

FortiGate-VM64-KVM #
FortiGate-VM64-KVM # diagnose debug enable

FortiGate-VM64-KVM # diagnose debug application update -1
Debug messages will be on for 30 minutes.

FortiGate-VM64-KVM # exec update-now

FortiGate-VM64-KVM # Requesting FortiCare Trial license, proxy:(null)
ssl_connect_fds[407]-Poll timeout
[205] __ssl_data_ctx_free: Done
[1047] ssl_free: Done
[197] __ssl_cert_ctx_free: Done
[1057] ssl_ctx_free: Done
upd_comm_connect_fds[478]-Failed SSL connect
do_setup[361]-Failed setup
upd_daemon[2241]-Disabling remaining actions 90
upd_act_report_fmg_list[826]-Starting report FMG LIST.
upd_fds_load_default_server6[1046]-Resolve and add fds usupdate.fortiguard.net ipv6 addre ss failed.
pack_obj[186]-Packing obj=Protocol=3.4|Command=FDNSetup|Firmware=FGVMK6-FW-7.02-1396|Seri alNumber=FGVMEV3M9Z9NZF61|Language=en-US|TimeZone=-7|Sequence=0|HAList=FGVMEV3M9Z9NZF61|A uthList=
upd_comm_connect_fds[459]-Trying FDS 12.34.97.16:443
[114] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root c a Fortinet_CA, idx 0 (default)
[482] ssl_ctx_use_builtin_store: Loaded Fortinet Trusted Certs
[488] ssl_ctx_use_builtin_store: Enable CRL checking.
[495] ssl_ctx_use_builtin_store: Enable OCSP Stapling.
[767] ssl_ctx_create_new: SSL CTX is created
[794] ssl_new: SSL object is created
[184] ssl_add_ftgd_hostname_check: Add hostname checking 'usupdate.fortiguard.net'...
ssl_connect_fds[407]-Poll timeout
[205] __ssl_data_ctx_free: Done
[1047] ssl_free: Done
[197] __ssl_cert_ctx_free: Done
[1057] ssl_ctx_free: Done
upd_comm_connect_fds[478]-Failed SSL connect
upd_comm_connect_fds[459]-Trying FDS 208.184.237.66:443
[114] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[482] ssl_ctx_use_builtin_store: Loaded Fortinet Trusted Certs
[488] ssl_ctx_use_builtin_store: Enable CRL checking.
[495] ssl_ctx_use_builtin_store: Enable OCSP Stapling.
[767] ssl_ctx_create_new: SSL CTX is created
[794] ssl_new: SSL object is created
[184] ssl_add_ftgd_hostname_check: Add hostname checking 'usupdate.fortiguard.net'...
ssl_connect_fds[407]-Poll timeout
[205] __ssl_data_ctx_free: Done
[1047] ssl_free: Done
[197] __ssl_cert_ctx_free: Done
[1057] ssl_ctx_free: Done
upd_comm_connect_fds[478]-Failed SSL connect
do_setup[357]-Starting SETUP
upd_fds_load_default_server6[1046]-Resolve and add fds usupdate.fortiguard.net ipv6 address failed.
upd_comm_connect_fds[459]-Trying FDS 12.34.97.16:443
[114] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[482] ssl_ctx_use_builtin_store: Loaded Fortinet Trusted Certs
[488] ssl_ctx_use_builtin_store: Enable CRL checking.
[495] ssl_ctx_use_builtin_store: Enable OCSP Stapling.
[767] ssl_ctx_create_new: SSL CTX is created
[794] ssl_new: SSL object is created
[184] ssl_add_ftgd_hostname_check: Add hostname checking 'usupdate.fortiguard.net'...
Timeout

FortiGate-VM64-KVM login: curl forticare failed, 28

Regards

-Jejun

abarushka · ‎06-17-2023

Hello Jejun,

ICMP connectivity and DNS resolution look good. I notice that FortiGate cannot establish TLS session with ForiGuard:

upd_comm_connect_fds[478]-Failed SSL connect

Is there is any device between FortiGate and FortiGuard which does deep inspection? Moreover, I would recommend to sniff the traffic towards FortiGuard "diagnose sniffer packet any 'host 12.34.97.16' 6 0 a" and convert it to pcap file.

FortiGate

jejun · ‎06-18-2023

FortiGate-VM64-KVM # exec ping update.fortiguard.net
PING fds1.fortinet.com (208.184.237.66): 56 data bytes
64 bytes from 208.184.237.66: icmp_seq=0 ttl=128 time=142.9 ms
64 bytes from 208.184.237.66: icmp_seq=1 ttl=128 time=145.7 ms
^C
--- fds1.fortinet.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 142.9/144.3/145.7 ms

FortiGate-VM64-KVM # exec ping service.fortiguard.net
PING guard.fortinet.net (12.34.97.71): 56 data bytes
64 bytes from 12.34.97.71: icmp_seq=0 ttl=128 time=197.7 ms
64 bytes from 12.34.97.71: icmp_seq=1 ttl=128 time=195.9 ms
^C
--- guard.fortinet.net ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 195.9/196.8/197.7 ms

FortiGate-VM64-KVM # exec ping usupdate.fortiguard.net
PING usfds1.fortinet.com (12.34.97.16): 56 data bytes
64 bytes from 12.34.97.16: icmp_seq=0 ttl=128 time=194.9 ms
64 bytes from 12.34.97.16: icmp_seq=1 ttl=128 time=194.9 ms
^C
--- usfds1.fortinet.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 194.9/194.9/194.9 ms

FortiGate-VM64-KVM # exec ping 12.34.97.16
PING 12.34.97.16 (12.34.97.16): 56 data bytes
64 bytes from 12.34.97.16: icmp_seq=0 ttl=128 time=198.2 ms
64 bytes from 12.34.97.16: icmp_seq=1 ttl=128 time=195.6 ms
^C
--- 12.34.97.16 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 195.6/196.9/198.2 ms

FortiGate-VM64-KVM # exec ping 208.184.237.66
PING 208.184.237.66 (208.184.237.66): 56 data bytes
64 bytes from 208.184.237.66: icmp_seq=0 ttl=128 time=144.8 ms
64 bytes from 208.184.237.66: icmp_seq=1 ttl=128 time=143.9 ms
^C
--- 208.184.237.66 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 143.9/144.3/144.8 ms

FortiGate-VM64-KVM # diagnose sniffer packet any 'host 12.34.97.16' 4
Using Original Sniffing Mode
interfaces=[any]
filters=[host 12.34.97.16]
Requesting FortiCare Trial license, proxy:(null)
12.648055 port1 out 192.168.21.10.3882 -> 12.34.97.16.443: fin 688041116 ack 578499204
12.649442 port1 in 12.34.97.16.443 -> 192.168.21.10.3882: ack 688041117
12.847316 port1 in 12.34.97.16.443 -> 192.168.21.10.3882: psh fin 578501605 ack 688041117
12.847433 port1 out 192.168.21.10.3882 -> 12.34.97.16.443: rst 688041117
14.666733 port1 out 192.168.21.10.3928 -> 12.34.97.16.443: syn 2792084773
14.881426 port1 in 12.34.97.16.443 -> 192.168.21.10.3928: syn 1973491655 ack 2792084774
14.881515 port1 out 192.168.21.10.3928 -> 12.34.97.16.443: ack 1973491656
14.882829 port1 out 192.168.21.10.3928 -> 12.34.97.16.443: psh 2792084774 ack 1973491656
14.883750 port1 in 12.34.97.16.443 -> 192.168.21.10.3928: ack 2792084947
33.601126 port1 out 192.168.21.10.3932 -> 12.34.97.16.443: syn 1551951859
33.821314 port1 in 12.34.97.16.443 -> 192.168.21.10.3932: syn 1572495172 ack 1551951860
33.821440 port1 out 192.168.21.10.3932 -> 12.34.97.16.443: ack 1572495173
33.832202 port1 out 192.168.21.10.3932 -> 12.34.97.16.443: psh 1551951860 ack 1572495173
33.832715 port1 in 12.34.97.16.443 -> 192.168.21.10.3932: ack 1551952033
curl forticare failed, 43

FortiGate-VM64-KVM # diagnose sniffer packet any 'host 208.184.237.66' 4
Using Original Sniffing Mode
interfaces=[any]
filters=[host 208.184.237.66]
Requesting FortiCare Trial license, proxy:(null)
8.648300 port1 in 208.184.237.66.443 -> 192.168.21.10.10532: psh fin 1806447244 ack 6028528 74
8.648392 port1 out 192.168.21.10.10532 -> 208.184.237.66.443: ack 1806444843
29.822201 port1 out 192.168.21.10.10538 -> 208.184.237.66.443: fin 3902104475 ack 421810570
29.823717 port1 in 208.184.237.66.443 -> 192.168.21.10.10538: ack 3902104476
29.977878 port1 in 208.184.237.66.443 -> 192.168.21.10.10538: psh fin 421812971 ack 3902104476
29.977970 port1 out 192.168.21.10.10538 -> 208.184.237.66.443: rst 3902104476
34.562277 port1 in 208.184.237.66.443 -> 192.168.21.10.10458: rst 1867385272 ack 2992064321
68.659526 port1 out 192.168.21.10.10532 -> 208.184.237.66.443: fin 602852874 ack 1806444843
68.659984 port1 in 208.184.237.66.443 -> 192.168.21.10.10532: ack 602852875
201.130892 port1 out 192.168.21.10.10578 -> 208.184.237.66.443: syn 2264122658
201.293434 port1 in 208.184.237.66.443 -> 192.168.21.10.10578: syn 1533365585 ack 2264122659
201.293529 port1 out 192.168.21.10.10578 -> 208.184.237.66.443: ack 1533365586
201.326789 port1 out 192.168.21.10.10578 -> 208.184.237.66.443: psh 2264122659 ack 1533365586
201.327136 port1 in 208.184.237.66.443 -> 192.168.21.10.10578: ack 2264122832
261.445929 port1 in 208.184.237.66.443 -> 192.168.21.10.10578: psh fin 1533367987 ack 2264122832
261.446552 port1 out 192.168.21.10.10578 -> 208.184.237.66.443: ack 1533365586
276.264190 port1 in 208.184.237.66.443 -> 192.168.21.10.10494: rst 1129937484 ack 4177346935
curl forticare failed, 28

Regards

-Jejun

Tonysa · ‎06-15-2023

Most likely, you downloaded the FF-VM rather than the FG-VM.

You can download it from WeTransfer using the link provided below.

https://we.tl/t-cLaVvpUFu7

jejun · ‎06-17-2023

I downloaded the FGT file.

FGT_VM64_KVM-v7.4.0.F-build2360-FORTINET.out.kvm

and

The hostname of the command prompt is also "FortiGate-VM64-KVM #".

Regards

-Jejun

Dongkwan · ‎06-16-2023

The below link would be helpful for this issue.

https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/441460

Kwan

FortiGate-VM evaluation license register issues "curl forticare failed, 43"

Nominate a Forum Post for Knowledge Article Creation