- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- FortiWebCloud
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- FortiGates unable to connect to FAZ after upgrade
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiGates unable to connect to FAZ after upgrade
Hello,
I recently upgraded a customers FAZ-200F from version 6.4.9 to version 7.0.10 and now none of the FortiGates will connect. All of the FortiGates are on version 7.0.12 which looks to be supported by FAZ on 7.0.10 per the matrix.
The FAZ had support expire on it so I cannot contact support at the moment unfortunately which is why I am coming here.
When I run log fortianalyzer test-connectivity on the FortiGate I get 'Failed to get FAZ's status. Invalid error number (0).(0)' which looks like it's pointing to a certificate error. I verified the FGTs and FAZ have matching certificates. I tried importing the local FAZ cert onto a FGT with no luck.
When I run 'diagnose debug app oftpd 255' on the FAZ I get the following output:
2023-12-19 13:43:57 [OFTP_SSL_CTX_dft:1237 10.112.15.50] dft-idx=0 inited=1.
2023-12-19 13:43:57 [__create_ssl_context:1663 10.112.15.50] SSL socket[72] pid[29164] ssl[0x18427b0] SSL_new() success.
2023-12-19 13:43:57 [__SSL_info_callback:299] before SSL initialization
2023-12-19 13:43:57 [__SSL_info_callback:299] before SSL initialization
2023-12-19 13:43:57 [server_sni_cb:1252] server_sni_cb(): sni='0x11e47f0/fortinet-ca2.fortinet.com'
2023-12-19 13:43:57 [server_sni_cb:1266] -- SSL server got SNI: 'fortinet-ca2.fortinet.com', SSL_CTX located: 0x120fda0, idx=0
2023-12-19 13:43:57 [__SSL_info_callback:299] SSLv3/TLS read client hello
2023-12-19 13:43:57 [__SSL_info_callback:299] SSLv3/TLS write server hello
2023-12-19 13:43:57 [__SSL_info_callback:299] SSLv3/TLS write change cipher spec
2023-12-19 13:43:57 [__SSL_info_callback:299] TLSv1.3 write encrypted extensions
2023-12-19 13:43:57 [__SSL_info_callback:299] SSLv3/TLS write certificate request
2023-12-19 13:43:57 [__SSL_info_callback:299] SSLv3/TLS write certificate
2023-12-19 13:43:57 [__SSL_info_callback:299] TLSv1.3 write server certificate verify
2023-12-19 13:43:57 [__SSL_info_callback:299] SSLv3/TLS write finished
2023-12-19 13:43:57 [__SSL_info_callback:299] TLSv1.3 early data
2023-12-19 13:43:57 [__SSL_info_callback:330] TLSv1.3 early data
2023-12-19 13:43:57 [OFTP_try_accept_SSL_connection:1843 10.112.15.50] SSL accept failed
2023-12-19 13:43:57 [OFTP_ssl_shutdown:1976 10.112.15.50] SSL pid[29164] ssl[0x16e2910] shuting down sockfd[28] ip[10.112.15.50] connected[1]
2023-12-19 13:43:57 [OFTP_ssl_shutdown:1989 10.112.15.50] SSL_shutdown Error. SSL_get_error[1]
2023-12-19 13:43:57 [OFTP_ssl_shutdown:1992] Error error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
2023-12-19 13:43:57 [oftpd_close_session:847 10.112.15.50] Client connection closed. Reason 14(SSL setup failure)
Everything looks to be going okay until this error '2023-12-19 13:43:57 [OFTP_try_accept_SSL_connection:1843 10.112.15.50] SSL accept failed.'
Does anyone have any tips on what I could check/verify regarding this? I have gone through multiple KBs with no luck. I can't seem to find anything online regarding that OFTP error I am seeing in the deubgs.
Thanks!
Solved! Go to Solution.
Labels:
- Labels:
-
FortiAnalyzer
-
FortiGate
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It ended being MTU, I didn't see that part in the KB.
I lowered the FAZ MTU to 1400 and all of my FGTs connected, weird. MTUs have always been set to default before the upgrade so not sure what happened.
- « Previous
-
- 1
- 2
- Next »
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I saw the MTU step last night which resolved my issue.
Did something change from 6.4.9 to 7.0 that would have affected MTU?
Thanks
- « Previous
-
- 1
- 2
- Next »
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- FortiGate upgrade using FortiManager progress stuck... 131 Views
- Can FortiNAC identify where I connect... 188 Views
- SSL VPN access only VLAN hosts... 492 Views
- 2FA via E-Mail does not work... 262 Views
- what is the best practices for... 158 Views
Labels
-
FortiGate
7,164 -
FortiClient
1,415 -
5.2
801 -
5.4
639 -
FortiManager
620 -
FortiAnalyzer
456 -
6.0
416 -
FortiAP
376 -
FortiSwitch
374 -
5.6
362 -
FortiClient EMS
291 -
FortiMail
281 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
175 -
FortiNAC
128 -
6.4
128 -
FortiGuard
115 -
IPsec
108 -
SSL-VPN
105 -
FortiGateCloud
97 -
FortiSIEM
93 -
FortiCloud Products
89 -
FortiToken
77 -
Customer Service
71 -
Wireless Controller
65 -
4.0MR3
64 -
FortiProxy
49 -
SD-WAN
49 -
FortiADC
45 -
FortiEDR
44 -
Fortivoice
44 -
FortiDNS
39 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiAuthenticator
35 -
FortiSandbox
34 -
Firewall policy
33 -
FortiSwitch v6.4
32 -
VLAN
31 -
High Availability
31 -
DNS
24 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
BGP
21 -
FortiConverter
21 -
Certificate
20 -
SAML
19 -
FortiGate v5.2
19 -
LDAP
19 -
FortiPortal
18 -
Interface
18 -
FortiSwitch v6.2
17 -
Routing
17 -
VDOM
17 -
FortiMonitor
15 -
Authentication
15 -
FortiGate v5.0
14 -
FortiLink
14 -
Fortigate Cloud
14 -
FortiDDoS
14 -
Logging
14 -
NAT
13 -
RADIUS
12 -
FortiCASB
12 -
Application control
11 -
Web profile
11 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
SSL SSH inspection
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
WAN optimization
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
SNMP
8 -
FortiGate v4.0 MR3
8 -
OSPF
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiAP profile
7 -
4.0
7 -
Admin
7 -
Web application firewall profile
7 -
Static route
6 -
Security profile
6 -
Proxy policy
6 -
Traffic shaping policy
6 -
Automation
6 -
IPS signature
5 -
Packet capture
5 -
DNS Filter
5 -
FortiCache
5 -
FortiManager v4.0
5 -
trunk
5 -
FortiDeceptor
4 -
FortiDirector
4 -
Web rating
4 -
Intrusion prevention
4 -
Port policy
4 -
Antivirus profile
4 -
FortiPAM
4 -
FortiCarrier
4 -
FortiTester
4 -
3.6
4 -
DLP sensor
4 -
FortiScan
4 -
Fabric connector
3 -
NAC policy
3 -
Multicast routing
3 -
System settings
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
Fortinet Engage Partner Program
3 -
DLP Dictionary
3 -
DLP profile
3 -
FortiDB
3 -
DoS policy
3 -
Email filter profile
3 -
FortiInsight
2 -
Netflow
2 -
Users
2 -
Protocol option
2 -
FortiAI
2 -
Application signature
2 -
FortiHypervisor
2 -
VoIP profile
2 -
Internet Service Database
2 -
Explicit proxy
2 -
4.0MR1
1 -
Multicast policy
1 -
Zone
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
FortiNDR
1 -
TACACS
1 -
Replacement messages
1 -
Schedule
1 -
SDN connector
1 -
FortiManager-VM
1 -
Authentication rule and scheme
1 -
Service
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1063 | |
| 889 | |
| 527 | |
| 441 | |
| 152 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.