FORTI-40F # execute fortiguard-log login xxxMAILxxx xxxPWDxxx
2024-03-13 12:52:46 [643] fds_https_stop_server: 173.243.143.6:443
2024-03-13 12:52:46 [205] __ssl_data_ctx_free: Done
2024-03-13 12:52:46 [1047] ssl_free: Done
2024-03-13 12:52:46 [197] __ssl_cert_ctx_free: Done
2024-03-13 12:52:46 [1057] ssl_ctx_free: Done
2024-03-13 12:52:46 [1038] ssl_disconnect: Shutdown
2024-03-13 12:52:46 [554] fds_https_timeout: Connection timed out, svr=Forticlient-svr
2024-03-13 12:52:46 [246] fds_svr_default_on_error: Forticlient-svr: ip=173.243.143.6:443, reason=4
2024-03-13 12:52:46 [263] fds_svr_default_on_error: Forticlient-svr: Conn failes 1/2
2024-03-13 12:52:46 [145] fds_svr_default_pickup_server: Forticlient-svr: [2620:101:9000:143:173:243:143:6]:443
Failed: FGT internal error(-1)
Command fail. Return code 5
FORTI-40F # 2024-03-13 12:52:56 [643] fds_https_stop_server: [2620:101:9000:143:173:243:143:6]:443
2024-03-13 12:52:56 [145] fds_svr_default_pickup_server: Forticlient-svr: 173.243.143.6:443
2024-03-13 12:52:56 [589] fds_https_start_server: server: 173.243.143.6:443
2024-03-13 12:52:56 [590] fds_https_start_server: source-ip: 0.0.0.0:0
2024-03-13 12:52:56 [114] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
2024-03-13 12:52:56 [482] ssl_ctx_use_builtin_store: Loaded Fortinet Trusted Certs
2024-03-13 12:52:56 [488] ssl_ctx_use_builtin_store: Enable CRL checking.
2024-03-13 12:52:56 [495] ssl_ctx_use_builtin_store: Enable OCSP Stapling.
2024-03-13 12:52:56 [767] ssl_ctx_create_new: SSL CTX is created
2024-03-13 12:52:56 [794] ssl_new: SSL object is created
2024-03-13 12:52:56 [86] https_create: proxy server 0.0.0.0 port:0
2024-03-13 12:52:56 [206] forticldd_add_hostname_check: Add hostname checking 'globalfctupdate.fortinet.net'
2024-03-13 12:52:56 [573] __tcps_tcp_start_connect: sockfd=11, server=173.243.143.6:443, use_harelay=0, use_proxy=0
2024-03-13 12:52:56 [577] __tcps_tcp_start_connect: ret=-1
2024-03-13 12:52:56 [582] __tcps_tcp_start_connect: errno=115(Operation now in progress)
2024-03-13 12:52:56 [870] tcps_connect: 173.243.143.6:443 -- ret 0, state 0x0(Intialized) -> 0x11(Connecting)
FORTI-40F# execute ping service.fortiguard.net
PING guard.fortinet.net (12.34.97.71): 56 data bytes
--- guard.fortinet.net ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
Consider that all FortiGuard pool /24s are statically routed to the internet connection, and other devices can reach the FortiGuard domain with the same routing. DNS is set to 8.8.8.8.
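A small triage script for the debug capture in the post above, added here as an example and not part of the original thread: it lists the servers the update daemon rotated through, counts timeouts, and records the last TCP state seen. The sample lines are copied from the post; the `triage` function, its field names, and the reading that a timeout with the socket still in `Connecting` points at the network path rather than TLS are assumptions of this example.

```python
import re

# Lines copied from the debug output in the post above (no new data).
SAMPLE = """\
2024-03-13 12:52:46 [554] fds_https_timeout: Connection timed out, svr=Forticlient-svr
2024-03-13 12:52:46 [246] fds_svr_default_on_error: Forticlient-svr: ip=173.243.143.6:443, reason=4
2024-03-13 12:52:46 [263] fds_svr_default_on_error: Forticlient-svr: Conn failes 1/2
2024-03-13 12:52:46 [145] fds_svr_default_pickup_server: Forticlient-svr: [2620:101:9000:143:173:243:143:6]:443
FORTI-40F # 2024-03-13 12:52:56 [643] fds_https_stop_server: [2620:101:9000:143:173:243:143:6]:443
2024-03-13 12:52:56 [145] fds_svr_default_pickup_server: Forticlient-svr: 173.243.143.6:443
2024-03-13 12:52:56 [870] tcps_connect: 173.243.143.6:443 -- ret 0, state 0x0(Intialized) -> 0x11(Connecting)
"""

# timestamp, [source line], function name, message; search() tolerates a CLI prompt prefix
LINE = re.compile(r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \[(\d+)\] (\w+): (.*)$")

def triage(text):
    """Summarise a FortiGuard update-daemon debug capture (hypothetical helper)."""
    r = {"servers": [], "timeouts": 0, "errors": [],
         "fail_counter": None, "last_state": None}
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # command echo, ping output, "Command fail" lines
        func, msg = m.group(3), m.group(4)
        if func == "fds_svr_default_pickup_server":
            r["servers"].append(msg.partition(": ")[2])
        elif func == "fds_https_timeout":
            r["timeouts"] += 1
        elif func == "fds_svr_default_on_error":
            err = re.search(r"ip=(\S+), reason=(\d+)", msg)
            cnt = re.search(r"(\d+)/(\d+)$", msg)
            if err:
                r["errors"].append((err.group(1), int(err.group(2))))
            elif cnt:
                r["fail_counter"] = (int(cnt.group(1)), int(cnt.group(2)))
        elif func == "tcps_connect":
            st = re.search(r"-> 0x[0-9a-f]+\((\w+)\)", msg)
            if st:
                r["last_state"] = st.group(1)
    # Bracketed addresses are IPv6; worth knowing if the WAN has no IPv6 path.
    r["ipv6_tried"] = any(s.startswith("[") for s in r["servers"])
    # Assumption: timeouts with no state past "Connecting" mean TCP never
    # completed, so look at routing/ISP before certificates or the clock.
    r["tcp_path_suspect"] = r["timeouts"] > 0 and r["last_state"] in (None, "Connecting")
    return r

if __name__ == "__main__":
    print(triage(SAMPLE))
```
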
If all is similar for all FortiGates then I think you should check the WAN connection. Probably the issue is caused by the ISP.
Is it possible to try with another WAN link during a maintenance window? (Try with 4G or another ISP.)
I can see you can't ping FortiGuard, while you can resolve from 8.8.8.8.
Can you share the following:
config system fortiguard
get source-ip
end
config system dns
get source-ip
end
config log fortiguard setting
get source-ip
end
Consider that an identical route and config is set on another 100 devices without any issue reported or identified. I have a quad-zero route to a VPN connection, and several static routes pointing FortiGuard public IPs to the internet, including the FortiGuard IP 12.34.97.71, so this device, like the other devices with the same routing, should reach the FortiGuard domain. Just 3 firewall policies are configured: two for VPN traffic in-out and the default for LAN going to the internet. I can't ping anything outside the VPN! minimal issue =V
I removed it by CLI using the unset of the FortiGate account ID and tried again, but got the same result. The following output shows what was requested:
fortiguard source-ip: 0.0.0.0
dns source-ip: 0.0.0.0
log fortiguard source-ip: 0.0.0.0
Also, the output for the command "execute fortiguard-log domain" should be
EUROPE
US
GLOBAL
but for this Forti 40F device it is:
execute fortiguard-log domain
Failed
Command fail. Return code 5
Created on 03-14-2024 11:48 AM Edited on 03-14-2024 11:48 AM
You were right: after shutting down the interface and enabling the backup link, it worked properly. Tyv @AEK
I booted the device and now I can manage the device through fortiguard.net, but somehow I can't reach any destination other than the VPN tunnel.
Hello salassilvaj,
There might be a connectivity issue between your FortiGate device and the FortiGuard server. Here are some steps you can take to troubleshoot and potentially resolve the issue:
Check Internet Connectivity: Ensure that your FortiGate device has proper internet connectivity. You can try to ping other external servers or perform a traceroute to diagnose any network connectivity issues.
Check Firewall Policies: Make sure that there are no firewall policies blocking traffic from your FortiGate device to the FortiGuard servers. Review your firewall policies to ensure that traffic to the necessary destinations and ports is allowed.
Check Routing Configuration: Verify that the routing configuration on your FortiGate device is correct and that traffic destined for the FortiGuard servers is being routed properly. Ensure that the static routes for the FortiGuard pool are configured correctly.
Check DNS Resolution: Confirm that DNS resolution is working properly on your FortiGate device. You mentioned that the DNS is set to 8.8.8.8, but make sure that DNS resolution for the FortiGuard domain (service.fortiguard.net) is resolving correctly.
Check Time and Date Settings: Ensure that the time and date settings on your FortiGate device are accurate. SSL connections can fail if the device's clock is not synchronized with the correct time.
Check for Firmware Updates: Ensure that your FortiGate device is running the latest firmware version. Sometimes, firmware bugs or compatibility issues can cause connectivity problems.
Contact Fortinet Support: If the issue persists after performing the above steps, consider reaching out to Fortinet support for further assistance. They can provide specialized support and troubleshooting steps tailored to your specific setup.
By systematically troubleshooting these areas, you should be able to identify and resolve the connectivity issue between your FortiGate device and the FortiGuard server.
1 and 3. Routing is configured fine, but I can't reach anything on the internet outside the VPN.
2. Firewall policies are similar to another device without any issue.
4. There is no resolution; similar reply to point #1.
5. Time is set and correct.
6. It is the latest one available for free remotely from FortiCloud, 7.4.0.