Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
salassilvaj
New Contributor III

Fortigate 40F fortiguard-log issue reported

Following issue shows a wrong connection to Fortiguard-log server, password is correct and worked properly with another Fortigate device, diagnose log is activate but I can't connect to Forticloud: 

 

FORTI-40F # execute fortiguard-log login xxxMAILxxx xxxPWDxxx
2024-03-13 12:52:46 [643] fds_https_stop_server: 173.243.143.6:443
2024-03-13 12:52:46 [205] __ssl_data_ctx_free: Done
2024-03-13 12:52:46 [1047] ssl_free: Done
2024-03-13 12:52:46 [197] __ssl_cert_ctx_free: Done
2024-03-13 12:52:46 [1057] ssl_ctx_free: Done
2024-03-13 12:52:46 [1038] ssl_disconnect: Shutdown
2024-03-13 12:52:46 [554] fds_https_timeout: Connection timed out, svr=Forticlient-svr
2024-03-13 12:52:46 [246] fds_svr_default_on_error: Forticlient-svr: ip=173.243.143.6:443, reason=4
2024-03-13 12:52:46 [263] fds_svr_default_on_error: Forticlient-svr: Conn failes 1/2
2024-03-13 12:52:46 [145] fds_svr_default_pickup_server: Forticlient-svr: [2620:101:9000:143:173:243:143:6]:443
Failed: FGT internal error(-1)
Command fail. Return code 5

FORTI-40F # 2024-03-13 12:52:56 [643] fds_https_stop_server: [2620:101:9000:143:173:243:143:6]:443
2024-03-13 12:52:56 [145] fds_svr_default_pickup_server: Forticlient-svr: 173.243.143.6:443
2024-03-13 12:52:56 [589] fds_https_start_server: server: 173.243.143.6:443
2024-03-13 12:52:56 [590] fds_https_start_server: source-ip: 0.0.0.0:0
2024-03-13 12:52:56 [114] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
2024-03-13 12:52:56 [482] ssl_ctx_use_builtin_store: Loaded Fortinet Trusted Certs
2024-03-13 12:52:56 [488] ssl_ctx_use_builtin_store: Enable CRL checking.
2024-03-13 12:52:56 [495] ssl_ctx_use_builtin_store: Enable OCSP Stapling.
2024-03-13 12:52:56 [767] ssl_ctx_create_new: SSL CTX is created
2024-03-13 12:52:56 [794] ssl_new: SSL object is created
2024-03-13 12:52:56 [86] https_create: proxy server 0.0.0.0 port:0
2024-03-13 12:52:56 [206] forticldd_add_hostname_check: Add hostname checking 'globalfctupdate.fortinet.net'
2024-03-13 12:52:56 [573] __tcps_tcp_start_connect: sockfd=11, server=173.243.143.6:443, use_harelay=0, use_proxy=0
2024-03-13 12:52:56 [577] __tcps_tcp_start_connect: ret=-1
2024-03-13 12:52:56 [582] __tcps_tcp_start_connect: errno=115(Operation now in progress)
2024-03-13 12:52:56 [870] tcps_connect: 173.243.143.6:443 -- ret 0, state 0x0(Intialized) -> 0x11(Connecting)

 

 

FORTI-40F# execute ping service.fortiguard.net
PING guard.fortinet.net (12.34.97.71): 56 data bytes
--- guard.fortinet.net ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

 

Consider all fortiguard pool /24 are staticly routed to internet connection, and other devices can reach fortiguard domain with same routing. DNS is set to 8.8.8.8.

Jonathan Salas
Jonathan Salas
1 Solution
AEK

If all is similar for all FortiGates then I think you should check the WAN connection. Probably the issue is caused by the ISP.

Is it possible to try with another WAN link during maintenance window? (try with 4G or other ISP).

AEK

View solution in original post

AEK
7 REPLIES 7
AEK
SuperUser
SuperUser

I can see you can't ping FortiGuard, while you can resolve from 8.8.8.8.

Can you share the following:

config system fortiguard
get source-ip
end

config system dns
get source-ip
end

config log fortiguard setting
get source-ip
end

 

AEK
AEK
salassilvaj
New Contributor III

Consider identical route and config is set for another 100 devices without issue reported or identified. I've a quad zero route to a vpn connection, and several static routes poiting fortiguard public ip to internet, including ip of fortiguard 12.34.97.71, so that way this device similar than another devices with same routing should reach fortiguard domain. Just 3 firewall policies are configured, two for vpn traffic in-out and the default for lan going to internet. I can´t ping anything outside the vpn! minimal issue =V

I removed by cli using the unset fortigate account id and try it again but same result. Following output shows requested

fortiguard source-ip: 0.0.0.0

dns source-ip: 0.0.0.0

log fortiguard source-ip: 0.0.0.0

 

Also output for command "execute fortiguard-log domain" should be

EUROPE
US
GLOBAL

but for this forti 40F device is:

execute fortiguard-log domain
Failed
Command fail. Return code 5

Jonathan Salas
Jonathan Salas
AEK

If all is similar for all FortiGates then I think you should check the WAN connection. Probably the issue is caused by the ISP.

Is it possible to try with another WAN link during maintenance window? (try with 4G or other ISP).

AEK
AEK
salassilvaj
New Contributor III

you were right, after shutdown the interface and enable backup link it worked properly. Tyv @AEK 

Jonathan Salas
Jonathan Salas
salassilvaj
New Contributor III

I booted the device and now I can manage the device through fortiguard.net, but somehow I can´t reach another destination than vpn tunnel

Jonathan Salas
Jonathan Salas
Durga_Ashwath

Hello salassilvaj,

 There might be a connectivity issue between your FortiGate device and the FortiGuard server. Here are some steps you can take to troubleshoot and potentially resolve the issue:

  1. Check Internet Connectivity: Ensure that your FortiGate device has proper internet connectivity. You can try to ping other external servers or perform a traceroute to diagnose any network connectivity issues.

  2. Check Firewall Policies: Make sure that there are no firewall policies blocking traffic from your FortiGate device to the FortiGuard servers. Review your firewall policies to ensure that traffic to the necessary destinations and ports is allowed.

  3. Check Routing Configuration: Verify that the routing configuration on your FortiGate device is correct and that traffic destined for the FortiGuard servers is being routed properly. Ensure that the static routes for the FortiGuard pool are configured correctly.

  4. Check DNS Resolution: Confirm that DNS resolution is working properly on your FortiGate device. You mentioned that the DNS is set to 8.8.8.8, but make sure that DNS resolution for the FortiGuard domain (service.fortiguard.net) is resolving correctly.

  5. Check Time and Date Settings: Ensure that the time and date settings on your FortiGate device are accurate. SSL connections can fail if the device's clock is not synchronized with the correct time.

  6. Check for Firmware Updates: Ensure that your FortiGate device is running the latest firmware version. Sometimes, firmware bugs or compatibility issues can cause connectivity problems.

  7. Contact Fortinet Support: If the issue persists after performing the above steps, consider reaching out to Fortinet support for further assistance. They can provide specialized support and troubleshooting steps tailored to your specific setup.

By systematically troubleshooting these areas, you should be able to identify and resolve the connectivity issue between your FortiGate device and the FortiGuard server.

salassilvaj

1 and 3. Routing is configured fine, but I can´t reach internet anything outside vpn,

2. Firewall policies are similar to another device without any issue

4. There is no resolution simimar reply than point #1

5. Time is set and correct

6. Is the last available free by remote from Forticloud 7.4.0

Jonathan Salas
Jonathan Salas
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors