Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
tehm
New Contributor

Fortigate VM 7.4.3 stuck at Validating License to FortiGuard

Skærmbillede 2024-02-19 131155.png

 

I have been trying differend things

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Failure-on-update-or-contact-FortiGu...

 

I can ping all necessary addresses

 

This is the debug:

 


# ssl_connect_fds[407]-Poll timeout
[207] __ssl_data_ctx_free: Done
[1108] ssl_free: Done
[199] __ssl_cert_ctx_free: Done
[1118] ssl_ctx_free: Done
upd_comm_connect_fds[478]-Failed SSL connect
do_setup[333]-Failed setup
upd_daemon[1974]-Disabling remaining actions 11
upd_vm_process[809]-last warning 161 seconds ago
upd_dns_change_notif[140]-Detected dns change from 8.8.8.8, 8.8.4.4, 0.0.0.0 to 96.45.45.45, 96.45.46.46, 0.0.0.0
upd_vm_process[809]-last warning 161 seconds ago
upd_ftgd_global_change_notif[224]-Detected anycast change
upd_vm_process[809]-last warning 161 seconds ago
upd_daemon[1808]-Received update request from pid=1905
upd_vm_process[809]-last warning 161 seconds ago
upd_daemon[1776]-Received setup request from pid=1907
upd_vm_process[809]-last warning 161 seconds ago
upd_daemon[1776]-Received setup request from pid=1907
upd_vm_process[809]-last warning 161 seconds ago
upd_vm_process[809]-last warning 166 seconds ago
upd_vm_process[809]-last warning 171 seconds ago
do_setup[329]-Starting SETUP
upd_fds_load_default_server[920]-Addr=[149.5.232.66], weight=205966649
upd_fds_load_default_server[939]-Resolve and add fds euupdate.fortiguard.net ip address OK.
upd_fds_load_default_server6[1046]-Resolve and add fds euupdate.fortiguard.net ipv6 address failed.
upd_comm_connect_fds[459]-Trying FDS 149.5.232.66:443
[116] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[116] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory_Backup.cer, root ca Fortinet_CA_Backup, idx 1
[497] ssl_ctx_use_builtin_store: Loaded Fortinet Trusted Certs
[517] ssl_ctx_use_builtin_store: Enable CRL checking.
[524] ssl_ctx_use_builtin_store: Enable OCSP Stapling.
[828] ssl_ctx_create_new: SSL CTX is created
[855] ssl_new: SSL object is created
[191] ssl_add_ftgd_hostname_check: Add hostname checking 'euupdate.fortiguard.net'...
[922] ssl_set_hostname: Set hostname 'fortinet-ca2.fortinet.com'
[720] __ssl_info_callback: before SSL initialization
[720] __ssl_info_callback: SSLv3/TLS write client hello
[720] __ssl_info_callback: SSLv3/TLS write client hello
[720] __ssl_info_callback: SSLv3/TLS read server hello
[720] __ssl_info_callback: TLSv1.3 read encrypted extensions
ssl_connect_fds[407]-Poll timeout
[207] __ssl_data_ctx_free: Done
[1108] ssl_free: Done
[199] __ssl_cert_ctx_free: Done
[1118] ssl_ctx_free: Done
upd_comm_connect_fds[478]-Failed SSL connect
do_setup[333]-Failed setup
upd_daemon[1974]-Disabling remaining actions 11
upd_vm_process[809]-last warning 297 seconds ago
upd_daemon[1808]-Received update request from pid=1937
upd_vm_process[809]-last warning 297 seconds ago
upd_daemon[1808]-Received update request from pid=2059
upd_vm_process[809]-last warning 297 seconds ago
upd_daemon[1808]-Received update request from pid=2076
upd_vm_process[809]-last warning 297 seconds ago
upd_daemon[1808]-Received update request from pid=2075
upd_vm_process[809]-last warning 297 seconds ago
upd_vm_process[809]-last warning 302 seconds ago
upd_vm_process[809]-last warning 307 seconds ago
do_setup[329]-Starting SETUP
upd_fds_load_default_server6[1046]-Resolve and add fds euupdate.fortiguard.net ipv6 address failed.
upd_comm_connect_fds[459]-Trying FDS 149.5.232.66:443
[116] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[116] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory_Backup.cer, root ca Fortinet_CA_Backup, idx 1
[497] ssl_ctx_use_builtin_store: Loaded Fortinet Trusted Certs
[517] ssl_ctx_use_builtin_store: Enable CRL checking.
[524] ssl_ctx_use_builtin_store: Enable OCSP Stapling.
[828] ssl_ctx_create_new: SSL CTX is created
[855] ssl_new: SSL object is created
[191] ssl_add_ftgd_hostname_check: Add hostname checking 'euupdate.fortiguard.net'...
[922] ssl_set_hostname: Set hostname 'fortinet-ca2.fortinet.com'
[720] __ssl_info_callback: before SSL initialization
[720] __ssl_info_callback: SSLv3/TLS write client hello

 

 

21 REPLIES 21
Richie_C
Staff
Staff

Hi

 

This is usually related to some type of filtering. 

upd_comm_connect_fds[478]-Failed SSL connect

 

Have you tried the steps in the following document:

 

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Unable-to-connect-to-FortiGuard-serv...

 

Thanks

Take a backup before making any changes
tehm
New Contributor

@Richie_C  Thanks for fast reply
Ive run: diag debug rating

And all 3 Web-Filter, Antispam and Virus outbreak prevention are disabled

Richie_C

You could try the following configuration as per the document. The FortiGate will then use UDP instead of TCP443. 

 

 

config system fortiguard
set fortiguard-anycast disable
set protocol udp
set port 8888
set sdns-server-ip 208.91.112.220    <-
end

 

Take a backup before making any changes
tehm
New Contributor

This has already been done, same result sorry - This is my FortiGuard settings
show full-configuration
config system fortiguard
set fortiguard-anycast disable
set protocol udp
set port 8888
set load-balance-servers 1
set auto-join-forticloud enable
set update-server-location eu
set sandbox-region ''
set update-ffdb enable
set update-uwdb enable
set update-dldb enable
set update-extdb enable
set update-build-proxy enable
set vdom ''
set auto-firmware-upgrade disable
set FDS-license-expiring-days 15
set antispam-force-off disable
set antispam-cache enable
set antispam-cache-ttl 1800
set antispam-cache-mpermille 1
set antispam-timeout 7
set outbreak-prevention-force-off disable
set outbreak-prevention-cache enable
set outbreak-prevention-cache-ttl 300
set outbreak-prevention-cache-mpermille 1
set outbreak-prevention-timeout 7
set webfilter-force-off disable
set webfilter-cache enable
set webfilter-cache-ttl 3600
set webfilter-timeout 15
set sdns-server-ip "208.91.112.220"
set sdns-server-port 53
unset sdns-options
set source-ip 0.0.0.0
set source-ip6 ::
set proxy-server-ip ''
set proxy-server-port 0
set proxy-username ''
set proxy-password ENC xxxxxxxxxx
set ddns-server-ip 0.0.0.0
set ddns-server-ip6 ::
set ddns-server-port 443
set interface-select-method auto
end

Richie_C

Ok, lets start with verifying DNS. Can you ping the following:

 

execute ping service.fortiguard.net
Take a backup before making any changes
tehm
New Contributor

I am able to yes.

exec ping service.fortiguard.net

exec ping update.fortiguard.net

exec ping guard.fortinet.net

mle2802
Staff
Staff

Hi @tehm,
Did you have any upstream device or directly connected to ISP modem?

Regards,

tehm
New Contributor

Well its a VM installed in GNS3 which is on a PC thats connected to the internet behind our company FGT firewall.

Richie_C

Is it possible that the corporate firewall is doing some type of filtering?  Maybe some SSL inspection, or blocking UDP 8888?

Take a backup before making any changes
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors