I have been trying differend things
I can ping all necessary addresses
This is the debug:
# ssl_connect_fds[407]-Poll timeout
[207] __ssl_data_ctx_free: Done
[1108] ssl_free: Done
[199] __ssl_cert_ctx_free: Done
[1118] ssl_ctx_free: Done
upd_comm_connect_fds[478]-Failed SSL connect
do_setup[333]-Failed setup
upd_daemon[1974]-Disabling remaining actions 11
upd_vm_process[809]-last warning 161 seconds ago
upd_dns_change_notif[140]-Detected dns change from 8.8.8.8, 8.8.4.4, 0.0.0.0 to 96.45.45.45, 96.45.46.46, 0.0.0.0
upd_vm_process[809]-last warning 161 seconds ago
upd_ftgd_global_change_notif[224]-Detected anycast change
upd_vm_process[809]-last warning 161 seconds ago
upd_daemon[1808]-Received update request from pid=1905
upd_vm_process[809]-last warning 161 seconds ago
upd_daemon[1776]-Received setup request from pid=1907
upd_vm_process[809]-last warning 161 seconds ago
upd_daemon[1776]-Received setup request from pid=1907
upd_vm_process[809]-last warning 161 seconds ago
upd_vm_process[809]-last warning 166 seconds ago
upd_vm_process[809]-last warning 171 seconds ago
do_setup[329]-Starting SETUP
upd_fds_load_default_server[920]-Addr=[149.5.232.66], weight=205966649
upd_fds_load_default_server[939]-Resolve and add fds euupdate.fortiguard.net ip address OK.
upd_fds_load_default_server6[1046]-Resolve and add fds euupdate.fortiguard.net ipv6 address failed.
upd_comm_connect_fds[459]-Trying FDS 149.5.232.66:443
[116] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[116] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory_Backup.cer, root ca Fortinet_CA_Backup, idx 1
[497] ssl_ctx_use_builtin_store: Loaded Fortinet Trusted Certs
[517] ssl_ctx_use_builtin_store: Enable CRL checking.
[524] ssl_ctx_use_builtin_store: Enable OCSP Stapling.
[828] ssl_ctx_create_new: SSL CTX is created
[855] ssl_new: SSL object is created
[191] ssl_add_ftgd_hostname_check: Add hostname checking 'euupdate.fortiguard.net'...
[922] ssl_set_hostname: Set hostname 'fortinet-ca2.fortinet.com'
[720] __ssl_info_callback: before SSL initialization
[720] __ssl_info_callback: SSLv3/TLS write client hello
[720] __ssl_info_callback: SSLv3/TLS write client hello
[720] __ssl_info_callback: SSLv3/TLS read server hello
[720] __ssl_info_callback: TLSv1.3 read encrypted extensions
ssl_connect_fds[407]-Poll timeout
[207] __ssl_data_ctx_free: Done
[1108] ssl_free: Done
[199] __ssl_cert_ctx_free: Done
[1118] ssl_ctx_free: Done
upd_comm_connect_fds[478]-Failed SSL connect
do_setup[333]-Failed setup
upd_daemon[1974]-Disabling remaining actions 11
upd_vm_process[809]-last warning 297 seconds ago
upd_daemon[1808]-Received update request from pid=1937
upd_vm_process[809]-last warning 297 seconds ago
upd_daemon[1808]-Received update request from pid=2059
upd_vm_process[809]-last warning 297 seconds ago
upd_daemon[1808]-Received update request from pid=2076
upd_vm_process[809]-last warning 297 seconds ago
upd_daemon[1808]-Received update request from pid=2075
upd_vm_process[809]-last warning 297 seconds ago
upd_vm_process[809]-last warning 302 seconds ago
upd_vm_process[809]-last warning 307 seconds ago
do_setup[329]-Starting SETUP
upd_fds_load_default_server6[1046]-Resolve and add fds euupdate.fortiguard.net ipv6 address failed.
upd_comm_connect_fds[459]-Trying FDS 149.5.232.66:443
[116] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[116] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory_Backup.cer, root ca Fortinet_CA_Backup, idx 1
[497] ssl_ctx_use_builtin_store: Loaded Fortinet Trusted Certs
[517] ssl_ctx_use_builtin_store: Enable CRL checking.
[524] ssl_ctx_use_builtin_store: Enable OCSP Stapling.
[828] ssl_ctx_create_new: SSL CTX is created
[855] ssl_new: SSL object is created
[191] ssl_add_ftgd_hostname_check: Add hostname checking 'euupdate.fortiguard.net'...
[922] ssl_set_hostname: Set hostname 'fortinet-ca2.fortinet.com'
[720] __ssl_info_callback: before SSL initialization
[720] __ssl_info_callback: SSLv3/TLS write client hello
Hi
This is usually related to some type of filtering.
upd_comm_connect_fds[478]-Failed SSL connect
Have you tried the steps in the following document:
Thanks
@Richie_C Thanks for fast reply
Ive run: diag debug rating
And all 3 Web-Filter, Antispam and Virus outbreak prevention are disabled
You could try the following configuration as per the document. The FortiGate will then use UDP instead of TCP443.
config system fortiguard
set fortiguard-anycast disable
set protocol udp
set port 8888
set sdns-server-ip 208.91.112.220 <-
end
Created on 02-19-2024 05:35 AM Edited on 02-19-2024 05:38 AM
This has already been done, same result sorry - This is my FortiGuard settings
show full-configuration
config system fortiguard
set fortiguard-anycast disable
set protocol udp
set port 8888
set load-balance-servers 1
set auto-join-forticloud enable
set update-server-location eu
set sandbox-region ''
set update-ffdb enable
set update-uwdb enable
set update-dldb enable
set update-extdb enable
set update-build-proxy enable
set vdom ''
set auto-firmware-upgrade disable
set FDS-license-expiring-days 15
set antispam-force-off disable
set antispam-cache enable
set antispam-cache-ttl 1800
set antispam-cache-mpermille 1
set antispam-timeout 7
set outbreak-prevention-force-off disable
set outbreak-prevention-cache enable
set outbreak-prevention-cache-ttl 300
set outbreak-prevention-cache-mpermille 1
set outbreak-prevention-timeout 7
set webfilter-force-off disable
set webfilter-cache enable
set webfilter-cache-ttl 3600
set webfilter-timeout 15
set sdns-server-ip "208.91.112.220"
set sdns-server-port 53
unset sdns-options
set source-ip 0.0.0.0
set source-ip6 ::
set proxy-server-ip ''
set proxy-server-port 0
set proxy-username ''
set proxy-password ENC xxxxxxxxxx
set ddns-server-ip 0.0.0.0
set ddns-server-ip6 ::
set ddns-server-port 443
set interface-select-method auto
end
Ok, lets start with verifying DNS. Can you ping the following:
execute ping service.fortiguard.net
I am able to yes.
exec ping service.fortiguard.net
exec ping update.fortiguard.net
exec ping guard.fortinet.net
Hi @tehm,
Did you have any upstream device or directly connected to ISP modem?
Regards,
Well its a VM installed in GNS3 which is on a PC thats connected to the internet behind our company FGT firewall.
Is it possible that the corporate firewall is doing some type of filtering? Maybe some SSL inspection, or blocking UDP 8888?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.