Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
tehm
New Contributor

Created on ‎02-19-2024 04:26 AM Edited on ‎02-19-2024 04:27 AM

Fortigate VM 7.4.3 stuck at Validating License to FortiGuard

Skærmbillede 2024-02-19 131155.png

 

I have been trying differend things

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Failure-on-update-or-contact-FortiGu...

 

I can ping all necessary addresses

 

This is the debug:

 


# ssl_connect_fds[407]-Poll timeout
[207] __ssl_data_ctx_free: Done
[1108] ssl_free: Done
[199] __ssl_cert_ctx_free: Done
[1118] ssl_ctx_free: Done
upd_comm_connect_fds[478]-Failed SSL connect
do_setup[333]-Failed setup
upd_daemon[1974]-Disabling remaining actions 11
upd_vm_process[809]-last warning 161 seconds ago
upd_dns_change_notif[140]-Detected dns change from 8.8.8.8, 8.8.4.4, 0.0.0.0 to 96.45.45.45, 96.45.46.46, 0.0.0.0
upd_vm_process[809]-last warning 161 seconds ago
upd_ftgd_global_change_notif[224]-Detected anycast change
upd_vm_process[809]-last warning 161 seconds ago
upd_daemon[1808]-Received update request from pid=1905
upd_vm_process[809]-last warning 161 seconds ago
upd_daemon[1776]-Received setup request from pid=1907
upd_vm_process[809]-last warning 161 seconds ago
upd_daemon[1776]-Received setup request from pid=1907
upd_vm_process[809]-last warning 161 seconds ago
upd_vm_process[809]-last warning 166 seconds ago
upd_vm_process[809]-last warning 171 seconds ago
do_setup[329]-Starting SETUP
upd_fds_load_default_server[920]-Addr=[149.5.232.66], weight=205966649
upd_fds_load_default_server[939]-Resolve and add fds euupdate.fortiguard.net ip address OK.
upd_fds_load_default_server6[1046]-Resolve and add fds euupdate.fortiguard.net ipv6 address failed.
upd_comm_connect_fds[459]-Trying FDS 149.5.232.66:443
[116] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[116] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory_Backup.cer, root ca Fortinet_CA_Backup, idx 1
[497] ssl_ctx_use_builtin_store: Loaded Fortinet Trusted Certs
[517] ssl_ctx_use_builtin_store: Enable CRL checking.
[524] ssl_ctx_use_builtin_store: Enable OCSP Stapling.
[828] ssl_ctx_create_new: SSL CTX is created
[855] ssl_new: SSL object is created
[191] ssl_add_ftgd_hostname_check: Add hostname checking 'euupdate.fortiguard.net'...
[922] ssl_set_hostname: Set hostname 'fortinet-ca2.fortinet.com'
[720] __ssl_info_callback: before SSL initialization
[720] __ssl_info_callback: SSLv3/TLS write client hello
[720] __ssl_info_callback: SSLv3/TLS write client hello
[720] __ssl_info_callback: SSLv3/TLS read server hello
[720] __ssl_info_callback: TLSv1.3 read encrypted extensions
ssl_connect_fds[407]-Poll timeout
[207] __ssl_data_ctx_free: Done
[1108] ssl_free: Done
[199] __ssl_cert_ctx_free: Done
[1118] ssl_ctx_free: Done
upd_comm_connect_fds[478]-Failed SSL connect
do_setup[333]-Failed setup
upd_daemon[1974]-Disabling remaining actions 11
upd_vm_process[809]-last warning 297 seconds ago
upd_daemon[1808]-Received update request from pid=1937
upd_vm_process[809]-last warning 297 seconds ago
upd_daemon[1808]-Received update request from pid=2059
upd_vm_process[809]-last warning 297 seconds ago
upd_daemon[1808]-Received update request from pid=2076
upd_vm_process[809]-last warning 297 seconds ago
upd_daemon[1808]-Received update request from pid=2075
upd_vm_process[809]-last warning 297 seconds ago
upd_vm_process[809]-last warning 302 seconds ago
upd_vm_process[809]-last warning 307 seconds ago
do_setup[329]-Starting SETUP
upd_fds_load_default_server6[1046]-Resolve and add fds euupdate.fortiguard.net ipv6 address failed.
upd_comm_connect_fds[459]-Trying FDS 149.5.232.66:443
[116] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[116] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory_Backup.cer, root ca Fortinet_CA_Backup, idx 1
[497] ssl_ctx_use_builtin_store: Loaded Fortinet Trusted Certs
[517] ssl_ctx_use_builtin_store: Enable CRL checking.
[524] ssl_ctx_use_builtin_store: Enable OCSP Stapling.
[828] ssl_ctx_create_new: SSL CTX is created
[855] ssl_new: SSL object is created
[191] ssl_add_ftgd_hostname_check: Add hostname checking 'euupdate.fortiguard.net'...
[922] ssl_set_hostname: Set hostname 'fortinet-ca2.fortinet.com'
[720] __ssl_info_callback: before SSL initialization
[720] __ssl_info_callback: SSLv3/TLS write client hello

 

 

Labels:
1636
0 Kudos
21 REPLIES 21
tehm
New Contributor
In response to Richie_C

Created on ‎02-19-2024 06:18 AM

There are this custom Inspection - Nothing to notice - No blocking of the UDP

 

image.png

693
0 Kudos
hbac
Staff
Staff
In response to tehm

Created on ‎02-19-2024 06:27 AM

Hi @tehm,

 

I would suggest creating a policy with no certificate inspection and test again. 

 

Regards, 

680
tehm
New Contributor
In response to hbac

Created on ‎02-19-2024 06:51 AM

This is logs from the PC i have my VM on - Everything is getting accepted

 

Untitled.png

675
0 Kudos
mle2802
Staff
Staff

Created on ‎02-19-2024 06:08 AM

Hi @tehm,
Can you try to unset update location and try again?

704
tehm
New Contributor
In response to mle2802

Created on ‎02-19-2024 06:09 AM

set update-server-location eu this one?

697
0 Kudos
mle2802
Staff
Staff
In response to tehm

Created on ‎02-19-2024 06:12 AM

Hi @tehm,
Yes that correct. Change to "unset update-server-location". Also debug upstream FortiGate to see if traffic from this device being blocked.

695
tehm
New Contributor
In response to mle2802

Created on ‎02-19-2024 06:30 AM

Done - Same issue. I will try what hbac said

678
0 Kudos
mle2802
Staff
Staff
In response to tehm

Created on ‎02-19-2024 07:11 AM

Hi @tehm,
Can you try to connect your device to different network such as home Internet or hotspot and try to do the validation again?

 

660
tehm
New Contributor
In response to mle2802

Created on ‎02-19-2024 11:23 PM Edited on ‎02-19-2024 11:40 PM

Hi @mle2802 

So this morning i tried to to connect my PC to a FortiExtender with a SIM card. No inspection nothing should disturb, this same result - I will try all over in GNS3 just to double check.

 

#EDIT 

Started from fresh with a new VM in GNS3 - Same result - And this time the ISP was a FortiExtender with a SIM

upd_comm_connect_fds[478]-Failed SSL connect

606
0 Kudos
mle2802
Staff
Staff
In response to tehm

Created on ‎02-20-2024 06:32 AM

Hi @tehm,

When trying to unset update location, what is the FDS server IP you are getting from debug? Please also try to run packet capture to see if it may be MTU issue.

Regards,

582
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.