Not applicable

Fortigate update over MPLS

Hi, I am a French customer, and I am going to install a new piece of equipment (FortiGate 110c). I've got a problem with it. To understand my problem, I need to explain how the FortiGate is connected.

I have a Juniper directly connected to the MPLS network with the private IP 10.x.x.10. Behind it I have the FortiGate 11c, connected to the Juniper on the WAN 1 interface with the private IP 10.x.x.9. I have some private networks which use NAT rules to go to the Internet; for example, I am NATing the network 192.168.x.x to the public IP 195.x.x.x over the WAN 1 connection. A static rule has been entered in the router configuration to go by default to the network 10.x.x.10 (it's a default gateway). So for my private networks I don't have any problem: the NAT works perfectly and they have an Internet connection.

My problem is about the update of the FortiGate. As I said, the WAN interface of the FortiGate is connected to the Juniper and the MPLS network with a private IP address, and so the FortiGate tries to get its update by using the IP 10.x.x.10. But as we know, it's impossible to route a private IP on the Internet, and so the FortiGate can't do its update.

How can I tell the FortiGate to use a public IP to fetch its update, like I do with my private networks (with the NAT function)? Thanks for your help.
ede_pfau
SuperUser

What does the Endpoint page I posted look like? Can you update the Fclient manually from there?
Ede Kernel panic: Aiee, killing interrupt handler!
Not applicable

The manual update doesn't work!!!
ede_pfau
SuperUser

This will show you some more info during update (in the CLI):

 diag deb ena
 diag deb app update -1
 exe update-now

...other than that I'm out of clues, sorry.
Ede Kernel panic: Aiee, killing interrupt handler!
Not applicable

Hello Ede, sorry for answering only now, but I've had a lot of problems here this week. So, I've done what you asked me to do, and the result of the CLI debug command is below. Do you have any idea what the reason for the problems is?

 Fortinet-LSBB # upd_daemon.c[886] upd_daemon-Received update now request
 upd_daemon.c[316] do_update-Starting now UPDATE (final try)
 upd_cfg.c[49] upd_cfg_get_host_by_name-Failed to gethostbyname for update.fortiguard.net
 upd_act.c[373] upd_act_update-Trying FDS 208.91.112.68:443 with AcceptDelta=1
 upd_comm.c[208] tcp_connect_fds-Proxy tunneling is disabled
 upd_cfg_api.c[246] upd_cfg_extract_av_db_version-version=04000000AVDB00202-00013.00113-1104141718
 upd_cfg_api.c[246] upd_cfg_extract_av_db_version-version=04000000AVDB00321-00001.00001-1005211337
 upd_cfg_api.c[288] upd_cfg_extract_ids_db_version-version=04000000NIDS00020-00002.00985-1104141310
 upd_cfg_api.c[288] upd_cfg_extract_ids_db_version-version=04000000AVDB00500-00010.00974-0910220100
 upd_cfg_api.c[389] upd_cfg_extract_netscan_db_version-version=04000000VCME00100-00001.00110-1008162004
 upd_pkg.c[491] upd_pkg_create_update_req-Exclude object version 1
 upd_pkg.c[491] upd_pkg_create_update_req-Exclude object version 3
 upd_pkg.c[491] upd_pkg_create_update_req-Exclude object version 11
 upd_pkg.c[100] pack_obj-Packing obj=Protocol=3.0|Command=Update|Firmware=FG110C-FW-4.00-315|SerialNumber=FG100C3G09619771|UpdateMethod=0|AcceptDelta=1|DataItem=04000000AVDB00202-00013.00113-1104141718*04000000NIDS00020-00002.00985-1104141310*00000000FCNI00000-00000.00000-0000000000*04000000ASEN00400-00001.00001-0903172330*00000000FDNI00000-00000.00000-0000000000*01000000FSCI00100-00000.00000-0000000000*04000000AVEN01100-00004.00254-1011011857*04000000NIDS00300-00001.00171-1011021606*04000000ASEN00000-00001.00001-0903172330*04000000VCME00100-00001.00110-1008162004
 upd_pkg.c[193] get_fcpr_rsp_code-Unpacked obj: Protocol=3.0|Response=300|Firmware=FPT033-FW-3.17-0721|SerialNumber=FPT-FDS-DELL0010|Server=FDSG|Persistent=false|ResponseItem=04000000AVDB00202:204*04000000NIDS00020:204*00000000FCNI00000:200*04000000ASEN00400:204*00000000FDNI00000:200*04000000AVEN01100:204*04000000NIDS00300:204*04000000ASEN00000:204*04000000VCME00100:401*01000000FSCI00100:200
 upd_install.c[876] doInstallUpdatePackage-full found obj FCNI
 upd_install.c[889] doInstallUpdatePackage-Updating obj FCNI
 upd_install.c[158] installUpdateObject-Step 1:Unpack obj 7
 upd_install.c[168] installUpdateObject-Step 2:Verify obj 7
 updatepkg.c[670] installUpdObjRest-Step 3:Signal parent not to respawn
 updatepkg.c[680] installUpdObjRest-Step 4:Kill daemon(s)
 updatepkg.c[718] installUpdObjRest-Step 5:Backup /etc/fcni.dat->/tmp/update.backup
 updatepkg.c[732] installUpdObjRest-Step 6:Copy new object /tmp/updkWHjRB->/etc/fcni.dat
 updatepkg.c[774] installUpdObjRest-Step 7:Validate object
 updatepkg.c[797] installUpdObjRest-Step 8:Re-initialize using new obj file
 upd_status_api.c[449] upd_status_extract_support_info-Support addr=support.fortinet.com/registration.aspx
 updatepkg.c[807] installUpdObjRest-Step 9:Delete backup /tmp/update.backup
 updatepkg.c[822] installUpdObjRest-Step 10:Tell parent to respawn
 upd_install.c[876] doInstallUpdatePackage-full found obj FDNI
 upd_install.c[889] doInstallUpdatePackage-Updating obj FDNI
 upd_install.c[158] installUpdateObject-Step 1:Unpack obj 6
 upd_install.c[168] installUpdateObject-Step 2:Verify obj 6
 updatepkg.c[670] installUpdObjRest-Step 3:Signal parent not to respawn
 updatepkg.c[680] installUpdObjRest-Step 4:Kill daemon(s)
 updatepkg.c[718] installUpdObjRest-Step 5:Backup /etc/fdnservers.dat->/tmp/update.backup
 updatepkg.c[732] installUpdObjRest-Step 6:Copy new object /tmp/updrSsymP->/etc/fdnservers.dat
 updatepkg.c[774] installUpdObjRest-Step 7:Validate object
 updatepkg.c[797] installUpdObjRest-Step 8:Re-initialize using new obj file
 updatepkg.c[807] installUpdObjRest-Step 9:Delete backup /tmp/update.backup
 updatepkg.c[822] installUpdObjRest-Step 10:Tell parent to respawn
 upd_install.c[876] doInstallUpdatePackage-full found obj FSCI
 upd_install.c[889] doInstallUpdatePackage-Updating obj FSCI
 upd_install.c[158] installUpdateObject-Step 1:Unpack obj 8
 upd_install.c[168] installUpdateObject-Step 2:Verify obj 8
 updatepkg.c[670] installUpdObjRest-Step 3:Signal parent not to respawn
 updatepkg.c[680] installUpdObjRest-Step 4:Kill daemon(s)
 updatepkg.c[718] installUpdObjRest-Step 5:Backup /etc/sci.dat->/tmp/update.backup
 updatepkg.c[732] installUpdObjRest-Step 6:Copy new object /tmp/updk8iPb4->/etc/sci.dat
 updatepkg.c[774] installUpdObjRest-Step 7:Validate object
 updatepkg.c[797] installUpdObjRest-Step 8:Re-initialize using new obj file
 upd_status_api.c[644] upd_status_extract_contract_info-Extracting contract...(SerialNumber=FG100C3G09619771|Contract=AVDB-1-10-20120325*AVEN-1-10-20120325*NIDS-1-10-20120325*SPRT-1-10-20120325*FMWR-1-10-20120325*FURL-1-10-20120325*HDWR-1-10-20120325*SPAM-1-10-20120325*ENHN-1-10-20120325|AccountID=alain.cavaillou@oca.eu )
 upd_status_api.c[675] upd_status_extract_contract_info-pending registration(255) support acct(alain.cavaillou@oca.eu)
 upd_status_api.c[531] update_status_obj-AVDB contract expiry=Sun Mar 25 00:00:00 2012 level(10) alert(0)
 upd_status_api.c[531] update_status_obj-ETDB contract expiry=Sun Mar 25 00:00:00 2012 level(10) alert(0)
 upd_status_api.c[531] update_status_obj-FLDB contract expiry=Sun Mar 25 00:00:00 2012 level(10) alert(0)
 upd_status_api.c[531] update_status_obj-AIEN contract expiry=Sun Mar 25 00:00:00 2012 level(10) alert(0)
 upd_status_api.c[531] update_status_obj-AVEN contract expiry=Sun Mar 25 00:00:00 2012 level(10) alert(0)
 upd_status_api.c[531] update_status_obj-NIDB contract expiry=Sun Mar 25 00:00:00 2012 level(10) alert(0)
 upd_status_api.c[531] update_status_obj-NIEN contract expiry=Sun Mar 25 00:00:00 2012 level(10) alert(0)
 upd_status_api.c[531] update_status_obj-FMWR contract expiry=Sun Mar 25 00:00:00 2012 level(10) alert(0)
 upd_status_api.c[531] update_status_obj-FURL contract expiry=Sun Mar 25 00:00:00 2012 level(10) alert(0)
 upd_status_api.c[531] update_status_obj-HDWR contract expiry=Sun Mar 25 00:00:00 2012 level(10) alert(0)
 upd_status_api.c[531] update_status_obj-ASEN contract expiry=Sun Mar 25 00:00:00 2012 level(10) alert(0)
 upd_status_api.c[531] update_status_obj-ASRL contract expiry=Sun Mar 25 00:00:00 2012 level(10) alert(0)
 upd_status_api.c[531] update_status_obj-ENHN contract expiry=Sun Mar 25 00:00:00 2012 level(10) alert(0)
 updatepkg.c[807] installUpdObjRest-Step 9:Delete backup /tmp/update.backup
 updatepkg.c[822] installUpdObjRest-Step 10:Tell parent to respawn
 upd_install.c[1206] upd_install_pkg-AVEN011 is up-to-date
 upd_install.c[1206] upd_install_pkg-AVDB is up-to-date
 upd_install.c[1233] upd_install_pkg-FCNI installed successfully
 upd_install.c[1233] upd_install_pkg-FDNI installed successfully
 upd_install.c[1233] upd_install_pkg-FSCI installed successfully
 upd_install.c[1206] upd_install_pkg-NIDS003 is up-to-date
 upd_install.c[1206] upd_install_pkg-NIDS is up-to-date
 upd_install.c[1206] upd_install_pkg-ASEN000 is up-to-date
 upd_install.c[1206] upd_install_pkg-ASEN004 is up-to-date
 upd_install.c[1212] upd_install_pkg-VCME001 is unauthorized
 upd_status.c[200] upd_status_save_status-try to save on status file
 upd_status.c[272] upd_status_save_status-Wrote status file
 upd_act.c[279] __upd_act_update-Package installed successfully
 upd_daemon.c[370] do_update-UPDATE successful
 upd_cfg.c[49] upd_cfg_get_host_by_name-Failed to gethostbyname for update.fortiguard.net
 upd_cfg.c[49] upd_cfg_get_host_by_name-Failed to gethostbyname for update.fortiguard.net

Is there a problem with DNS resolution here?
Not applicable

This is the CLI answer when I force the update on the page Endpoint ==> FortiClient:

 upd_daemon.c[826] upd_daemon-Received ring request
 upd_daemon.c[831] upd_daemon-Doing ring request because forced=1 last_ring=84174811
 upd_daemon.c[433] do_ring-Starting RING
 upd_cfg.c[49] upd_cfg_get_host_by_name-Failed to gethostbyname for update.fortiguard.net
 upd_pkg.c[100] pack_obj-Packing obj=Protocol=3.0|Command=Ring|Firmware=FG110C-FW-4.00-315|SerialNumber=FG100C3G09619771
 upd_act.c[89] upd_act_ring-Trying FDS 208.91.112.72:443
 upd_comm.c[208] tcp_connect_fds-Proxy tunneling is disabled
 upd_pkg.c[193] get_fcpr_rsp_code-Unpacked obj: Protocol=3.0|Response=200|Firmware=FPT033-FW-3.17-0721|SerialNumber=FPT-FDS-DELL0018|Server=FDSG|Persistent=false
 upd_daemon.c[458] do_ring-FDN available
 upd_cfg.c[49] upd_cfg_get_host_by_name-Failed to gethostbyname for update.fortiguard.net
 upd_cfg.c[49] upd_cfg_get_host_by_name-Failed to gethostbyname for update.fortiguard.net
 upd_cfg.c[49] upd_cfg_get_host_by_name-Failed to gethostbyname for update.fortiguard.net
ede_pfau
SuperUser

Alain, no problem. We all are busy sometimes, hopefully...

The debug trace is excellent. At first, I thought that DNS did not resolve. The FGT tried the numerical IP instead and was successful. It updated the list of FortiCare and FortiGuard servers then. All subscribed services have been updated or are up-to-date.

Suggestions:

1. Re-run the 'update-now' command to see if the line with "Failed to gethostbyname for update.fortiguard.net" is printed again. This should not happen, or rather, it should not happen anymore after updating the list of Fortinet servers.
2. If nothing has changed, try to resolve 'update.fortiguard.net' from the CLI:
 exec cli update.fortiguard.net
This has to be working.
3. If the FortiClient status on the dashboard has not changed, and DNS is working fine, then finally I would open a ticket with Fortinet Support. Offer the debug output and ask for an explanation. They will probably ask whether the DNS resolving has been fixed in between.
Ede Kernel panic: Aiee, killing interrupt handler!
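
The reading of the update trace given in the reply above (lookup fails, the FDS is reached by address, items are updated) can be automated. This is an added example, not part of the original thread and not Fortinet code; the meaning of the item codes 200/204/401 is inferred from the verdict lines of this trace, and the function names are hypothetical.

```python
import re

# Item codes paired with the verdict lines of the trace in this thread
# (an inference from this trace, not taken from Fortinet documentation).
ITEM_STATUS = {"200": "installed", "204": "up-to-date", "401": "unauthorized"}

# Lines copied from the posted trace; the "Unpacked obj" line is shortened.
TRACE = """\
upd_cfg.c[49] upd_cfg_get_host_by_name-Failed to gethostbyname for update.fortiguard.net
upd_act.c[373] upd_act_update-Trying FDS 208.91.112.68:443 with AcceptDelta=1
upd_pkg.c[193] get_fcpr_rsp_code-Unpacked obj: Protocol=3.0|Response=300|Server=FDSG|ResponseItem=04000000AVDB00202:204*00000000FCNI00000:200*04000000VCME00100:401
upd_daemon.c[370] do_update-UPDATE successful
upd_cfg.c[49] upd_cfg_get_host_by_name-Failed to gethostbyname for update.fortiguard.net
"""

LINE_RE = re.compile(r"^(?P<file>\w+\.c)\[(?P<line>\d+)\] (?P<func>\w+)-(?P<msg>.*)$")


def parse_response(obj):
    """Split a 'key=value|key=value' object and decode its ResponseItem list."""
    fields = dict(kv.split("=", 1) for kv in obj.split("|") if "=" in kv)
    items = {}
    for entry in fields.get("ResponseItem", "").split("*"):
        if ":" in entry:
            ident, code = entry.rsplit(":", 1)
            # 04000000AVDB00202 -> AVDB00202 (drop the 8-digit prefix)
            items[ident[8:]] = ITEM_STATUS.get(code, "code " + code)
    return fields.get("Response"), items


def triage(trace):
    """Summarise an update-daemon debug trace into the facts that matter."""
    rep = {"dns_failures": 0, "fds_tried": [], "response": None,
           "items": {}, "update_ok": False}
    for raw in trace.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m["msg"]
        if msg.startswith("Failed to gethostbyname"):
            rep["dns_failures"] += 1
        elif msg.startswith("Trying FDS "):
            rep["fds_tried"].append(msg.split()[2])
        elif msg.startswith("Unpacked obj: ") and "ResponseItem=" in msg:
            rep["response"], rep["items"] = parse_response(msg[len("Unpacked obj: "):])
        elif msg == "UPDATE successful":
            rep["update_ok"] = True
    # Success over a literal FDS address with failed lookups: DNS is still broken.
    rep["dns_broken_but_updated"] = rep["update_ok"] and rep["dns_failures"] > 0
    return rep
```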
Not applicable

1) I have got this when I re-run update-now:

 upd_daemon.c[370] do_update-UPDATE successful
 upd_cfg.c[49] upd_cfg_get_host_by_name-Failed to gethostbyname for update.fortiguard.net

It's the same message again.

2) So I tried to resolve update.fortiguard.net:

 Fortinet-LSBB # execute ping update.fortiguard.net
 Unable to resolve hostname.

I don't understand why the hostname resolution does not work, because on a PC on my network, when I try to resolve it, it works. And on the Fortinet I have the right DNS.
ede_pfau
SuperUser

OK this has to be solved first. Look at this:
 gate # diag deb app dns -1
 
 gate # exe ping update.fortiguard.net
 unix_receive_request()-897
 unix_receive_request()-916: vd-0 received a req with 39 bytes
 handle_dns_request()-590: pktlen=39, qr=0
 dns_local_lookup()-708: vfid=0 qname=update.fortiguard.net, qtype=1, qclass=1, offset=39, map#=3 max_zs=512
 dns_lookup_aa_zone()-431: vfid=0, fqdn=update.fortiguard.net
 dns_send_cached_response()-541
 dns_adjust_ttl_values()-112
 dns_adjust_ttl_values()-115: Offset of 1st RR: 39
 dns_adjust_ttl_values()-117: Number of RR' s: 4
 dns_adjust_ttl_values()-128: New ttl: 37534
 dns_adjust_ttl_values()-128: New ttl: 30095
 dns_adjust_ttl_values()-128: New ttl: 30095
 dns_adjust_ttl_values()-128: New ttl: 30095
 dns_forward_response()-528
 __dns_forward_response()-441
 __dns_forward_response()-447: vd-0 Send 118B via fd=15, family=1
 PING fds1.fortinet.com (216.156.209.20): 56 data bytes
 64 bytes from 216.156.209.20: icmp_seq=0 ttl=55 time=204.0 ms
 
How is your DNS set up? Do the clients refer to the FGT which resolves recursively? I will dig some more to get DNS stats.
Ede Kernel panic: Aiee, killing interrupt handler!
Not applicable

Thanks Ede for your help. So, this is the result of the command:

 Fortinet-LSBB # exe ping update.fortiguard.net
 unix_receive_request()-897
 unix_receive_request()-916: vd-0 received a req with 39 bytes
 handle_dns_request()-590: pktlen=39, qr=0
 dns_local_lookup()-708: vfid=0 qname=update.fortiguard.net, qtype=1, qclass=1, offset=39, map#=3 max_zs=512
 dns_lookup_aa_zone()-431: vfid=0, fqdn=update.fortiguard.net
 dns_forward_request()-359
 is_v6_request()-330
 dns_forward_request()-404: Send 39B to 192.54.174.60:53 via fd=10 request:0 dns_num:2 index:0
 dns_forward_request()-430
 dns_forward_request()-359
 is_v6_request()-330
 dns_forward_request()-404: Send 39B to 192.54.174.72:53 via fd=10 request:3 dns_num:2 index:1
 dns_forward_request()-430
 dns_forward_request()-359
 is_v6_request()-330
 dns_forward_request()-404: Send 39B to 192.54.174.72:53 via fd=10 request:1 dns_num:2 index:1
 dns_forward_request()-430
 dns_query_check_timeout()-288: jiffies=92945101
 dns_build_error_response()-564: pktlen=39 id=0
 __dns_forward_response()-441
 __dns_forward_response()-447: vd-0 Send 39B via fd=14, family=1
 upd_cfg.c[49] upd_cfg_get_host_by_name-Failed to gethostbyname for update.fortiguard.net
 dns_forward_request()-359
 is_v6_request()-330
 dns_forward_request()-404: Send 39B to 192.54.174.60:53 via fd=10 request:2 dns_num:2 index:0
 dns_forward_request()-430
 unix_receive_nb_request()-928
 unix_receive_nb_request()-947: vd-0 received a req with 39 bytes
 handle_dns_request()-590: pktlen=39, qr=0
 dns_local_lookup()-708: vfid=0 qname=update.fortiguard.net, qtype=1, qclass=1, offset=39, map#=3 max_zs=4294967295
 dns_lookup_aa_zone()-431: vfid=0, fqdn=update.fortiguard.net
 dns_forward_request()-359
 is_v6_request()-330
 dns_forward_request()-404: Send 39B to 192.54.174.60:53 via fd=10 request:0 dns_num:2 index:0
 dns_forward_request()-430
 dns_build_error_response()-564: pktlen=39 id=0
 __dns_forward_response()-441
 __dns_forward_response()-447: vd-0 Send 39B via fd=15, family=1
 dns_forward_request()-359
 is_v6_request()-330
 dns_forward_request()-404: Send 39B to 192.54.174.72:53 via fd=10 request:3 dns_num:2 index:1
 dns_forward_request()-430
 dns_forward_request()-359
 is_v6_request()-330
 dns_forward_request()-404: Send 39B to 192.54.174.72:53 via fd=10 request:1 dns_num:2 index:1
 dns_forward_request()-430
 dns_query_check_timeout()-288: jiffies=92946174
 dns_build_error_response()-564: pktlen=39 id=0
 __dns_forward_response()-441
 __dns_forward_response()-447: vd-0 Send 39B via fd=14, family=1
 Unable to resolve hostname.

And to answer your question: my machines receive the DNS server information by DHCP and don't ask the FortiGate to resolve names. And on the FortiGate I have also entered the DNS information in the FGT configuration. ^^
ede_pfau
SuperUser

You can see that the FGT first asks the primary DNS configured (ocandns1) and then the secondary (ocandns2). It runs into a timeout then. Both IPs are correct.

Be sure that the configured DNS are used (and not the servers supplied by your provider): "show sys int wan1", look for "set dns-server-override disable".

I can confirm that both DNS can successfully resolve 'update.fortiguard.net'. As both servers are ping-able, can you ping both from the FGT CLI? Is there any other device between the FGT and the WAN, potentially blocking access to port 53? Note that FGT internally generated traffic is not controlled by firewall policies.
Ede Kernel panic: Aiee, killing interrupt handler!
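
The difference between the two "diag deb app dns -1" traces in this thread (one answered from cache, one forwarded to both servers and then timed out) can be extracted mechanically. This is an added example, not part of the original thread and not Fortinet code; the function name and the interpretation of the debug function names are assumptions based on the traces shown here.

```python
import re
from collections import Counter

# Shortened excerpts of the two DNS debug traces posted in this thread.
HEALTHY = """\
dns_local_lookup()-708: vfid=0 qname=update.fortiguard.net, qtype=1, qclass=1, offset=39, map#=3 max_zs=512
dns_send_cached_response()-541
__dns_forward_response()-447: vd-0 Send 118B via fd=15, family=1
"""
FAILING = """\
dns_local_lookup()-708: vfid=0 qname=update.fortiguard.net, qtype=1, qclass=1, offset=39, map#=3 max_zs=512
dns_forward_request()-404: Send 39B to 192.54.174.60:53 via fd=10 request:0 dns_num:2 index:0
dns_forward_request()-404: Send 39B to 192.54.174.72:53 via fd=10 request:3 dns_num:2 index:1
dns_forward_request()-404: Send 39B to 192.54.174.72:53 via fd=10 request:1 dns_num:2 index:1
dns_query_check_timeout()-288: jiffies=92945101
dns_build_error_response()-564: pktlen=39 id=0
__dns_forward_response()-447: vd-0 Send 39B via fd=14, family=1
"""

ENTRY_RE = re.compile(r"^(?P<func>\w+)\(\)-(?P<line>\d+)(?:: (?P<msg>.*))?$")
SEND_RE = re.compile(r"Send \d+B to (?P<server>[\d.]+):53\b")
QNAME_RE = re.compile(r"qname=(?P<name>[^,\s]+)")


def summarize_dns_trace(trace):
    """Report which upstream servers were queried and how the lookup ended."""
    out = {"qname": None, "queries": Counter(), "cached": False,
           "timed_out": False, "error_reply": False}
    for raw in trace.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # prompts, ping output and update-daemon lines
        func, msg = m["func"], m["msg"] or ""
        if func == "dns_local_lookup" and (q := QNAME_RE.search(msg)):
            out["qname"] = q["name"]
        elif func == "dns_forward_request" and (s := SEND_RE.search(msg)):
            out["queries"][s["server"]] += 1
        elif func == "dns_send_cached_response":
            out["cached"] = True
        elif func == "dns_query_check_timeout":
            out["timed_out"] = True
        elif func == "dns_build_error_response":
            out["error_reply"] = True
    if out["cached"]:
        out["verdict"] = "answered from cache"
    elif out["queries"] and (out["timed_out"] or out["error_reply"]):
        out["verdict"] = "forwarded, no upstream answer"
    else:
        out["verdict"] = "inconclusive"
    return out
```

A "forwarded, no upstream answer" verdict with every configured server queried points at the path to port 53 rather than at the DNS settings themselves.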