Hi,
I have a problem on the branch FortiGate: it routes all traffic to the HQ FortiGate, and I cannot run FortiGuard (Unable to connect to FortiGuard servers.), FortiCloud fails to load data, etc.
In the branch console I can ping all FortiGuard servers, and I can telnet to port 514, like:
execute telnet 173.243.132.171 514
Trying 173.243.132.171...
Connected to 173.243.132.171.
On the HQ FortiGate I see in the logs that traffic from the branch destined for FortiGuard, like:
13.248.131.62
173.243.132.27
is allowed and goes out to the internet, but these services are not working. In the log I have something like:
[3038] fds_download_image_list: TRACE
[41] fds_queue_task: req-1 is added to fds-update
[579] fds_https_start_server: server: 13.248.131.62:443
[580] fds_https_start_server: source-ip: 0.0.0.0:0
[113] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[480] ssl_ctx_use_builtin_store: Loaded Fortinet Trusted Certs
[486] ssl_ctx_use_builtin_store: Enable CRL checking.
[493] ssl_ctx_use_builtin_store: Enable OCSP Stapling.
[755] ssl_ctx_create_new_ex: SSL CTX is created
[782] ssl_new: SSL object is created
[82] https_create: proxy server 0.0.0.0 port:0
[185] forticldd_add_hostname_check: Add hostname checking 'globalupdate2.fortinet.net'
[359] __ssl_crl_verify_cb: Cert error 20, unable to get local issuer certificate. Depth 0
[1894] SSL_dump_handshake_err: Certificate failed verification. Error: 20 (unable to get local issuer certificate), depth: 0, subject: /jurisdictionC=US/jurisdictionST=Delaware/businessCategory=Private Organization/serialNumber=3321792/C=US/ST=California/L=Sunnyvale/O=Fortinet, Inc./CN=globalupdate2.fortinet.net.
[1001] ssl_connect: SSL_connect failes: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
[477] fds_https_connect: https_connect(13.248.131.62:443) failed: ssl_connect() failed: 0 (error:00000000:lib(0):func(0):reason(0)).
[203] __ssl_data_ctx_free: Done
[1046] ssl_free: Done
[195] __ssl_cert_ctx_free: Done
[1056] ssl_ctx_free: Done
[1037] ssl_disconnect: Shutdown
[238] fds_svr_default_on_error: fds-update: ip=13.248.131.62:443, reason=4
[255] fds_svr_default_on_error: fds-update: Conn failes 1/1
[275] fds_svr_default_on_error: fds-update: req-id=1, num_try=1, read=0, reason=4
[2993] tsk_send_image_list: num=-1
[465] fds_send_reply: Sending 0 bytes data.
[421] fds_free_tsk: cmd=1; req.noreply=1
[421] fds_free_tsk: cmd=1; req.noreply=0
[186] fds_svr_default_task_xmit: try to get IPs for fds-update
[254] fds_resolv_addr: resolve 'globalupdate2.fortinet.net'
[186] fds_get_addr: name=globalupdate2.fortinet.net, id=14041, cb=0x9588e8
[102] dns_parse_resp: DNS globalupdate2.fortinet.net -> 13.248.131.62
[102] dns_parse_resp: DNS globalupdate2.fortinet.net -> 76.223.2.16
[137] fds_svr_default_pickup_server: fds-update: 13.248.131.62:443
[3274] fds_handle_request: Received cmd 116 from pid-1298, len 0
[465] fds_send_reply: Sending 8 bytes data.
[3274] fds_handle_request: Received cmd 116 from pid-1298, len 0
[465] fds_send_reply: Sending 8 bytes data.
[3274] fds_handle_request: Received cmd 101 from pid-1298, len 0
[41] fds_queue_task: req-101 is added to message-controller
[579] fds_https_start_server: server: 173.243.132.27:443
[580] fds_https_start_server: source-ip: 0.0.0.0:0
[113] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[480] ssl_ctx_use_builtin_store: Loaded Fortinet Trusted Certs
[486] ssl_ctx_use_builtin_store: Enable CRL checking.
[493] ssl_ctx_use_builtin_store: Enable OCSP Stapling.
[755] ssl_ctx_create_new_ex: SSL CTX is created
[782] ssl_new: SSL object is created
[82] https_create: proxy server 0.0.0.0 port:0
[185] forticldd_add_hostname_check: Add hostname checking 'globalmsgctrl2.fortinet.net'
[359] __ssl_crl_verify_cb: Cert error 20, unable to get local issuer certificate. Depth 0
[1894] SSL_dump_handshake_err: Certificate failed verification. Error: 20 (unable to get local issuer certificate), depth: 0, subject: /jurisdictionC=US/jurisdictionST=Delaware/businessCategory=Private Organization/serialNumber=3321792/C=US/ST=California/L=Sunnyvale/O=Fortinet, Inc./CN=globalctrl.fortinet.net.
[1001] ssl_connect: SSL_connect failes: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
[477] fds_https_connect: https_connect(173.243.132.27:443) failed: ssl_connect() failed: 0 (error:00000000:lib(0):func(0):reason(0)).
[203] __ssl_data_ctx_free: Done
[1046] ssl_free: Done
[195] __ssl_cert_ctx_free: Done
[1056] ssl_ctx_free: Done
[1037] ssl_disconnect: Shutdown
upd_daemon[1782]-Received update now request
upd_daemon[1508]-Found cached action=00000002
do_update[492]-Starting now UPDATE (final try)
upd_fds_load_default_server6[1105]-Resolve fds ipv6 address failed.
upd_comm_connect_fds[458]-Trying FDS 76.223.2.16:443
tcp_connect_fds[234]-Binding to interface 122
[113] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[480] ssl_ctx_use_builtin_store: Loaded Fortinet Trusted Certs
[486] ssl_ctx_use_builtin_store: Enable CRL checking.
[493] ssl_ctx_use_builtin_store: Enable OCSP Stapling.
[755] ssl_ctx_create_new_ex: SSL CTX is created
[782] ssl_new: SSL object is created
[166] ssl_add_ftgd_hostname_check: Add hostname checking 'globalupdate2.fortinet.net'
[359] __ssl_crl_verify_cb: Cert error 20, unable to get local issuer certificate. Depth 0
__upd_peer_vfy[331]-Server certificate failed verification. Error: 20 (unable to get local issuer certificate), depth: 0, subject: /jurisdictionC=US/jurisdictionST=Delaware/businessCategory=Private Organization/serialNumber=3321792/C=US/ST=California/L=Sunnyvale/O=Fortinet, Inc./CN=globalupdate2.fortinet.net.
[1001] ssl_connect: SSL_connect failes: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
ssl_connect_fds[392]-Failed SSL connecting (5,0,Success)
[203] __ssl_data_ctx_free: Done
[1046] ssl_free: Done
[195] __ssl_cert_ctx_free: Done
[1056] ssl_ctx_free: Done
upd_comm_connect_fds[476]-Failed SSL connect
upd_comm_connect_fds[458]-Trying FDS 13.248.131.62:443
tcp_connect_fds[234]-Binding to interface 122
[113] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[480] ssl_ctx_use_builtin_store: Loaded Fortinet Trusted Certs
[486] ssl_ctx_use_builtin_store: Enable CRL checking.
[493] ssl_ctx_use_builtin_store: Enable OCSP Stapling.
[755] ssl_ctx_create_new_ex: SSL CTX is created
[782] ssl_new: SSL object is created
[166] ssl_add_ftgd_hostname_check: Add hostname checking 'globalupdate2.fortinet.net'
[359] __ssl_crl_verify_cb: Cert error 20, unable to get local issuer certificate. Depth 0
__upd_peer_vfy[331]-Server certificate failed verification. Error: 20 (unable to get local issuer certificate), depth: 0, subject: /jurisdictionC=US/jurisdictionST=Delaware/businessCategory=Private Organization/serialNumber=3321792/C=US/ST=California/L=Sunnyvale/O=Fortinet, Inc./CN=globalupdate2.fortinet.net.
[1001] ssl_connect: SSL_connect failes: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
ssl_connect_fds[392]-Failed SSL connecting (5,0,Success)
[203] __ssl_data_ctx_free: Done
[1046] ssl_free: Done
[195] __ssl_cert_ctx_free: Done
[1056] ssl_ctx_free: Done
upd_comm_connect_fds[476]-Failed SSL connect
do_update[504]-UPDATE failed
do_check_wanip[655]-Starting getting wan ip
upd_fds_load_default_server6[1105]-Resolve fds ipv6 address failed.
upd_comm_connect_fds[458]-Trying FDS 76.223.2.16:443
tcp_connect_fds[234]-Binding to interface 122
[113] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[480] ssl_ctx_use_builtin_store: Loaded Fortinet Trusted Certs
[486] ssl_ctx_use_builtin_store: Enable CRL checking.
[493] ssl_ctx_use_builtin_store: Enable OCSP Stapling.
[755] ssl_ctx_create_new_ex: SSL CTX is created
[782] ssl_new: SSL object is created
[166] ssl_add_ftgd_hostname_check: Add hostname checking 'globalupdate2.fortinet.net'
[359] __ssl_crl_verify_cb: Cert error 20, unable to get local issuer certificate. Depth 0
__upd_peer_vfy[331]-Server certificate failed verification. Error: 20 (unable to get local issuer certificate), depth: 0, subject: /jurisdictionC=US/jurisdictionST=Delaware/businessCategory=Private Organization/serialNumber=3321792/C=US/ST=California/L=Sunnyvale/O=Fortinet, Inc./CN=globalupdate2.fortinet.net.
[1001] ssl_connect: SSL_connect failes: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
ssl_connect_fds[392]-Failed SSL connecting (5,0,Success)
[203] __ssl_data_ctx_free: Done
[1046] ssl_free: Done
[195] __ssl_cert_ctx_free: Done
[1056] ssl_ctx_free: Done
upd_comm_connect_fds[476]-Failed SSL connect
upd_comm_connect_fds[458]-Trying FDS 13.248.131.62:443
tcp_connect_fds[234]-Binding to interface 122
[113] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[480] ssl_ctx_use_builtin_store: Loaded Fortinet Trusted Certs
[486] ssl_ctx_use_builtin_store: Enable CRL checking.
[493] ssl_ctx_use_builtin_store: Enable OCSP Stapling.
[755] ssl_ctx_create_new_ex: SSL CTX is created
[782] ssl_new: SSL object is created
[166] ssl_add_ftgd_hostname_check: Add hostname checking 'globalupdate2.fortinet.net'
[359] __ssl_crl_verify_cb: Cert error 20, unable to get local issuer certificate. Depth 0
__upd_peer_vfy[331]-Server certificate failed verification. Error: 20 (unable to get local issuer certificate), depth: 0, subject: /jurisdictionC=US/jurisdictionST=Delaware/businessCategory=Private Organization/serialNumber=3321792/C=US/ST=California/L=Sunnyvale/O=Fortinet, Inc./CN=globalupdate2.fortinet.net.
[1001] ssl_connect: SSL_connect failes: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
ssl_connect_fds[392]-Failed SSL connecting (5,0,Success)
[203] __ssl_data_ctx_free: Done
[1046] ssl_free: Done
[195] __ssl_cert_ctx_free: Done
[1056] ssl_ctx_free: Done
upd_comm_connect_fds[476]-Failed SSL connect
do_check_wanip[659]-Failed getting wan ip
Something with certificates, I see, but how to fix this? On the branch I don't use deep SSL scan, only at HQ when going to the internet.
OK, problem resolved.
I have created a rule for Internet Services - FortiGuard and moved it to the top of the rules; this way traffic to FortiGuard from the branch does not go through SSL scanning.
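As an added example (not from the original post and not Fortinet code), here is a small Python parser that walks the style of FDS debug output shown above, groups lines into per-server connection attempts and classifies each one. The sample log is constructed to mirror the post's lines; the 192.0.2.10 attempt uses a documentation address and is included only to show an attempt with no failure logged. The point it makes visible: error 20 at depth 0 means the server certificate's issuer is not in the device's trust store, which is exactly how a certificate re-signed by an upstream deep-inspection CA looks to the FortiGuard daemons, since they trust only the Fortinet CA. That is the condition the accepted answer fixes by exempting FortiGuard destinations from SSL inspection.

```python
"""Classify FortiGate FortiGuard (FDS) connection failures from debug output.

Added example, not from the original thread: groups debug lines into
connection attempts and reports which attempts failed TLS verification and why.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample modelled on the debug output in the thread.
# The 192.0.2.10 attempt is a documentation address added here to show an
# attempt for which no verification or connect failure was logged.
SAMPLE_LOG = """\
[579] fds_https_start_server: server: 13.248.131.62:443
[185] forticldd_add_hostname_check: Add hostname checking 'globalupdate2.fortinet.net'
[359] __ssl_crl_verify_cb: Cert error 20, unable to get local issuer certificate. Depth 0
[1894] SSL_dump_handshake_err: Certificate failed verification. Error: 20 (unable to get local issuer certificate), depth: 0, subject: /C=US/O=Fortinet, Inc./CN=globalupdate2.fortinet.net.
[1001] ssl_connect: SSL_connect failes: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
upd_comm_connect_fds[458]-Trying FDS 76.223.2.16:443
tcp_connect_fds[234]-Binding to interface 122
[166] ssl_add_ftgd_hostname_check: Add hostname checking 'globalupdate2.fortinet.net'
__upd_peer_vfy[331]-Server certificate failed verification. Error: 20 (unable to get local issuer certificate), depth: 0, subject: /C=US/O=Fortinet, Inc./CN=globalupdate2.fortinet.net.
upd_comm_connect_fds[476]-Failed SSL connect
[579] fds_https_start_server: server: 173.243.132.27:443
[185] forticldd_add_hostname_check: Add hostname checking 'globalmsgctrl2.fortinet.net'
[1894] SSL_dump_handshake_err: Certificate failed verification. Error: 20 (unable to get local issuer certificate), depth: 0, subject: /C=US/O=Fortinet, Inc./CN=globalctrl.fortinet.net.
[1001] ssl_connect: SSL_connect failes: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
[579] fds_https_start_server: server: 192.0.2.10:443
"""

# A new attempt starts whenever a daemon announces the server it is dialling.
SERVER_RE = re.compile(
    r"(?:fds_https_start_server: server: |Trying FDS )(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
HOSTNAME_RE = re.compile(r"Add hostname checking '([^']+)'")
VERIFY_ERR_RE = re.compile(
    r"failed verification\. Error: (\d+) \(([^)]+)\), depth: (\d+), subject: (.*?)\.?$")
CN_RE = re.compile(r"CN=([^/]+)")
CONNECT_FAIL_RE = re.compile(r"certificate verify failed|Failed SSL connect")


@dataclass
class Attempt:
    server: str
    port: int
    hostname: Optional[str] = None       # name the daemon expects in the cert
    verify_error: Optional[int] = None   # OpenSSL X509 verify error code
    verify_reason: Optional[str] = None
    depth: Optional[int] = None          # 0 = leaf (server) certificate
    subject_cn: Optional[str] = None     # CN actually presented by the peer
    connect_failed: bool = False


def parse_fds_log(text: str) -> List[Attempt]:
    """Group debug lines into connection attempts, one per announced server."""
    attempts: List[Attempt] = []
    current: Optional[Attempt] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVER_RE.search(line)
        if m:
            current = Attempt(server=m.group(1), port=int(m.group(2)))
            attempts.append(current)
            continue
        if current is None:
            continue
        m = HOSTNAME_RE.search(line)
        if m:
            current.hostname = m.group(1)
            continue
        m = VERIFY_ERR_RE.search(line)
        if m:
            current.verify_error = int(m.group(1))
            current.verify_reason = m.group(2)
            current.depth = int(m.group(3))
            cn = CN_RE.search(m.group(4))
            current.subject_cn = cn.group(1) if cn else None
            continue
        if CONNECT_FAIL_RE.search(line):
            current.connect_failed = True
    return attempts


def classify(a: Attempt) -> str:
    """Name the failure mode of one attempt."""
    if a.verify_error == 20 and a.depth == 0:
        # The leaf certificate's issuer is not in the device's trust store.
        # The FDS daemons trust only the Fortinet CA, so a certificate that an
        # upstream deep-inspection CA re-signed fails exactly like this.
        return "untrusted_issuer_leaf"
    if a.verify_error is not None:
        return "verify_error_%d" % a.verify_error
    if a.connect_failed:
        return "connect_failed"
    return "no_failure_logged"


def diagnose(attempts: List[Attempt]) -> Dict[str, object]:
    """Summarise all attempts and state the most likely cause."""
    verdicts = Counter(classify(a) for a in attempts)
    affected = sorted({a.hostname for a in attempts
                       if a.hostname and classify(a) == "untrusted_issuer_leaf"})
    failures = sum(n for v, n in verdicts.items() if v != "no_failure_logged")
    if failures and verdicts["untrusted_issuer_leaf"] == failures:
        cause = ("every failure is an untrusted issuer on the server certificate: "
                 "look for a TLS re-signing (deep inspection) policy upstream and "
                 "exempt the FortiGuard destinations from it")
    elif failures:
        cause = "mixed failures: inspect each attempt"
    else:
        cause = "no failures"
    return {"attempts": len(attempts), "verdicts": dict(verdicts),
            "affected_hosts": affected, "likely_cause": cause}


if __name__ == "__main__":
    for attempt in parse_fds_log(SAMPLE_LOG):
        print(attempt.server, attempt.hostname, classify(attempt))
    print(diagnose(parse_fds_log(SAMPLE_LOG)))
```

Run it against a saved `diagnose debug application update -1` / `forticldd` capture instead of the constructed sample by reading the file into `parse_fds_log`; a report in which every failure is `untrusted_issuer_leaf` while the subject CN still names the expected FortiGuard host is the signature of an inspection CA in the path rather than a FortiGuard outage.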
Copyright 2024 Fortinet, Inc. All Rights Reserved.