rrodrigues
New Contributor II

Scheduled Firmware upgrade results in failed initialisation - no connectivity of APs or internet

Hello,

Our system was set for a scheduled firmware upgrade - 7.4.1 to 7.4.2.

There was a scheduled automated message about the upgrade, "Automatic firmware upgrade schedule changed", which housed when and what:

date=2023-12-22 time=23:08:37 devid="xxxx" devname="FG-companyname-SC" eventtime=1703315317648109599 tz="-0800" logid="0100032263" type="event" subtype="system" level="notice" vd="root" logdesc="Automatic firmware upgrade schedule changed" user="system" msg="System patch-level auto-upgrade new image installation scheduled between local time Thu Dec 28 23:16:15 2023 and local time Fri Dec 29 01:00:00 2023."

And in our logs we have a critical event (see screenshot) where this was actioned (in line with the timing listed in the email above), and we've just had reports that there is no Wi-Fi being served through this.

A hard reset of the FortiGate seems to resolve this issue, but it happens every time the system reboots itself after an update.

Screenshot 2024-01-02 at 17.32.03.png

What I find interesting is that there are no events between the 28th and 2nd Jan.

It's worth noting that there is also a warning in the logs after this update on 28th December, but I'm unsure if it's connected, so I will mention it nevertheless:

Local certificate Fortinet_SSL_RSA4096 will expire in 0 days.

Is there a known issue or something specific I could search for in order to help track down what the potential issue is for this?

akumar02
Staff

Hello Rrodrigues,

Sometimes it happens that the certificate is expired and admins have trouble logging into the FortiGate GUI, as many browsers do not accept expired certificates.

In order to renew an expired built-in certificate, run the following command on the FortiGate CLI:

# execute vpn certificate local generate default-ssl-key-certs

A message will be prompted to confirm the re-generation of the default certificate.

"Are you sure to re-generate the default RSA, DSA, ECDSA and EdDSA key certs for ssl resign?
Do you want to continue? (y/n)y

Ref: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Renew-Certificate-Expired-on-FortiGate/ta-...

If you are not able to access the FortiGate due to expired certificates, then console access to the FortiGate will be able to help us find the RCA.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-deal-with-a-kernel-panic/ta-p/22680...

 

Kindly let us know if this helps. 

Best Regards,
. . . . . . . . . . . . . . . . . . . . . . . .
Arun Kumar | TAC Engineer II
FORTINET TAC - America EAST
NSE Certified: 1,2,3,4,5,7
Office Hours: 9AM-6PM EST (Tue-Sat)
Contact: https://fortinet.com/support-and-training/support/contact.html
Community Forum: https://community.fortinet.com
# Is there anything Fortinet could have assisted with further, better, or differently?
# Simply request a Manager follow-up
rrodrigues
New Contributor II

So it's not about the page loading and having an error show up about an expired certificate.

You can't actually connect to the IP address and it simply times out.
