FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 189505

Description
The FortiGate was able to communicate with the FortiGuard servers on port 53 or port 8888 and then lost connectivity.
Solution

This issue may be caused by downstream blocking, of which there are two different kinds.

1) DNS compliance checking

The default FortiGuard traffic port is port 53. Although the FortiGuard traffic is DNS-like, it is not DNS and does not look like DNS to a device that inspects port 53 for protocol compliance. So one possibility is that DNS compliance checking is enabled on a device downstream of the FortiGate.

2) Source Port Blocking

Resetting the port also restarts the service, and the unit then uses another random source port within its range (1024-25000). Many ISPs block traffic in the source port range 1025-1030. The service occasionally restarts and randomly chooses a new source port, which may fall in that blocked range.

To tell which cause applies, switch the service back to port 53.

If it fails, something downstream is doing DNS compliance checking on that port; switch back to port 8888. If it does not fail, the loss of connectivity was due to source port blocking.

In that case it is only a matter of time before it recurs, so change the source port range the unit uses for its management traffic to prevent it from happening again:
#config sys global
#set ip-src-port-range 1035-25000
#end
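To make the first cause concrete, the following is an added example (not Fortinet code) of the kind of strict well-formedness check a downstream DNS compliance filter applies to UDP port 53 traffic: a properly formed DNS query passes, while a DNS-like payload that is not actually DNS is rejected. The sample payloads are constructed here and do not represent real FortiGuard traffic.

```python
import struct

# Constructed sample of a non-DNS payload carried on UDP/53: a 12-byte
# DNS-looking header followed by an opaque body (hypothetical, not a
# capture of real FortiGuard traffic).
NOT_DNS_SAMPLE = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + b"\x9f" + b"\x00" * 40

def build_query(name: str, qtype: int = 1, tid: int = 0x1234) -> bytes:
    """Construct a minimal standard DNS query (QR=0, RD=1, one question)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!6H", tid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def is_dns_query(payload: bytes) -> bool:
    """Strict check a DNS compliance filter might apply: header present,
    QR=0, opcode QUERY, QDCOUNT>=1, no answer/authority records, question
    names made of <=63-byte labels totalling <=255 bytes, QCLASS IN or ANY,
    and no unexplained trailing bytes."""
    if len(payload) < 12:
        return False
    _tid, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000 or (flags >> 11) & 0xF:   # response, or non-QUERY opcode
        return False
    if qd == 0 or an or ns:                      # queries carry questions only
        return False
    off = 12
    for _ in range(qd):
        name_len = 0
        while True:
            if off >= len(payload):
                return False
            length = payload[off]
            off += 1
            if length == 0:
                break
            if length > 63:                      # also rejects 0xC0 compression pointers
                return False
            name_len += length + 1
            if name_len > 255 or off + length > len(payload):
                return False
            off += length
        if off + 4 > len(payload):
            return False
        _qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        if qclass not in (1, 255):               # IN or ANY
            return False
    # ARCOUNT=0: nothing may follow; ARCOUNT>0 (e.g. an EDNS OPT RR) needs a body
    return off == len(payload) if ar == 0 else off < len(payload)
```

A filter like this is why moving the FortiGuard service to port 8888 restores connectivity when the failure is caused by DNS compliance checking rather than by source port blocking.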