mpankovski_FTNT
Article Id 193976
Description
This article provides troubleshooting steps for the case where a FortiGate cannot be accessed over HTTPS (port 443) after an upgrade to v5.2.x.

Scope
Upgrade to FortiGate v5.2.x

Solution
To check why the unit cannot be accessed on HTTPS port 443, enable debugging on the HTTPS daemon:

# diag debug application httpsd -1
# diag debug enable

# [httpsd 1551 - 1464100331] http_log.c[439] log_error_core -- [Tue May 24 14:32:11 2016] [error] SSL_accept failed
[httpsd 1551 - 1464100331] http_log.c[439] log_error_core -- [Tue May 24 14:32:11 2016] [error] error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
[httpsd 1550 - 1464100331] http_log.c[439] log_error_core -- [Tue May 24 14:32:11 2016] [error] SSL_accept failed
[httpsd 1550 - 1464100331] http_log.c[439] log_error_core -- [Tue May 24 14:32:11 2016] [error] error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
[httpsd 1551 - 1464100332] http_log.c[439] log_error_core -- [Tue May 24 14:32:12 2016] [error] SSL_accept failed
[httpsd 1551 - 1464100332] http_log.c[439] log_error_core -- [Tue May 24 14:32:12 2016] [error] error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
[httpsd 1550 - 1464100333] http_log.c[439] log_error_core -- [Tue May 24 14:32:13 2016] [error] SSL_accept failed
[httpsd 1550 - 1464100333] http_log.c[439] log_error_core -- [Tue May 24 14:32:13 2016] [error] error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
[httpsd 1551 - 1464100334] http_log.c[439] log_error_core -- [Tue May 24 14:32:14 2016] [error] SSL_accept failed
[httpsd 1551 - 1464100334] http_log.c[439] log_error_core -- [Tue May 24 14:32:14 2016] [error] error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
[httpsd 1550 - 1464100334] http_log.c[439] log_error_core -- [Tue May 24 14:32:14 2016] [error] SSL_accept failed
[httpsd 1550 - 1464100334] http_log.c[439] log_error_core -- [Tue May 24 14:32:14 2016] [error] error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
[httpsd 1551 - 1464100335] http_log.c[439] log_error_core -- [Tue May 24 14:32:15 2016] [error] SSL_accept failed
[httpsd 1551 - 1464100335] http_log.c[439] log_error_core -- [Tue May 24 14:32:15 2016] [error] error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

If the output is similar to the example above, the connecting client is offering a TLS/SSL version that the unit no longer accepts, and tlsv1-0 should be enabled.

A new global system parameter, admin-https-ssl-versions, was added in FortiOS v5.2.3. With its default setting it restricts administrative HTTPS access to TLS 1.1 and TLS 1.2 only.

New default setting with FortiOS release v5.2.3:

FGT-1 # config system global
FGT-1 (global) # get
admin-concurrent : enable
admin-console-timeout: 0
admin-https-pki-required: disable
admin-https-redirect: disable
admin-https-ssl-versions: tlsv1-1 tlsv1-2 <--- New default setting
admin-lockout-duration: 60
admin-lockout-threshold: 3

The available options for admin-https-ssl-versions are TLS 1.0 (tlsv1-0), TLS 1.1 (tlsv1-1), TLS 1.2 (tlsv1-2) and SSLv3 (sslv3).

The following commands add tlsv1-0 to the permitted versions and commit the change:

FGT-1 # config system global
FGT-1 (global) # append admin-https-ssl-versions tlsv1-0
FGT-1 (global) # end
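The debug output earlier in the article is repetitive enough that it helps to have a script summarise it, and after changing admin-https-ssl-versions it helps to confirm from the outside which versions the management interface now accepts. The following Python script is an added example written for this article, not Fortinet code: it parses httpsd debug lines of the format shown above (a few of the article's own lines are embedded as sample input), classifies the OpenSSL error code 140760FC as a protocol-version mismatch, and offers a probe function that attempts one handshake per TLS version against a host and port you supply. The host and port are placeholders, the probe needs network access to your own unit, and the SECLEVEL=0 cipher string is an OpenSSL-specific assumption needed so that a modern client library will offer TLS 1.0 or 1.1 at all.

```python
"""Summarise FortiGate httpsd debug output and probe admin HTTPS TLS versions.
Added example for this article; not Fortinet code."""
import re
import socket
import ssl
from collections import Counter
from typing import Dict, Iterable, NamedTuple, Optional

# Four lines copied from the article's "diag debug application httpsd -1"
# output. The leading "# " on the first line is the CLI prompt.
SAMPLE_LOG = """\
# [httpsd 1551 - 1464100331] http_log.c[439] log_error_core -- [Tue May 24 14:32:11 2016] [error] SSL_accept failed
[httpsd 1551 - 1464100331] http_log.c[439] log_error_core -- [Tue May 24 14:32:11 2016] [error] error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
[httpsd 1550 - 1464100331] http_log.c[439] log_error_core -- [Tue May 24 14:32:11 2016] [error] SSL_accept failed
[httpsd 1550 - 1464100331] http_log.c[439] log_error_core -- [Tue May 24 14:32:11 2016] [error] error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
"""

LINE_RE = re.compile(
    r"^\[httpsd (?P<pid>\d+) - (?P<epoch>\d+)\] http_log\.c\[\d+\] log_error_core -- "
    r"\[(?P<when>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$"
)
ERR_CODE_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")

# OpenSSL reason codes meaning the client offered a protocol version the
# daemon is not configured to accept (rather than a certificate or cipher
# problem). 140760FC is the code shown in the article's output.
VERSION_MISMATCH_CODES = {"140760FC": "SSL23_GET_CLIENT_HELLO:unknown protocol"}


class Event(NamedTuple):
    pid: int
    epoch: int
    when: str
    msg: str
    error_code: Optional[str]


def parse_line(line: str) -> Optional[Event]:
    """Parse one httpsd debug line; return None for lines in any other format."""
    line = line.strip()
    if line.startswith("# "):  # drop a CLI prompt glued to the first debug line
        line = line[2:]
    m = LINE_RE.match(line)
    if not m:
        return None
    code = ERR_CODE_RE.search(m["msg"])
    return Event(int(m["pid"]), int(m["epoch"]), m["when"], m["msg"],
                 code.group(1).upper() if code else None)


def summarise(lines: Iterable[str]) -> Dict[str, object]:
    """Count SSL_accept failures and tally the OpenSSL error codes seen."""
    events = [e for e in (parse_line(ln) for ln in lines) if e is not None]
    codes = Counter(e.error_code for e in events if e.error_code)
    return {
        "accept_failures": sum(1 for e in events if e.msg == "SSL_accept failed"),
        "error_codes": dict(codes),
        "version_mismatch": sum(n for c, n in codes.items() if c in VERSION_MISMATCH_CODES),
        "pids": sorted({e.pid for e in events}),
    }


def likely_cause(summary: Dict[str, object]) -> str:
    """Map a summary onto the article's diagnosis."""
    failures = summary["accept_failures"]
    if failures and summary["version_mismatch"] == failures:
        return "client offers a TLS/SSL version not in admin-https-ssl-versions"
    if failures:
        return "handshake failures with other OpenSSL error codes; inspect error_codes"
    return "no SSL_accept failures in this output"


# Version names as used by the admin-https-ssl-versions setting.
PROBE_VERSIONS = (
    ("tlsv1-0", ssl.TLSVersion.TLSv1),
    ("tlsv1-1", ssl.TLSVersion.TLSv1_1),
    ("tlsv1-2", ssl.TLSVersion.TLSv1_2),
)


def probe_tls_versions(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, bool]:
    """Attempt one handshake per TLS version; True where the server completes it.
    host and port are placeholders for your own management interface."""
    results: Dict[str, bool] = {}
    for name, version in PROBE_VERSIONS:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False  # only the negotiated version matters here
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = version
        ctx.maximum_version = version
        try:  # assumption: OpenSSL 1.1.1+/3.x will not offer TLS 1.0/1.1 at its default seclevel
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = tls.version() is not None
        except (ssl.SSLError, OSError):
            results[name] = False
    return results


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG.splitlines())
    print(s, "->", likely_cause(s))
```

Run the probe against the unit's management address before and after the append command: a client that only succeeds with tlsv1-0 is the one that was being rejected, and once that client is updated the same probe confirms that tlsv1-0 can be removed from admin-https-ssl-versions again.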
