FortiGate
gpap_FTNT
Staff
Article Id 189678

Description

 

This article explains troubleshooting steps for cases where FortiGate cannot connect to FortiGuard servers and does not have direct access to the internet.

 

Scope

 

FortiGate v5.4, v5.6, v6.0, v6.2, v6.4.

 

Solution


First, troubleshoot the connection by enabling the update daemon debug and forcing an update:

 

# diag debug application update -1
# diag debug enable
# exec update-now

 

The debug output contains lines similar to the following:

 

[357] __ssl_crl_verify_cb: Cert error 20, unable to get local issuer certificate. Depth 0
__upd_peer_vfy[331]-Server certificate failed verification. Error: 20 (unable to get local issuer certificate), depth: 0, subject: .
[967] ssl_connect: SSL_connect failes: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
ssl_connect_fds[389]-Failed SSL connecting (5,0,Success)

 

In the packet capture (screenshot not reproduced here):

The issue is caused by an upstream unit (another FortiGate or a third-party firewall) replacing the certificate of the connection. Because the replacement certificate is unknown to the local FortiGate, the SSL handshake fails.


If the issue is caused by an upstream FortiGate, configure it to not perform 'deep inspection' of the traffic going to the local FortiGate. Apply the equivalent exemption if the problem is caused by a third-party unit.

  • If there is no upstream unit or any other device performing inspection and the issue still occurs, the certificate bundle on the FortiGate may be missing some public CA certificates.
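The following script is an added example, not Fortinet code: it reads the output of 'diag debug application update -1' (the constructed sample below reuses the lines quoted above) and flags the __upd_peer_vfy failures that point at a replaced certificate or a missing issuer CA. Error 20 is the code in this article; the other codes in the hint table are OpenSSL X.509 verify codes added on the assumption that FortiOS reports OpenSSL's numbering unchanged.

```python
# Added example (not Fortinet code): classify the X.509 failures reported in
# `diag debug application update -1` output, to separate a replaced
# certificate (upstream deep inspection) or missing CA from other failures.
import re

# Pattern for the verification failure line shown in the article.
_VFY_RE = re.compile(
    r"__upd_peer_vfy\[\d+\]-Server certificate failed verification\. "
    r"Error: (?P<code>\d+) \((?P<reason>[^)]*)\), depth: (?P<depth>\d+)"
)

# OpenSSL X509 verify codes; 20 is the one in the article, the others are
# common siblings (assumption: FortiOS reports OpenSSL's numbering unchanged).
HINTS = {
    20: "issuer CA not in local bundle: an upstream device is replacing the "
        "certificate (deep inspection) or the CA bundle is incomplete",
    19: "self-signed CA in chain: typical of an upstream inspection proxy",
    18: "self-signed leaf certificate: upstream inspection or wrong host",
    10: "certificate expired: check the FortiGate clock or the proxy cert",
}

def parse_verify_failures(debug_output: str) -> list:
    """Return one record per __upd_peer_vfy failure line, with a hint."""
    results = []
    for line in debug_output.splitlines():
        m = _VFY_RE.search(line)
        if not m:
            continue
        code = int(m.group("code"))
        results.append({
            "code": code,
            "reason": m.group("reason"),
            "depth": int(m.group("depth")),
            "hint": HINTS.get(code, "see the OpenSSL X509 verify error list"),
        })
    return results

def likely_cert_replacement(debug_output: str) -> bool:
    """True when the failures match the article's symptom (codes 18/19/20)."""
    return any(r["code"] in (18, 19, 20)
               for r in parse_verify_failures(debug_output))

# Constructed sample: the debug lines quoted in the article.
SAMPLE = """\
[357] __ssl_crl_verify_cb: Cert error 20, unable to get local issuer certificate. Depth 0
__upd_peer_vfy[331]-Server certificate failed verification. Error: 20 (unable to get local issuer certificate), depth: 0, subject: .
ssl_connect_fds[389]-Failed SSL connecting (5,0,Success)
"""
```

Paste the real debug output into SAMPLE (or read it from a file) and call likely_cert_replacement() to decide whether to look for an upstream inspection device before touching the FortiGuard port settings.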


 

  • As a workaround, change the FortiGuard port to 8888 and the protocol to UDP. This is only possible after disabling FortiGuard anycast. Use the following commands:

 

config system fortiguard
    set fortiguard-anycast disable
    set port 8888
    set protocol udp
end

 

  • After this change, the connection to FortiGuard should succeed, since the UDP update protocol does not go through the TLS negotiation that the upstream device was breaking.

 

Related Articles:

Technical Tip: Unable to load FortiGuard DDNS server list

Technical Tip: Unable to connect to FortiGuard servers

Technical Tip: FortiGuard is not reachable via Anycast default method

Troubleshooting Tip: FortiGuard DDNS IP update fails