FortiGate与FortiGuard云端通讯异常排查

得一道人 2022-02-16


After a FortiGate firewall is connected to the Internet, its communication with the FortiGuard cloud may fail, so that its services can no longer be updated.

First, try to ping the FortiGuard cloud servers from the firewall:

# execute ping service.fortiguard.net

# execute ping update.fortiguard.net

Enter the following commands to enable debugging; the output shows the interaction between the FortiGate and the cloud:

# diagnose debug reset

# diagnose debug application update -1

# diagnose debug enable

# fnsysctl killall updated

# execute update-now

If the debug log shows the following, the FortiGate cannot complete the TLS handshake with the FortiGuard server, and these error messages appear:

# upd_daemon.c[323] do_update-Starting now UPDATE (final try)

# upd_act.c[275] __upd_act_update-Trying FDS 173.243.138.66:443 with AcceptDelta=0

# upd_comm.c[215] tcp_connect_fds-Proxy tunneling is disabled

# upd_comm.c[529] ssl_connect_fds-Poll event error:19

# upd_comm.c[618] upd_comm_connect_fds-Failed SSL connect

One possible cause is the MTU on the WAN interface. A small ICMP ping still succeeds, but the TLS handshake carries full-size TCP segments, which can be dropped when they exceed the path MTU; changing the interface MTU value may therefore resolve the TLS connection problem.

To change the MTU value of the interface, use the following commands:

# config system interface

# edit wan1

# set mtu-override enable

# set mtu 1462

# end

Run the earlier debug commands again to view the latest interaction:

# diagnose debug reset

# diagnose debug application update -1

# diagnose debug enable

# fnsysctl killall updated

# execute update-now

The FortiGate can now communicate with FortiGuard normally:

do_setup[340]-Starting SETUP

upd_fds_load_default_server[924]-Addr=[173.243.141.6], weight=1104122476

upd_fds_load_default_server[941]-Resolve fds ip address OK.

upd_fds_load_default_server6[1046]-Resolve fds ipv6 address failed.

upd_comm_connect_fds[455]-Trying FDS 173.243.141.6:443

[267] __ssl_init: Done

[113] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)

[480] ssl_ctx_use_builtin_store: Loaded Fortinet Trusted Certs

[486] ssl_ctx_use_builtin_store: Enable CRL checking.

[493] ssl_ctx_use_builtin_store: Enable OCSP Stapling.

[755] ssl_ctx_create_new_ex: SSL CTX is created

[782] ssl_new: SSL object is created

[166] ssl_add_ftgd_hostname_check: Add hostname checking 'usupdate.fortinet.net'

[343] __ssl_crl_verify_cb: CRL not found. Depth 0

__upd_peer_vfy[330]-Server certificate OK.

__upd_peer_vfy[330]-Server certificate OK.

__upd_peer_vfy[330]-Server certificate OK.

__upd_peer_vfy[330]-Server certificate OK.

[383] __bio_mem_dump: OCSP status good

pack_obj[185]-Packing obj=Protocol=3.0|Command=VMSetup|Firmware=FGVMK6-FW-7.00-0157|SerialNumber=FGVM01TMYYYYYYYY|Connection=Internet|Address=z.z.z.z:0|Language=en-US|TimeZone=8|UpdateMethod=1|Uid=f2d7fc26af8a4b9c826f378ece503a01|VMPlatform=KVM

get_fcpr_response[297]-Unpacked obj: Protocol=3.0|Response=200|Firmware=FPT033-FW-6.8-0169|SerialNumber=FPT-FGT-DELL1004|Server=FDSG|Persistent=false|PEER_IP=x.x.x.x

get_fcpr_response[337]-Wan ip=[x.x.x.x]

upd_vm_cfg_set_status[235]-Saved status code 200

upd_comm_disconnect_fds[496]-Disconnecting FDS 173.243.141.6:443

[203] __ssl_data_ctx_free: Done

[1046] ssl_free: Done

[195] __ssl_cert_ctx_free: Done

[1056] ssl_ctx_free: Done

[1037] ssl_disconnect: Shutdown

do_setup[350]-SETUP successful
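The two debug captures above (the failed handshake before the MTU change and the successful SETUP after it) are easy to misread when `updated` prints dozens of lines. The following Python script is an added example, not part of the original post and not Fortinet code: it scans `diagnose debug application update -1` output, records which FDS address was tried, and classifies the run as a TLS handshake failure or a successful setup. The regular expressions are assumptions derived only from the lines quoted in the article, so other FortiOS versions may need adjusting; the sample logs are copied (one abbreviated) from the article's own output.

```python
"""Classify FortiGate `updated` debug output for the FortiGuard (FDS) connection.

Added example, not from the original post and not Fortinet code. Patterns are
assumptions based solely on the lines quoted in the article.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed patterns, derived from the article's quoted debug lines only.
FDS_TRY = re.compile(r"Trying FDS (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
POLL_ERR = re.compile(r"ssl_connect_fds-Poll event error:(\d+)")
SSL_FAIL = re.compile(r"Failed SSL connect")
CERT_OK = re.compile(r"Server certificate OK")
SETUP_OK = re.compile(r"SETUP successful")
RESPONSE = re.compile(r"\bResponse=(\d+)")


@dataclass
class UpdateTrace:
    servers: List[Tuple[str, int]] = field(default_factory=list)  # FDS addresses tried
    poll_errors: List[int] = field(default_factory=list)          # ssl_connect_fds poll errors
    ssl_failed: bool = False
    cert_ok: bool = False
    setup_ok: bool = False
    response_code: Optional[int] = None

    @property
    def verdict(self) -> str:
        if self.setup_ok or self.response_code == 200:
            return "ok"
        if self.ssl_failed or self.poll_errors:
            return "tls-handshake-failed"
        if self.servers:
            return "incomplete"
        return "no-fds-attempt"


def analyse(lines) -> UpdateTrace:
    """Walk the debug lines and fill an UpdateTrace."""
    t = UpdateTrace()
    for raw in lines:
        line = raw.strip().lstrip("#").strip()  # drop the CLI prompt the post keeps
        m = FDS_TRY.search(line)
        if m:
            t.servers.append((m.group(1), int(m.group(2))))
            continue
        m = POLL_ERR.search(line)
        if m:
            t.poll_errors.append(int(m.group(1)))
            continue
        if SSL_FAIL.search(line):
            t.ssl_failed = True
        elif CERT_OK.search(line):
            t.cert_ok = True
        elif SETUP_OK.search(line):
            t.setup_ok = True
        m = RESPONSE.search(line)
        if m:
            t.response_code = int(m.group(1))
    return t


# Defender-side next step per verdict; the MTU hint is the article's own fix.
NEXT_STEP = {
    "ok": "FDS reachable and setup completed; no action needed.",
    "tls-handshake-failed": "TCP connect reached FDS but TLS did not complete: "
                            "check the path MTU on the WAN interface and any device "
                            "inspecting TCP/443 on the path.",
    "incomplete": "FDS attempted but neither failure nor success logged; rerun with debug enabled.",
    "no-fds-attempt": "No FDS connection attempt seen; check DNS resolution and routing first.",
}

# Sample input copied from the article's debug output (before the MTU change).
FAIL_LOG = """\
# upd_daemon.c[323] do_update-Starting now UPDATE (final try)
# upd_act.c[275] __upd_act_update-Trying FDS 173.243.138.66:443 with AcceptDelta=0
# upd_comm.c[215] tcp_connect_fds-Proxy tunneling is disabled
# upd_comm.c[529] ssl_connect_fds-Poll event error:19
# upd_comm.c[618] upd_comm_connect_fds-Failed SSL connect
"""

# Sample input abbreviated from the article's debug output (after the MTU change).
OK_LOG = """\
do_setup[340]-Starting SETUP
upd_comm_connect_fds[455]-Trying FDS 173.243.141.6:443
__upd_peer_vfy[330]-Server certificate OK.
get_fcpr_response[297]-Unpacked obj: Protocol=3.0|Response=200|Server=FDSG
upd_vm_cfg_set_status[235]-Saved status code 200
do_setup[350]-SETUP successful
"""

if __name__ == "__main__":
    for name, log in (("before MTU change", FAIL_LOG), ("after MTU change", OK_LOG)):
        t = analyse(log.splitlines())
        print(f"{name}: {t.verdict}; servers={t.servers}; poll_errors={t.poll_errors}")
        print("  -> " + NEXT_STEP[t.verdict])
```

Paste the captured debug output into a file and feed its lines to `analyse()`; the `verdict` separates "the box never reached FDS" (DNS or routing) from "TCP reached FDS but TLS failed" (the MTU case the article describes), which is the distinction that decides where to look next.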
