The issue appears when UTM is enabled on the FortiGate Firewall.
Troubleshooting
Procedure
To check your network connectivity to vCloud Usage Insight, do the following:
- Connect to your Usage Meter appliance over SSH as usagemeter and run the following command:
curl -v https://ums.cloud.vmware.com/um/api/ping
You should receive the following response:
"Connected to ums.cloud.vmware.com (xx.xxx.xxx.xxx) port 443 (#0)".
- Run the following OpenSSL command and check that it fetches the correct certificate chain for ums.cloud.vmware.com.
openssl s_client -connect ums.cloud.vmware.com:443 -servername ums.cloud.vmware.com
Below is a sample excluding the certificate details:
CONNECTED(00000003)
depth=2 C = US, O = "XXXX, Inc.", OU = See www.xxxx.net/legal-terms, OU = "(c) 2009 xxxx, Inc. - for authorized use only", CN = xxxx Root Certification Authority - G2
verify return:1
depth=1 C = US, O = "XXXX, Inc.", OU = See www.xxxx.net/legal-terms, OU = "(c) 2012 xxxx, Inc. - for authorized use only", CN = xxxx Certification Authority - L1K
verify return:1
depth=0 C = US, ST = California, L = Palo Alto, O = "VMware, Inc", CN = ums.cloud.vmware.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Palo Alto/O=VMware, Inc/CN=ums.cloud.vmware.com
i:/C=US/O=xxxx, Inc./OU=See www.xxxx.net/legal-terms/OU=(c) 2012 xxxx, Inc. - for authorized use only/CN=xxxx Certification Authority - L1K
1 s:/C=US/O=xxxx, Inc./OU=See www.xxxx.net/legal-terms/OU=(c) 2012 xxxx, Inc. - for authorized use only/CN=xxxx Certification Authority - L1K
i:/C=US/O=xxxx, Inc./OU=See www.xxxx.net/legal-terms/OU=(c) 2009 xxxx, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
2 s:/C=US/O=xxxx, Inc./OU=See www.xxxx.net/legal-terms/OU=(c) 2009 xxxx, Inc. - for authorized use only/CN=xxxx Root Certification Authority - G2
i:/C=US/O=xxxx, Inc./OU=See www.xxxx.net/legal-terms/OU=(c) 2009 xxxx, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
- Run the following command and check that it returns nslookup details similar to the following:
nslookup ums.cloud.vmware.com
Server: 127.0.0.xx
Address: 127.0.0.xx#53
Non-authoritative answer:
ums.cloud.vmware.com canonical name
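
One way to automate the certificate chain check from the OpenSSL step, as an added example that is not part of the original article: it reads `openssl s_client` output and compares the issuer of the leaf certificate with the issuer you expect, which is how a chain re-signed by a TLS-inspecting device shows up. The function names, the issuer names and both sample chains are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article); all CA names below are constructed.

# Print the issuer CN of chain entry 0 from `openssl s_client` output on stdin.
# Handles both "i:/C=US/.../CN=x" and "i:C = US, ..., CN = x" (CN assumed last).
leaf_issuer_cn() {
    awk '
        /^ *0 s:/ { in_leaf = 1; next }
        in_leaf && /^ *i:/ { sub(/.*CN ?= ?/, ""); print; exit }
    '
}

# Return 0 if the leaf issuer CN equals $1, 1 on mismatch, 2 if no chain was found.
check_issuer() {
    expected=$1
    seen=$(leaf_issuer_cn)
    if [ -z "$seen" ]; then
        echo "no certificate chain in input" >&2
        return 2
    fi
    if [ "$seen" = "$expected" ]; then
        echo "OK: leaf issued by '$seen'"
        return 0
    fi
    echo "MISMATCH: leaf issued by '$seen', expected '$expected'"
    return 1
}

# Constructed sample: chain as seen on a direct connection.
SAMPLE_DIRECT=' 0 s:/C=US/ST=California/L=Palo Alto/O=VMware, Inc/CN=ums.cloud.vmware.com
   i:/C=US/O=Example, Inc./CN=Example Public CA - L1
 1 s:/C=US/O=Example, Inc./CN=Example Public CA - L1
   i:/C=US/O=Example, Inc./CN=Example Root CA'

# Constructed sample: same host, leaf re-signed by an inspecting device.
SAMPLE_INSPECTED=' 0 s:/C=US/ST=California/L=Palo Alto/O=VMware, Inc/CN=ums.cloud.vmware.com
   i:/C=US/O=Example Firewall/CN=Example Inspection CA'

printf '%s\n' "$SAMPLE_DIRECT" | check_issuer "Example Public CA - L1"
printf '%s\n' "$SAMPLE_INSPECTED" | check_issuer "Example Public CA - L1" || true

# Live use on the appliance (needs network access):
#   openssl s_client -connect ums.cloud.vmware.com:443 \
#       -servername ums.cloud.vmware.com </dev/null 2>/dev/null \
#       | check_issuer "<expected issuer CN>"
```

Take the expected issuer CN from a connection that does not pass through the firewall, or from the chain published for the service.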