Troubleshooting abnormal communication between FortiGate and the FortiGuard cloud
2022-06-30 04:15:00 【Call me a little match】
After a FortiGate firewall is connected to the network, communication with the FortiGuard cloud may fail, and services cannot be updated normally.
First, try pinging the FortiGuard cloud servers from the firewall:
# execute ping service.fortiguard.net
# execute ping update.fortiguard.net
Enter the following commands to enable debugging. The output shows the information exchanged between the FortiGate firewall and the cloud:
# diagnose debug reset
# diagnose debug application update -1
# diagnose debug enable
# fnsysctl killall updated
# execute update-now
If the debug log shows the following, the FortiGate cannot complete a TLS handshake with the FortiGuard server, and you will see these error messages:
# upd_daemon.c[323] do_update-Starting now UPDATE (final try)
# upd_act.c[275] __upd_act_update-Trying FDS 173.243.138.66:443 with AcceptDelta=0
# upd_comm.c[215] tcp_connect_fds-Proxy tunneling is disabled
# upd_comm.c[529] ssl_connect_fds-Poll event error:19
# upd_comm.c[618] upd_comm_connect_fds-Failed SSL connect
One possible cause is the MTU on the WAN interface. Changing the interface MTU value may resolve the TLS connection problem.
To change the interface MTU value, refer to the following commands:
# config system interface
# edit wan1
# set mtu-override enable
# set mtu 1462
# end
Re-enter the previous debug commands to view the latest exchange:
# diagnose debug reset
# diagnose debug application update -1
# diagnose debug enable
# fnsysctl killall updated
# execute update-now
You can now see that the FortiGate communicates with FortiGuard normally:
do_setup[340]-Starting SETUP
upd_fds_load_default_server[924]-Addr=[173.243.141.6], weight=1104122476
upd_fds_load_default_server[941]-Resolve fds ip address OK.
upd_fds_load_default_server6[1046]-Resolve fds ipv6 address failed.
upd_comm_connect_fds[455]-Trying FDS 173.243.141.6:443
[267] __ssl_init: Done
[113] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[480] ssl_ctx_use_builtin_store: Loaded Fortinet Trusted Certs
[486] ssl_ctx_use_builtin_store: Enable CRL checking.
[493] ssl_ctx_use_builtin_store: Enable OCSP Stapling.
[755] ssl_ctx_create_new_ex: SSL CTX is created
[782] ssl_new: SSL object is created
[166] ssl_add_ftgd_hostname_check: Add hostname checking 'usupdate.fortinet.net'
[343] __ssl_crl_verify_cb: CRL not found. Depth 0
__upd_peer_vfy[330]-Server certificate OK.
__upd_peer_vfy[330]-Server certificate OK.
__upd_peer_vfy[330]-Server certificate OK.
__upd_peer_vfy[330]-Server certificate OK.
[383] __bio_mem_dump: OCSP status good
pack_obj[185]-Packing obj=Protocol=3.0|Command=VMSetup|Firmware=FGVMK6-FW-7.00-0157|SerialNumber=FGVM01TMYYYYYYYY|Connection=Internet|Address=z.z.z.z:0|Language=en-US|TimeZone=8|UpdateMethod=1|Uid=f2d7fc26af8a4b9c826f378ece503a01|VMPlatform=KVM
get_fcpr_response[297]-Unpacked obj: Protocol=3.0|Response=200|Firmware=FPT033-FW-6.8-0169|SerialNumber=FPT-FGT-DELL1004|Server=FDSG|Persistent=false|PEER_IP=x.x.x.x
get_fcpr_response[337]-Wan ip=[x.x.x.x]
upd_vm_cfg_set_status[235]-Saved status code 200
upd_comm_disconnect_fds[496]-Disconnecting FDS 173.243.141.6:443
[203] __ssl_data_ctx_free: Done
[1046] ssl_free: Done
[195] __ssl_cert_ctx_free: Done
[1056] ssl_ctx_free: Done
[1037] ssl_disconnect: Shutdown
do_setup[350]-SETUP successful
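The two debug captures above can be told apart automatically when the output is saved from many devices. The following Python sketch is an added example, not part of the original post or of any Fortinet tooling; the names triage, FAILED and WORKING are hypothetical, and the sample lines are copied from the captures above (the response line is abridged).

```python
import re

# Signatures taken from the update-daemon debug lines quoted in this article.
TRYING = re.compile(r"Trying FDS (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
POLL_ERR = re.compile(r"ssl_connect_fds-Poll event error:(\d+)")
RESPONSE = re.compile(r"Unpacked obj: .*?\bResponse=(\d+)")
TLS_FAIL = "upd_comm_connect_fds-Failed SSL connect"
CERT_OK = "Server certificate OK"
SETUP_OK = "SETUP successful"

def triage(debug_text):
    """Classify one captured update-daemon debug session (hypothetical helper)."""
    seen = {"servers": [], "poll_errors": [], "response": None,
            "tls_failed": False, "cert_ok": False, "setup_ok": False}
    for line in debug_text.splitlines():
        if m := TRYING.search(line):
            server = f"{m.group(1)}:{m.group(2)}"
            if server not in seen["servers"]:
                seen["servers"].append(server)
        if m := POLL_ERR.search(line):
            seen["poll_errors"].append(int(m.group(1)))
        if m := RESPONSE.search(line):
            seen["response"] = int(m.group(1))
        seen["tls_failed"] |= TLS_FAIL in line
        seen["cert_ok"] |= CERT_OK in line
        seen["setup_ok"] |= SETUP_OK in line
    if seen["setup_ok"] and seen["response"] == 200:
        seen["verdict"] = "ok"
    elif seen["tls_failed"] and not seen["cert_ok"]:
        # The article names the WAN interface MTU as one possible cause.
        seen["verdict"] = "tls-failed: check WAN MTU"
    else:
        seen["verdict"] = "inconclusive"
    return seen

# Sample input: lines copied from the article's two captures (response line abridged).
FAILED = """\
# upd_act.c[275] __upd_act_update-Trying FDS 173.243.138.66:443 with AcceptDelta=0
# upd_comm.c[529] ssl_connect_fds-Poll event error:19
# upd_comm.c[618] upd_comm_connect_fds-Failed SSL connect
"""
WORKING = """\
upd_comm_connect_fds[455]-Trying FDS 173.243.141.6:443
__upd_peer_vfy[330]-Server certificate OK.
get_fcpr_response[297]-Unpacked obj: Protocol=3.0|Response=200|Server=FDSG
do_setup[350]-SETUP successful
"""

print(triage(FAILED)["verdict"], "|", triage(WORKING)["verdict"])
```

A session that matches neither pattern is reported as inconclusive rather than guessed at, so other failure causes are not mislabelled as an MTU problem.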
