vpolovnikov
Staff & Editor
February 13, 2026

Troubleshooting Tip: Collecting logs for effective ZTNA connection failure troubleshooting

Description

This article describes a step-by-step log collection process for effective troubleshooting of ZTNA connection failure.

Scope

FortiClient, EMS, ZTNA, FortiGate.

Solution

When engaging with technical support, it is critical to provide all the necessary logs to increase the speed and effectiveness of the troubleshooting process. This article provides step-by-step instructions on which logs to collect and how to collect them across the multiple products involved in the ZTNA connection process.

 

Note: The following steps apply to ZTNA connection failures and specifically to TCP Access Forwarding Proxy (TFAP) connections. They do not apply to connection issues over IP/MAC-based access control.

 

FortiClient.

Step 1 - Enable debug logging and collect the configuration file.

Complete steps 1 and 2 from the following article - Troubleshooting Tip: Collecting logs for addressing VPN connection issues - to enable debug logging and collect the FortiClient configuration file for further review.

 

FortiClient EMS.

Step 2 - Enable debug log level.

In FortiClient EMS, navigate to System Settings -> Log Settings. Switch the Log level to Debug.

 
[Image: EMS Debug Log.png]

 

FortiGate.

Step 3 - Collect the FortiGate configuration file.

Make sure to collect the FortiGate backup file for configuration review. See step 3 in the following article - Troubleshooting Tip: Collecting logs for addressing VPN connection issues.

 

Step 4 - Gather CLI diagnostics.

Run the following commands on FortiGate prior to making the ZTNA connection.

 

diagnose debug reset
diagnose debug console timestamp enable
diagnose debug app fcnacd -1
diagnose endpoint filter show-large-data yes
diagnose wad filter clear
diagnose wad filter src X.X.X.X    <----- X.X.X.X is the public IP address of the endpoint.
diagnose wad debug enable category all
diagnose wad debug enable level verbose
diagnose debug enable

 

Step 5 - Reproduce the issue.

Reproduce the issue by attempting to make a ZTNA connection from FortiClient.

 

Step 6 - Gather the logs.

Once the issue has been reproduced, collect the CLI output on FortiGate.

 

[Image: FortiGate debugs.png]

 

Related document: How to read FortiGate WAD debugs for ZTNA troubleshooting.

 

Collect FortiClient diagnostics.

 

[Image: diagnostic tool.png]

 

Retrieve EMS diagnostics from under Administration -> Generate Diagnostics Logs.

 

[Image: EMS Diagnostic Logs.png]

 

Step 7 - Attach the logs to a support ticket.

 

In total, five files are expected:

  • (x2) FortiClient and FortiGate backup files.
  • (x3) FortiClient, EMS, and FortiGate CLI diagnostics.
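
The Step 4 command block depends on the X.X.X.X placeholder being replaced with the right endpoint address, so the following added example (not part of the original article or any Fortinet tooling) builds the block from an address and flags one that is not publicly routable. The helper names, the sample address and the "after" commands (standard FortiOS commands to stop debug output once Step 6 is done) are assumptions of this example, and the filter is assumed to take an IPv4 address as in the article's X.X.X.X form.

```python
import ipaddress

# Step 4 commands as listed in the article; {src} replaces the X.X.X.X placeholder.
STEP4 = (
    "diagnose debug reset",
    "diagnose debug console timestamp enable",
    "diagnose debug app fcnacd -1",
    "diagnose endpoint filter show-large-data yes",
    "diagnose wad filter clear",
    "diagnose wad filter src {src}",
    "diagnose wad debug enable category all",
    "diagnose wad debug enable level verbose",
    "diagnose debug enable",
)
# Not in the article: commands to stop the debug output once Step 6 is done.
STOP = ("diagnose debug disable", "diagnose wad filter clear", "diagnose debug reset")


def check_endpoint_ip(text):
    """Return (address, warnings); raise ValueError if it is not an IPv4 address."""
    try:
        ip = ipaddress.IPv4Address(text.strip())
    except ipaddress.AddressValueError:
        raise ValueError(f"{text!r} is not an IPv4 address (placeholder left in?)") from None
    warnings = []
    if not ip.is_global:
        # The article asks for the endpoint's public address; a private, CGNAT or
        # loopback source may not be the address FortiGate sees for the session.
        warnings.append(f"{ip} is not publicly routable; confirm the source address FortiGate sees")
    return str(ip), warnings


def build_session(endpoint_ip):
    """Build the command lists to paste before and after reproducing the issue."""
    src, warnings = check_endpoint_ip(endpoint_ip)
    return {
        "before": [line.format(src=src) for line in STEP4],
        "after": list(STOP),
        "warnings": warnings,
    }


if __name__ == "__main__":
    session = build_session("8.8.8.8")  # constructed sample address
    for note in session["warnings"]:
        print("WARNING:", note)
    print("\n".join(session["before"]))
    print("--- reproduce the issue, save the console output, then: ---")
    print("\n".join(session["after"]))
```
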

 

Additional notes:

Commonly, FortiClient presents a browser message when ZTNA fails to connect, which may be helpful in understanding and troubleshooting the issue. If that is the case, make sure to take a screenshot and share it with technical support. Refer to the Technical Tip: Using ZTNA error code messages to diagnose ZTNA connection failures article for more details on how to approach ZTNA troubleshooting based on the FortiClient error codes.

 

FortiGate ZTNA troubleshooting commands can be found in ZTNA troubleshooting and debugging commands.