cmaheu (Staff), May 3, 2021

Troubleshooting Tip: Appliance domain in Allowed Domains List causes inconsistent agent communication


Description

This article explains why agent communication becomes inconsistent when the domain of the FortiNAC appliance is present in the Allowed Domains List.


Scope


All supported versions of FortiNAC.


Solution

If an entry in the Allowed Domains List matches the domain of the appliance FQDN, traffic between the agent and the appliance may be routed asymmetrically. The agent can then communicate with the appliance from the production network, but not from the restricted network.

Example scenario:
FQDN of FortiNAC server: fortinac-app.fortinet.com
Allowed domain: fortinet.com

Workflow:
1) The Agent in the restricted VLAN sends a DNS query for the appliance name.
2) Because the domain is in the Allowed Domains List, the query is forwarded to the production DNS server.
3) The name is resolved to the eth0 IP address.
4) The Agent attempts communication using the eth0 IP address.
5) Typically the appliance has static routes configured for eth1, so replies destined for the restricted network are sent out eth1. Traffic from the restricted network that arrives on eth0 is therefore dropped. For more information on this expected behavior, see the related KB article below.
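The root cause above is an Allowed Domains entry that covers the appliance's own name. The following script is an added example, not part of this article or of FortiNAC, that checks an exported Allowed Domains List against the appliance FQDN(s) and flags entries that would send the agent's DNS query for the appliance name to the production DNS server. The matching rule (case-insensitive comparison on DNS label boundaries, with a leading "*." or "." and a trailing "." ignored) is an assumption chosen to mirror the fortinet.com / fortinac-app.fortinet.com scenario; the sample lists are constructed.

```python
"""Flag Allowed Domains entries that cover the FortiNAC appliance FQDN.

Added example. The matching rule is an assumption (label-boundary suffix
match), not FortiNAC's documented algorithm; adjust if your deployment
uses a different rule.
"""
from typing import Iterable, List, Tuple


def _labels(name: str) -> List[str]:
    """Normalise a DNS name into lower-case labels.

    Strips surrounding whitespace, a trailing root dot, and a leading
    wildcard ("*.") or bare leading dot, so "*.Fortinet.com." becomes
    ["fortinet", "com"].
    """
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    name = name.lstrip(".")
    return [label for label in name.split(".") if label]


def domain_covers(allowed_entry: str, fqdn: str) -> bool:
    """Return True if fqdn equals, or is a subdomain of, allowed_entry.

    Comparison is done label by label, so "net.com" does NOT cover
    "fortinac-app.fortinet.com" even though it is a plain string suffix.
    """
    entry = _labels(allowed_entry)
    host = _labels(fqdn)
    if not entry or len(entry) > len(host):
        return False
    return host[-len(entry):] == entry


def find_conflicting_domains(
    appliance_fqdns: Iterable[str], allowed_domains: Iterable[str]
) -> List[Tuple[str, str]]:
    """Return (allowed_entry, appliance_fqdn) pairs where the entry covers the appliance name."""
    conflicts: List[Tuple[str, str]] = []
    for entry in allowed_domains:
        for fqdn in appliance_fqdns:
            if domain_covers(entry, fqdn):
                conflicts.append((entry, fqdn))
    return conflicts


# Constructed sample data mirroring the article's scenario; replace with your
# own appliance FQDN(s) and an export of the Allowed Domains List.
APPLIANCE_FQDNS = ["fortinac-app.fortinet.com"]
ALLOWED_DOMAINS = ["fortinet.com", "windowsupdate.com", "net.com", "*.fortinet.com."]

if __name__ == "__main__":
    found = find_conflicting_domains(APPLIANCE_FQDNS, ALLOWED_DOMAINS)
    if not found:
        print("No Allowed Domains entry covers an appliance FQDN.")
    for entry, fqdn in found:
        print(f"Allowed Domains entry '{entry}' covers appliance FQDN '{fqdn}': remove it")
```

Run it with your appliance FQDN(s) and the entries from the Allowed Domains List; any pair it prints is a candidate for the fix described in this article (remove the entry). The label-boundary comparison matters: a naive string suffix test would wrongly flag "net.com" against "fortinac-app.fortinet.com".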

Sometimes the Persistent Agent logs show successful communication, but FortiNAC marks the host status as At Risk while the Persistent Agent icon shows the thunderbolt:


[Image: PA communication status.png]


When attempting to scan the host or send it a message, one of the following errors appears:

Error scanning host 'DESKTOP' Failed to find live (online+communicating) adapter in HostRecord. HRDBID:7580. Try Again In 10 Minutes. Wed Dec 22 12:29:20 GST 2022
or:
Error sending message host 'DESKTOP' Failed to find live (online+communicating) adapter in HostRecord. HRDBID:7580. Try Again In 10 Minutes. Wed Dec 22 12:29:41 GST 2022


To fix this, delete the domain entry from the Allowed Domains List. For instructions, see "Allowed domains" in the Administration Guide.

Related Articles

Technical Note: Asymmetrically routed packets are discarded with newer appliances