Troubleshooting Tip: Connection issues with the Fortinet Persistent Agent
Description
In certain cases FortiNAC does not show the Persistent Agent as connected, and the Agent does nothing on the endpoint.
This article describes how to troubleshoot and fix this issue.
Solution
There are several things to check for this kind of problem.
First, check general connectivity to the client:
- Does the client respond to ICMP echo requests (ping)?
- Is it possible to telnet to the client's IP on port 4568?
- Is any traffic seen between the Agent and FortiNAC?
Run these tests directly from the FortiNAC CLI. In this example the client IP is 172.16.31.48:
- ping 172.16.31.48
- telnet 172.16.31.48 4568
- tcpdump 'port 4568 and host 172.16.31.48'
One common problem is that a firewall on the client blocks the Agent's communication with FortiNAC.
Another is that the Agent contacts an incorrect address.
This can be verified with a packet capture on the client (for example with Wireshark) and in the registry under one of these paths:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Bradford Networks\Persistent Agent
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Bradford Networks\Persistent Agent (used by a 32-bit Agent on 64-bit Windows)
The 'homeServer' string must hold either an FQDN that resolves to the FortiNAC IP or the FortiNAC IP itself.
If connectivity is confirmed, check the Agent logs on the client for errors.
The Persistent Agent logs are located in C:\ProgramData\Bradford Networks\; the general.txt file gives more information about what is happening.
- Restart the Persistent Agent (or the whole workstation) and check what the logs report.
One common problem is the SSL (TLS) connection between the Agent and FortiNAC. It occurs when the client does not trust the certificate that signed the 'Portal SSL' certificate configured in the FortiNAC GUI, or when the name the Agent connects to (the registry 'homeServer' value) does not match the CN or a SAN of that certificate. This is visible in general.txt, for example:
2020-01-10 17:37:11 UTC :: SecureAgentTransportV1 constructor finished
adding KeyExpiredListener
2020-01-10 17:37:11 UTC :: Server: fortinac.forti.lab, tcp: 4568, udp: 4567
2020-01-10 17:37:11 UTC :: Host = fortinac.forti.lab
2020-01-10 17:37:11 UTC :: SSL_get_verify_result = 0
2020-01-10 17:37:11 UTC :: SSL Certificate verification result: ok
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:22
Signature Algorithm: sha256WithRSAEncryption
Issuer: DC=lab, DC=forti, CN=fortilab
Validity
....
X509v3 CRL Distribution Points:
Full Name:
URI:ldap:///CN=fortilab,DC=forti,DC=lab?certificateRevocationList?base?objectClass=cRLDistributionPoint
Authority Information Access:
CA Issuers - URI:ldap:///CN=fortilab,DC=forti,DC=lab?cACertificate?base?objectClass=certificationAuthority
1.3.6.1.4.1.311.20.2:
...W.e.b.S.e.r.v.e.r
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
Signature Algorithm: sha256WithRSAEncryption
35:bc:bb:18:4f:0b:ef:e1:22:59:08:d2:aa:6d:92:fa:0c:e0:
6b:66:be:ef:b7:84:2a:64:be:9a:ca:fe:41:79:f2:18:3a:b4
2020-01-10 17:37:11 UTC :: peer CommonName = NAC-NEW
2020-01-10 17:37:11 UTC :: SAN: nac.forti.lab
2020-01-10 17:37:11 UTC :: Checking Peer name fortinac.forti.local against Common or Subject-alternative-name entry NAC-lab
2020-01-10 17:37:11 UTC :: Peer name "fortinac.forti.lab" doesn't match "NAC-lab"
2020-01-10 17:37:11 UTC :: Checking Peer name fortinac.forti.local against Common or Subject-alternative-name entry nac.forti.lab
2020-01-10 17:37:11 UTC :: Peer name "fortinac.forti.lab" doesn't match "nac.forti.lab"
2020-01-10 17:37:11 UTC :: Refusing to connect to trust_DISTRUSTED fortinac.forti.local|NAC-lab
2020-01-10 17:37:11 UTC :: Connection failed! 1
To fix a trust problem, either replace the Portal SSL certificate with one issued by a CA the client already trusts, or export the signing certificate (also known as the issuing certificate) and import it on the client into the Trusted Root Certification Authorities store. Note that in the excerpt above the chain itself verified (SSL_get_verify_result = 0); the connection was refused because the homeServer name fortinac.forti.lab matches neither the certificate's CN (NAC-lab) nor its SAN (nac.forti.lab). In that case either set homeServer to a name that is present in the certificate's SAN, or reissue the Portal SSL certificate with a SAN for the FQDN the Agent is configured to use.
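The following script is an added example (not Fortinet code) that triages a general.txt excerpt like the one above and distinguishes the two TLS failure modes: a chain that the client does not trust (non-zero SSL_get_verify_result) versus a homeServer name that is not in the certificate's CN/SAN. The ARTICLE_EXCERPT lines are copied from the excerpt above; CONSTRUCTED_UNTRUSTED_CHAIN is a constructed variant that assumes the Agent prints a non-zero SSL_get_verify_result in the same format; the regular expressions are an assumption about the log layout and may need adjusting for other Agent versions.

```python
"""Triage a Persistent Agent general.txt excerpt for TLS / homeServer problems.

Added example, not Fortinet code. The regexes assume the log layout shown in
the article; adjust them if your Agent version logs differently.
"""
import re

# Copied from the article's general.txt excerpt (trimmed to the relevant lines).
ARTICLE_EXCERPT = """\
2020-01-10 17:37:11 UTC :: Server: fortinac.forti.lab, tcp: 4568, udp: 4567
2020-01-10 17:37:11 UTC :: Host = fortinac.forti.lab
2020-01-10 17:37:11 UTC :: SSL_get_verify_result = 0
2020-01-10 17:37:11 UTC :: SSL Certificate verification result: ok
2020-01-10 17:37:11 UTC :: peer CommonName = NAC-NEW
2020-01-10 17:37:11 UTC :: SAN: nac.forti.lab
2020-01-10 17:37:11 UTC :: Peer name "fortinac.forti.lab" doesn't match "NAC-lab"
2020-01-10 17:37:11 UTC :: Peer name "fortinac.forti.lab" doesn't match "nac.forti.lab"
2020-01-10 17:37:11 UTC :: Refusing to connect to trust_DISTRUSTED fortinac.forti.local|NAC-lab
2020-01-10 17:37:11 UTC :: Connection failed! 1
"""

# Constructed (not from the article): same layout, but the chain does not verify.
# 19 is OpenSSL's X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN (issuing CA not trusted).
CONSTRUCTED_UNTRUSTED_CHAIN = """\
2020-01-10 17:40:00 UTC :: Server: fortinac.forti.lab, tcp: 4568, udp: 4567
2020-01-10 17:40:00 UTC :: SSL_get_verify_result = 19
2020-01-10 17:40:00 UTC :: Connection failed! 1
"""

RE_SERVER = re.compile(r":: Server: (?P<host>\S+), tcp: (?P<tcp>\d+), udp: (?P<udp>\d+)")
RE_VERIFY = re.compile(r":: SSL_get_verify_result = (?P<code>\d+)")
RE_CN = re.compile(r":: peer CommonName = (?P<cn>\S+)")
RE_SAN = re.compile(r":: SAN: (?P<san>\S+)")
RE_MISMATCH = re.compile(r':: Peer name "(?P<peer>[^"]+)" doesn\'t match "(?P<name>[^"]+)"')
RE_FAILED = re.compile(r":: Connection failed!")


def peer_name_matches(peer_name, cert_names):
    """Host-name match as TLS clients do it (RFC 6125): case-insensitive,
    label by label, with at most one wildcard in the left-most label only."""
    peer = peer_name.lower().rstrip(".").split(".")
    for name in cert_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(peer):
            continue
        if labels[1:] == peer[1:] and labels[0] in ("*", peer[0]):
            return True
    return False


def triage_general_log(text):
    """Classify one connection attempt; returns the parsed facts plus a verdict."""
    r = {"home_server": None, "tcp": None, "udp": None, "verify_result": None,
         "cert_names": [], "mismatched": [], "failed": False, "failure": "ok"}
    for line in text.splitlines():
        if m := RE_SERVER.search(line):
            r["home_server"], r["tcp"], r["udp"] = m["host"], int(m["tcp"]), int(m["udp"])
        elif m := RE_VERIFY.search(line):
            r["verify_result"] = int(m["code"])
        elif m := RE_CN.search(line):
            r["cert_names"].append(m["cn"])
        elif m := RE_SAN.search(line):
            r["cert_names"].append(m["san"])
        elif m := RE_MISMATCH.search(line):
            r["mismatched"].append(m["name"])
        elif RE_FAILED.search(line):
            r["failed"] = True
    if r["verify_result"] not in (None, 0):
        r["failure"] = "chain_untrusted"   # chain rejected before any name check
    elif r["mismatched"]:
        r["failure"] = "name_mismatch"     # chain OK, homeServer not in CN/SAN
    elif r["failed"]:
        r["failure"] = "unknown"           # failed for a non-TLS reason
    return r


def remediation(r):
    """Next step for each verdict, in the terms the article uses."""
    if r["failure"] == "chain_untrusted":
        return (f"SSL_get_verify_result = {r['verify_result']}: the client does not trust the CA "
                "that signed the Portal SSL certificate; import the issuing CA into the client's "
                "Trusted Root Certification Authorities store or use a trusted certificate.")
    if r["failure"] == "name_mismatch":
        return (f"homeServer {r['home_server']!r} is not in the certificate's CN/SAN "
                f"{r['cert_names']}; set homeServer to a listed SAN or reissue the Portal SSL "
                "certificate with a SAN for that FQDN.")
    if r["failure"] == "unknown":
        return "Connection failed without a TLS cause logged; check the client firewall and tcpdump on FortiNAC."
    return "No TLS problem found in this excerpt."


if __name__ == "__main__":
    for label, log in (("article excerpt", ARTICLE_EXCERPT),
                       ("constructed untrusted chain", CONSTRUCTED_UNTRUSTED_CHAIN)):
        verdict = triage_general_log(log)
        print(f"{label}: {verdict['failure']} -> {remediation(verdict)}")
```

Paste the relevant lines of general.txt into a string and call triage_general_log on them; peer_name_matches lets you test a candidate homeServer value against the CN and SAN entries the log reports before touching the registry.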
Related link to the agent discovery process:
https://docs.fortinet.com/document/fortinac/8.3.0/administration-guide/257361/agent-server-discovery
The following administration guide section describes the Portal SSL settings, where the certificate used for the encrypted Agent communication is configured:
https://docs.fortinet.com/document/fortinac/8.5.2/administration-guide/333502/portal-ssl