Troubleshooting Tip: Entitlements not applied after installing subscription license key
Description
This article describes the causes behind an issue where entitlements are not applied after installing a subscription license key.
Symptoms:
- License Information Dashboard panel displays BASE level license.
- 'licensetool -key EFFECTIVE' CLI command displays BASE level license.
Scope
FortiNAC version 8.x, 9.x, F7.x.
Solution
description supportLevelDescription expirationDate
__________________________ _______________________ ______________
Telephone Support 24x7 2027-04-08
FortiNAC VM FortiNAC Pro 2024-04-08
IoT Detection Web/Online 2027-04-08
Vulnerability Management Web/Online 2027-04-08
Firmware & General Updates Web/Online 2027-04-08
Enhanced Support 24x7 2027-04-08
COMP 24x7 2027-04-08
Effective Count=500
Effective Level=PRO
- FortiNAC polls fds1.fortinet.com using TCP port 443. Ensure this port is allowed outbound to the internet from eth0. Refer to the Open Ports section of the Deployment Guide.
- Ensure the appliance can resolve the name fds1.fortinet.com.
- Verify entitlements are applied once the poll is successful. Type the following:
EFFECTIVE:
serial = FNVMCATMxxxxxxxxx
type = NetworkControlApplicationServer
level = BASE
count = 0
expiration = 0
expired = false
mac = <MAC address>
uuid = <UUID>
certificates = [xxxxxxxxxxxxxxxxxxx, xxxxxxxxxxxxxxxxxxxxx]
- Verify the key has certificates: The poll function uses the serial number to look up entitlements. To apply the entitlements, there is a certificate included in the key that must be present. Possible certificate related causes:
Certificate is missing:
- Example: certificates = []
- See Troubleshooting Tip: Certificates not included in license keys.
Certificates in the Key are not complete:
- Example: certificates = [xxxxxxxxxxxxxxxxxxx, xxxxxxxxxxxxxxxx]. The certificate will not be validated and entitlements will not be applied.
- The license key content may have been truncated during license installation.
- Re-download the key from the customer portal and re-install using the Administration UI. For instructions, see License management in the Administration Guide.
If copying and pasting the key content, ensure all characters have been copied.
To avoid the risk of truncation, upload the text file itself.
serial = FN5HCATAxxxxxxxx
type = NetworkControlApplicationServer
level = BASE
count = 0
expiration = 0
expired = false
mac = xx:xx:xx:xx:xx:xx
uuid = 00000000-0000-0000-0000-000000000000
<- There should be a certificate line here.
Additional debugging.
- Enable debugging. Use the following commands:
CentOS:
nacdebug -name EntitlementServer true
nacdebug -logger yams.FCPClient -level FINEST
FortiNAC -OS:
diagnose debug logger set finest yams.FCPClient
- Poll for entitlements
CentOS:
entitlementstool -poll
FortiNAC-OS:
diagnose entitlements -debug
- Collect logs.
Version 8.x:
grab-log-snapshot
Versions 9.x/F7.x: Use the Download logs option in the UI. For instructions, see Download logs in the Administration Guide.
- Disable logging.
CentOS:
nacdebug -logger yams.FCPClient
nacdebug -name EntitlementServer false
FortiNAC-OS:
diagnose debug logger unset yams.FCPClient
- Open a support ticket and include the following:
- FortiNAC version:
- 8.x: Help -> About.
- 9.x/7.x: Dashboard (System Summary widget).
- Troubleshooting steps taken.
- Version 8.x: Resulting .gz file from step 3 (located in /tmp).
Related articles:
Technical Note: UI does not list serial number or license entitlements.