- Review FortiGate configuration to verify Syslog messages are configured properly.
- Using tcpdump, confirm syslog messages are reaching the appliance when the client connects. In the appliance CLI, run the following command (press Ctrl-C to stop it):
  tcpdump -nni eth0 host <FortiGate IP modeled in Inventory> and port 514
  If syslog messages are not being received:
  - Confirm source-ip is configured correctly on the FortiGate. See KB article 193368.
  - Confirm UDP 514 is not being blocked in the network.
- If syslog is reaching the appliance, enable debugs (written to /bsc/logs/output.master):
  nacdebug -name FortinetVPN true
  nacdebug -name SyslogServer true
  tf /bsc/logs/output.master | grep -i "UserName"
- Have the client connect.
- Review output.master for syslog messaging that provides User ID, assigned endstation VPN IP address, and session information.
  Example of syslog output for a VPN login:
  - User ID (user): test
  - VPN IP (tunnelip): 172.16.196.10
  - Session information: subtype='vpn', action='tunnel-up'

  yams.SyslogServer FINER :: 2021-11-10 15:53:31:067 :: SyslogServer received: 10.12.240.5 <190>date=2021-11-10 time=16:53:30 devname="FGT-Core" devid="FG81EPTK18005296" eventtime=1636577610467479916 tz="-0500" logid="0101039947" type="event" subtype="vpn" level="information" vd="root" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" tunnelid=733830834 remip=10.12.102.18 tunnelip=172.16.196.10 user="test" group="Radius Servers" dst_host="N/A" reason="tunnel established" msg="SSL tunnel established"

  Key information in other syslog messages received:
  - subtype="vpn"
  - action="tunnel-up"
  - action="tunnel-down"
  - action="delete_phase1_sa"
  - action="negotiate"

  Note: Syslog messages with actions other than the above are dropped with message 'FortinetVpnPlugin.VPNSyslogListener failed to parse'.
- Review output.master for messaging that indicates syslog information was processed.
  Example of FortinetVPN debug successful output:
  yams INFO :: 2021-11-10 15:53:31:080 :: parseStr parsed FG81EPTK18005296 <-- FortiGate ID
  yams INFO :: 2021-11-10 15:53:31:080 :: parseStr parsed 0101039947 <----- logID.
  yams INFO :: 2021-11-10 15:53:31:080 :: parseStr parsed root <----- VDOM.
  yams INFO :: 2021-11-10 15:53:31:080 :: parseStr parsed ssl-tunnel
  yams INFO :: 2021-11-10 15:53:31:080 :: parseStr parsed 7
  yams INFO :: 2021-11-10 15:53:31:080 :: parseStr parsed 10.12.102.18
  yams INFO :: 2021-11-10 15:53:31:080 :: parseStr parsed 172.16.196.10 <----- endstation VPN IP.
  yams INFO :: 2021-11-10 15:53:31:080 :: parseStr parsed test <----- User ID.
- Once troubleshooting is complete, disable debugging:
  nacdebug -name FortinetVPN false
  nacdebug -name SyslogServer false

Contact Support for further assistance. Open a support ticket and provide the following:
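
The syslog fields and accepted actions described in the troubleshooting steps above can be checked offline against lines captured from output.master. The following is an added example, not FortiNAC code or part of the original article: `parse_fields` and `triage` are hypothetical helpers, the verdict names are illustrative, and the rule that a tunnel-up event needs both `user` and `tunnelip` is an assumption.

```python
import re

# Actions the page lists as key information; per the page, any other action is
# dropped with "FortinetVpnPlugin.VPNSyslogListener failed to parse".
ACCEPTED_ACTIONS = {"tunnel-up", "tunnel-down", "delete_phase1_sa", "negotiate"}
# FortiGate key=value pairs: a value is either "quoted" or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fields(line):
    """Return the key=value fields of one syslog line (prefix text is ignored)."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}

def triage(line):
    """Predict how a line fares against the checks described on the page.
    This is a model for triage, not FortiNAC's own parser."""
    f = parse_fields(line)
    result = {"action": f.get("action"), "user": f.get("user"),
              "tunnelip": f.get("tunnelip"), "verdict": "processed"}
    if f.get("subtype") != "vpn":
        result["verdict"] = "not-vpn"
    elif f.get("action") not in ACCEPTED_ACTIONS:
        result["verdict"] = "dropped"
    elif f["action"] == "tunnel-up" and not (f.get("user") and f.get("tunnelip")):
        # Assumption: a usable login event needs both the user ID and the VPN IP.
        result["verdict"] = "incomplete"
    return result

# Payload of the tunnel-up message shown on the page (shortened to the key fields).
PAGE_LINE = ('SyslogServer received: 10.12.240.5 <190>date=2021-11-10 time=16:53:30 '
             'devname="FGT-Core" type="event" subtype="vpn" logdesc="SSL VPN tunnel up" '
             'action="tunnel-up" tunneltype="ssl-tunnel" remip=10.12.102.18 '
             'tunnelip=172.16.196.10 user="test" group="Radius Servers"')
# Constructed lines (not from the page): an unlisted action, and a login with no tunnelip.
OTHER_ACTION = '<190>type="event" subtype="vpn" action="example-other-action" user="test"'
NO_TUNNEL_IP = '<190>type="event" subtype="vpn" action="tunnel-up" user="test"'

if __name__ == "__main__":
    for sample in (PAGE_LINE, OTHER_ACTION, NO_TUNNEL_IP):
        print(triage(sample))
```

A "dropped" verdict corresponds to the 'failed to parse' message noted above, so such lines in output.master do not by themselves indicate a fault.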