rzanella
Explorer
October 1, 2024
Solved

Persistent agent doesn't communicate with FortiNAC

  • 4 replies
  • 7032 views

Hi, I'm configuring my first FortiNAC.
I manually installed the Persistent agent on a test PC (OS Windows 11), according to the instructions found in https://community.fortinet.com/t5/FortiNAC/Technical-Tip-Manually-install-and-configure-Persistent-Agent-on/ta-p/191164
It seems that the agent does not communicate with the FortiNAC.
From the PC, telnet to eth1 of the FortiNAC on port 4568 is OK.
In the %ProgramData%\Bradford Networks folder I do not find any log files. As suggested, I reinstalled the client but without success.

 

The icon of the Persistent agent says: Network access normal. The PC is viewed as rogue.

 

Could you help me?

 

Thanks in advance.

Best answer by AEK

On the client, open regedit and go to the following path:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Bradford Networks\Persistent Agent

Is the value homeServer the same as the FortiNAC server FQDN or IP?

And does the certificate that you installed on the FortiNAC server for agent communication have a CN that is the same as the value defined in the above homeServer key?
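
Added example, not part of AEK's answer or of Fortinet's tooling: a PowerShell check, run on the client, that reads homeServer from the key above and compares it with the CN of the certificate presented on port 4568. It assumes the agent port speaks TLS directly; it also lists subjectAltName entries and tests whether the client trusts the issuing CA, which goes slightly beyond the CN comparison in the answer.

```powershell
# Added example. Assumption: the FortiNAC agent port (TCP 4568) speaks TLS directly.
$ErrorActionPreference = 'Stop'
$key  = 'HKLM:\SOFTWARE\Policies\Bradford Networks\Persistent Agent'
$port = 4568

# 1. The server name the agent is configured to contact.
$homeServer = (Get-ItemProperty -Path $key -Name homeServer).homeServer

# 2. Fetch the certificate presented on the agent port. The callback accepts any
#    certificate so that it can be inspected; trust is evaluated in step 4.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($homeServer, $port)
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl  = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($homeServer)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
} finally {
    $tcp.Close()
}

# 3. Names carried by the certificate: subject CN and subjectAltName (OID 2.5.29.17).
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$cn       = $cert.GetNameInfo($nameType, $false)
$sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanNames = @()
if ($sanExt) {
    # Windows formats the extension as "DNS Name=host, IP Address=x.x.x.x"
    $sanNames = $sanExt.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[1] }
}

# 4. Does this client trust the issuing CA? Revocation is skipped so that an
#    unreachable CRL is not mistaken for a missing root or intermediate.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$trusted = $chain.Build($cert)

[pscustomobject]@{
    HomeServer    = $homeServer
    CertificateCN = $cn
    SanNames      = $sanNames -join ', '
    CnMatches     = ($cn -ieq $homeServer)
    SanMatches    = ($sanNames -contains $homeServer)
    ChainTrusted  = $trusted
    ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    NotAfter      = $cert.NotAfter
}
```

The comparison is an exact, case-insensitive match, so a wildcard certificate reports `False` for both match fields even when it would cover the name.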

4 replies

ebilcari
Staff
October 1, 2024

Which agent version are you installing, and does the user have admin rights in Windows? Having an empty log folder seems like the service is not running with the appropriate permissions. Is the service in a running state?

Emirjon
rzanella
Author
Explorer
October 1, 2024

Hi,

The agent version is 9.4.0.93. It was installed using a local user with administrative rights. And the service is in a running state.

ebilcari
Staff
October 1, 2024

There have been no similar issues reported for this agent version. You can try to install one of the recent versions of PA to see if there is a difference.

  • agent-9.4.1.98.jar 2023-03-23
  • agent-9.4.2.99.jar 2023-08-23
  • agent-9.4.3.100.jar 2023-09-29
  • agent-9.4.4.105.jar 2024-04-08

Also check if there is any installed antivirus that may prevent the service from running.

Emirjon
AEK
SuperUser
October 2, 2024

Hello

You can also check the following.

  • On the FNAC server, using tcpdump, check if you are receiving traffic on port 4568 from the agent
  • On the FNAC server, check if you installed a certificate (for agent communication) signed by your CA, which is trusted by your client
AEK
rzanella
Author
Explorer
October 2, 2024

Hi,
On the FNAC server I gave the command tcpdump -i eth1 port 4568.
On the PC I first restarted the service and then the PC itself without seeing anything.
From the PC I then telnetted to port 4568 and the session was successful.

> tcpdump -i eth1 port 4568
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
15:13:23.299346 IP prcp19-111.mydomain.com.63586 > isolation.mydomain.com.bmc-reporting: Flags [S], seq 837294100, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:13:23.299380 IP isolation.mydomain.com.bmc-reporting > prcp19-111.mydomain.com.63586: Flags [S.], seq 2322422253, ack 837294101, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:13:23.300158 IP prcp19-111.mydomain.com.63586 > isolation.mydomain.com.bmc-reporting: Flags [.], ack 1, win 1026, length 0
15:13:43.760751 IP prcp19-111.mydomain.com.63586 > isolation.mydomain.com.bmc-reporting: Flags [P.], seq 1:2, ack 1, win 1026, length 1
15:13:43.760785 IP isolation.mydomain.com.bmc-reporting > prcp19-111.mydomain.com.63586: Flags [.], ack 2, win 229, length 0
15:13:44.930021 IP prcp19-111.mydomain.com.63586 > isolation.mydomain.com.bmc-reporting: Flags [P.], seq 2:4, ack 1, win 1026, length 2
15:13:44.930045 IP isolation.mydomain.com.bmc-reporting > prcp19-111.mydomain.com.63586: Flags [.], ack 4, win 229, length 0
15:13:45.117340 IP prcp19-111.mydomain.com.63586 > isolation.mydomain.com.bmc-reporting: Flags [P.], seq 4:6, ack 1, win 1026, length 2
15:13:45.117362 IP isolation.mydomain.com.bmc-reporting > prcp19-111.mydomain.com.63586: Flags [.], ack 6, win 229, length 0
15:13:45.117832 IP isolation.mydomain.com.bmc-reporting > prcp19-111.mydomain.com.63586: Flags [F.], seq 1, ack 6, win 229, length 0
15:13:45.119538 IP prcp19-111.mydomain.com.63586 > isolation.mydomain.com.bmc-reporting: Flags [.], ack 2, win 1026, length 0
15:13:45.119968 IP prcp19-111.mydomain.com.63586 > isolation.mydomain.com.bmc-reporting: Flags [F.], seq 6, ack 2, win 1026, length 0
15:13:45.119980 IP isolation.mydomain.com.bmc-reporting > prcp19-111.mydomain.com.63586: Flags [.], ack 7, win 229, length 0

fonilgo2
New Member
October 2, 2024

FortiNAC is great, but if you're an MSP, be prepared to hire or contract someone specifically for the deployment and support. It's very granular and there is no "one size fits all". It's a product I have had in my test lab for over a year and I still have not fully mastered its deployment in a streamlined fashion.

ndumaj
Staff
October 7, 2024

Hello,

The Persistent Agent Guide should help you; it is really detailed for diverse persistent agent deployment scenarios.

BR