dupcu
Visitor III
June 4, 2024
Solved

VM Fortimanager Spoke Probe Failed


Hi,

 

I get errors when I want to add a device to FortiManager.
The devices are on the same network and have ICMP access to each other. All outputs are as follows. Why am I getting errors? Can you help me?

 

sniffer.png

 

error1.png error2.png

Manager #
Request [dvm/cmd:dvm/cmd/discover/device ...:5825:2]: { "client": "dvm\/cmd:dvm\/cmd\/discover\/device ...:5825", "id": 2, "method": "exec", "params": [{ "data": { "host": "192.168.1.17", "passwd": "******", "usr": "admin"}, "target start": 1, "url": "probe\/device"}], "root": "deployment", "session": -1}
Chkperm
Response [dvm/cmd:dvm/cmd/discover/device ...:5825:2]: { "id": 2, "result": [{ "status": { "code": 0, "message": "OK"}, "url": "probe\/device"}], "session": -1}
start_dmsvc_probe_device,788: dev_oid=0, host=192.168.1.17, flags=0x0
__enter_state,440: dev_oid=0, start check_reachable
Start probe_dev.check_reachable ...
__on_state,446: dev_oid=0, check_reachable, done, events=16 r=0
__enter_state,440: dev_oid=0, start start_probe_session
Request [dmserver:885:8]: { "client": "dmserver:885", "id": 8, "method": "exec", "params": [{ "data": { "detect_only": 0, "force_probe": 0, "ip": "192.168.1.17", "passwd": "******", "usr": "admin"}, "url": "start\/probe\/session"}], "root": "fgfm"}
Start probe_dev.start_probe_session ...
Response [unknown]: { "id": 8, "result": [{ "status": { "code": 1, "message": "internal error"}, "url": "start\/probe\/session"}]}
__on_state,446: dev_oid=0, start_probe_session, done, events=8 r=0
__fgfm_cb,619: error: probe_status=1, proto=1
__p_o_cleanup,548: cleanup...
__p_finish,539: status=-15, has_devinfo=0
Response [dvm/cmd:dvm/cmd/discover/device ...:5825:2]: { "id": 2, "result": [{ "status": { "code": -35007, "message": "Fgfm protocol error"}, "url": "probe\/device"}]}
__o_cleanup,119: fgfm probe cleanup...

Request [dvm/cmd:dvm/cmd/discover/device ...:5966:2]: { "client": "dvm\/cmd:dvm\/cmd\/discover\/device ...:5966", "id": 2, "method": "exec", "params": [{ "data": { "host": "192.168.1.17", "passwd": "******", "usr": "admin"}, "target start": 1, "url": "probe\/device"}], "root": "deployment", "session": -1}
Chkperm
Response [dvm/cmd:dvm/cmd/discover/device ...:5966:2]: { "id": 2, "result": [{ "status": { "code": 0, "message": "OK"}, "url": "probe\/device"}], "session": -1}
start_dmsvc_probe_device,788: dev_oid=0, host=192.168.1.17, flags=0x0
__enter_state,440: dev_oid=0, start check_reachable
Start probe_dev.check_reachable ...
__on_state,446: dev_oid=0, check_reachable, done, events=16 r=0
__enter_state,440: dev_oid=0, start start_probe_session
Request [dmserver:885:9]: { "client": "dmserver:885", "id": 9, "method": "exec", "params": [{ "data": { "detect_only": 0, "force_probe": 0, "ip": "192.168.1.17", "passwd": "******", "usr": "admin"}, "url": "start\/probe\/session"}], "root": "fgfm"}
Start probe_dev.start_probe_session ...
Response [unknown]: { "id": 9, "result": [{ "status": { "code": 1, "message": "internal error"}, "url": "start\/probe\/session"}]}
__on_state,446: dev_oid=0, start_probe_session, done, events=8 r=0
__fgfm_cb,619: error: probe_status=1, proto=1
__p_o_cleanup,548: cleanup...
__p_finish,539: status=-15, has_devinfo=0
Response [dvm/cmd:dvm/cmd/discover/device ...:5966:2]: { "id": 2, "result": [{ "status": { "code": -35007, "message": "Fgfm protocol error"}, "url": "probe\/device"}]}
__o_cleanup,119: fgfm probe cleanup...

 

Regards,

Umit.

2 replies

jiahoong112
Staff
June 4, 2024

To start off, please follow this troubleshooting guide for Fortigate-FortiManager connections: https://community.fortinet.com/t5/FortiManager/Troubleshooting-Tip-How-to-troubleshoot-connectivity-issues/ta-p/192593 

From your sniffer packet snippet, I can see that the traffic from Fortigate is egressing port1. Assuming that port1 is the interface that you reach FortiManager with, please ensure that you have 'FMG-Access' enabled in the port configuration's Administrative Access. 

dupcu (Author)
Visitor III
June 4, 2024

Hi,

 

The outputs are as follows.

The problem persists.

------------------------------------------------------------

 

Spokee # execute telnet 192.168.1.18 541
Trying 192.168.1.18...
Connected to 192.168.1.18.

Spokee # diagnose fdsm central-mgmt-status
Connection status: Down
Registration status: Unknown
Serial:

Spokee # 20  2024-06-04 10:55:22 FGFMs: client:send: get ip serialno=FGVMEVN7VT1RL55D mgmtid=757398627 platform=FortiGate-VM64 fos_ver=700 minor=0 patch=15 build=632 branch=632 maxvdom=1 fg_ip=192.168.1.17 hostname=Spokee harddisk=yes biover=04000002 harddisk_size=30720 logdisk_size=30235 mgmt_mode=normal enc_flags=0 first_fmgid=     probe_mode=yes vdom=root intf=port1
2024-06-04 10:55:22 FGFMs: serial no FMG-VMTM24008871 saved to FMG detect file
2024-06-04 10:55:23 FGFMs: Cleanup session 0xffceab0, 192.168.1.18.
2024-06-04 10:55:23 FGFMs: Destroy session 0xffceab0, 192.168.1.18.
2024-06-04 10:55:23 FGFMs: Create session 0xffceab0.
2024-06-04 10:55:23 FGFMs: setting session 0xffceab0 exclusive=0
2024-06-04 10:55:23 FGFMs: Connect to 192.168.1.18:541, local 192.168.1.17:1410.
2024-06-04 10:55:23 FGFMs: set_fgfm_sni SNI<support.fortinet-ca2.fortinet.com>
2024-06-04 10:55:23 FGFMs: Load Cipher [ALL:!RC4:!EXPORT:@STRENGTH]
2024-06-04 10:55:23 FGFMs: Cleanup session 0xffceab0, 192.168.1.18.
2024-06-04 10:55:23 FGFMs: Destroy session 0xffceab0, 192.168.1.18.
2024-06-04 10:55:23 FGFMs: __detect_fmg_create: start a new detect request(192.168.1.18)
2024-06-04 10:55:23 FGFMs: Create session 0xffcafe0.
2024-06-04 10:55:23 FGFMs: setting session 0xffcafe0 exclusive=0
2024-06-04 10:55:23 FGFMs: Connect to 192.168.1.18:541, local 192.168.1.17:6215.
2024-06-04 10:55:23 FGFMs: set_fgfm_sni SNI<support.fortinet-ca2.fortinet.com>
2024-06-04 10:55:23 FGFMs: Load Cipher [ALL:!RC4:!EXPORT:@STRENGTH]
2024-06-04 10:55:23 FGFMs: __handle_detect_fmg_req: detect session doesn't exist, start a new one
2024-06-04 10:55:23 FGFMs: before SSL initialization
2024-06-04 10:55:23 FGFMs:       CA to broadcast: subject fortinet-subca2003, issuer fortinet-ca2
2024-06-04 10:55:23 FGFMs:       CA to broadcast: subject support, issuer support
2024-06-04 10:55:23 FGFMs:       CA to broadcast: subject fortinet-ca2, issuer fortinet-ca2
2024-06-04 10:55:23 FGFMs:       CA to broadcast: subject fortinet-subca2001, issuer fortinet-ca2
2024-06-04 10:55:23 FGFMs: Broadcast 4 CA subject names to FMG
2024-06-04 10:55:23 FGFMs: SSLv3/TLS write client hello
2024-06-04 10:55:23 FGFMs: [__get_error:1052] error=5, errno=104,Connection reset by peer.
2024-06-04 10:55:24 FGFMs: Cleanup session 0xffcafe0, 192.168.1.18.
2024-06-04 10:55:24 FGFMs: Destroy session 0xffcafe0, 192.168.1.18.
2024-06-04 10:55:25 FGFMs: __detect_fmg_destroy_internal: send detect fmg resp for 192.168.1.18 to client
2024-06-04 10:55:25 FGFMs: __send_detect_fmg_response: sending detect fmg response to client succeeded
2024-06-04 10:55:25 FGFMs: __remove_detect_fmg: Removing detect fmg service
2024-06-04 10:55:25 FGFMs: Destroy stream_svr_obj

 

manager.png spoke fmg.png spoke.png

smkml (Answer)
Staff
June 5, 2024

Hi Umit,

 

If your FMG CLI is able to enable the configuration below, please enable it.

#config system global
#set fgfm-peercert-withoutsn enable
#end

While adding the device from FMG, in your FGT CLI, please run the command below:

#exec central-mgmt register-device <FMG S/N> <password>
 

dupcu (Author)
Visitor III
June 6, 2024

Hi,

Thank you for your help.
The set fgfm-peercert-withoutsn enable command solved my problem.
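
Added example (not part of the thread and not Fortinet code): a small Python triage of the FortiGate-side FGFM debug output posted above, reporting where each connection attempt to the FortiManager stopped. The sample lines are excerpted from that post; the function names and verdict strings are assumptions made for this illustration.

```python
import re

# Excerpt of the FortiGate-side FGFM debug lines posted in the thread.
SAMPLE = """\
2024-06-04 10:55:23 FGFMs: Connect to 192.168.1.18:541, local 192.168.1.17:1410.
2024-06-04 10:55:23 FGFMs: Load Cipher [ALL:!RC4:!EXPORT:@STRENGTH]
2024-06-04 10:55:23 FGFMs: Cleanup session 0xffceab0, 192.168.1.18.
2024-06-04 10:55:23 FGFMs: Connect to 192.168.1.18:541, local 192.168.1.17:6215.
2024-06-04 10:55:23 FGFMs: before SSL initialization
2024-06-04 10:55:23 FGFMs: SSLv3/TLS write client hello
2024-06-04 10:55:23 FGFMs: [__get_error:1052] error=5, errno=104,Connection reset by peer.
2024-06-04 10:55:24 FGFMs: Cleanup session 0xffcafe0, 192.168.1.18.
"""

LINE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d FGFMs: (.*)$")
CONNECT = re.compile(r"Connect to (\S+):(\d+), local")
TLS_STEP = re.compile(r"SSLv3/TLS (read|write) (.+)")
ERROR = re.compile(r"\[__get_error:\d+\] error=(\d+), errno=(\d+)")


def verdict(attempt):
    """Map the last observed stage plus errno to a triage hint (wording is ours)."""
    if attempt["errno"] is None:
        return "no error logged"
    if attempt["last_tls_step"] is None:
        return "failed before TLS: check routing, port 541 and FMG-Access"
    if attempt["errno"] == 104 and attempt["last_tls_step"] == "write client hello":
        return "peer reset after ClientHello: check FMG-side certificate policy"
    return "TLS handshake error"


def classify(text):
    """Return one dict per 'Connect to' attempt found in the debug output."""
    attempts, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # prompts, command echoes and non-FGFM lines are ignored
        msg = m.group(1)
        if (c := CONNECT.search(msg)):
            cur = {"peer": c.group(1), "port": int(c.group(2)),
                   "last_tls_step": None, "errno": None}
            attempts.append(cur)
        elif cur and (t := TLS_STEP.search(msg)):
            cur["last_tls_step"] = f"{t.group(1)} {t.group(2)}"
        elif cur and (e := ERROR.search(msg)):
            cur["errno"] = int(e.group(2))
    for a in attempts:
        a["verdict"] = verdict(a)
    return attempts
```

For the posted log this reports a reset by the peer immediately after the ClientHello, which points at a handshake policy on the FortiManager rather than at reachability, consistent with the fgfm-peercert-withoutsn change that resolved the thread. That setting makes FortiManager accept FGFM peer certificates that carry no serial number, so record where it is enabled.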