Sadhi_Jayz
Explorer
June 17, 2025
Solved

ZTNA Policy Denied: Error Code: 066 - No Device Info Found

  • June 17, 2025
  • 1 reply
  • 2292 views

 

Hi Fortinet Community,

 

I'm currently using FortiClient EMS 7.4 and FortiGate running FortiOS 7.4. When I try to access a server located in the DMZ using ZTNA access policies with ZTNA tags, I receive the following error:

 

[image: FCEMS.drawio.png]

[image: x.png]

Despite this, everything seems fine on the FortiGate side:

  1. The ZTNA tags are successfully synced from EMS.
  2. The relevant endpoint appears under the correct tag in the FortiGate.
  3. Running diagnostics shows that the endpoint is recognized and tagged appropriately.
  4. The "diagnose endpoint ec-shm list" command correctly shows the endpoint info.

[image: Screenshot (106).png]

I can't identify where the issue is happening—whether it's on the client, EMS, or FortiGate.

 

Has anyone encountered this issue or have suggestions on what else I should check?

 

Appreciate any help or guidance from the community!

 

Thanks.


1 reply

atakannatak
Explorer
June 18, 2025

Hi @Sadhi_Jayz ,

 

Error 066 (“No device information found”) indicates the FortiGate did not receive the endpoint-identity header from FortiClient, so it cannot match the HTTPS request to a device record and therefore denies the ZTNA policy. The FortiClient agent is not injecting the header—most often because the ZTNA connection rule (FQDN/port) does not match the URL the user is accessing, the ZTNA certificate pairing is broken, or the client is not in a “ZTNA Connected” state.

 

https://docs.fortinet.com/document/fortigate/7.6.0/ztna-reference-guide/25473/error-codes-and-replacement-messages

 

The following debug commands can be used for further analysis:

 

  • diagnose endpoint record list <client-IP>

 

To see whether the device record or tag updates arrive, run real-time fcnacd debugs:

 

  • diagnose debug application fcnacd -1
  • diagnose debug enable

 

Troubleshoot WAD in real time to see how the proxy handles client requests:

 

  • diagnose wad debug enable category all
  • diagnose wad debug enable level verbose
  • diagnose debug enable

 

Once we have the captured output, we can trace exactly how wad handled each request and pinpoint the root cause.

 

BR.

 

If my answer provided a solution for you, please mark the reply as the solution so that others can find it easily when searching for similar scenarios.

 

CCIE #68781

Sadhi_Jayz (author, accepted answer)
Explorer
June 19, 2025

Hi @atakannatak ,

 

I have identified the issue.

 

[image: Untitled.png]

 

I had previously installed a custom EMS CA certificate (ZTNA). After removing it and reverting to the default certificate, ZTNA access started working as expected.

 

Best regards.

Sadhi
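The error description in the reply above and the accepted fix come down to one check: the FortiGate reads the device identity from the client certificate that FortiClient presents, and it can only do that when the certificate chains to the ZTNA CA the gateway trusts. Swapping the EMS CA for a custom one breaks that chain for certificates issued under the default CA. The script below is an added illustration written for this page, not Fortinet code and not any of the commands posted in the thread. It uses openssl to build an "EMS default" CA, a client certificate issued by it and a second "custom" CA, then shows that identity extraction succeeds against the issuing CA and fails against the other. The CA names, the certificate subjects, the temporary directory and the function name ztna_device_info are assumptions; the FortiGate's actual device-record lookup and EMS's real certificate layout are not modelled.

```shell
#!/bin/sh
# Added illustration for this page, not Fortinet code: shows why a client
# certificate issued by one ZTNA CA yields "no device info" when the gateway
# trusts a different CA. All names and subjects below are assumptions.
set -e

WORK="$(mktemp -d)"      # left in place so the generated files can be inspected
cd "$WORK"

# Two CAs: the EMS default ZTNA CA and a "custom" CA that replaced it.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
  -subj "/CN=EMS default ZTNA CA" -keyout ems-ca.key -out ems-ca.crt 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
  -subj "/CN=Custom ZTNA CA" -keyout custom-ca.key -out custom-ca.crt 2>/dev/null

# A client certificate issued by the EMS default CA. The subject is a
# constructed placeholder, not the real layout EMS uses for endpoints.
openssl req -newkey rsa:2048 -nodes -subj "/CN=endpoint-uid-example" \
  -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA ems-ca.crt -CAkey ems-ca.key \
  -CAcreateserial -days 1 -sha256 -out client.crt 2>/dev/null

# ztna_device_info TRUSTED_CA CLIENT_CERT
# Prints the certificate subject (standing in for the device identity) and
# returns 0 only if CLIENT_CERT chains to TRUSTED_CA. Otherwise it prints a
# diagnostic on stderr and returns 1: the situation behind error 066.
ztna_device_info() {
  ca="$1"; cert="$2"
  if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    openssl x509 -in "$cert" -noout -subject
    return 0
  fi
  echo "no device info: $cert does not chain to $(openssl x509 -in "$ca" -noout -subject)" >&2
  return 1
}

# Gateway trusts the issuing CA: the identity is readable.
ztna_device_info ems-ca.crt client.crt

# Gateway trusts the custom CA instead: verification fails, no identity.
if ztna_device_info custom-ca.crt client.crt; then
  echo "unexpected: custom CA accepted the client certificate"
fi
```

The second call is the state the thread describes: tags sync and the endpoint record exists, but the certificate the client presents cannot be tied to that record because the trust anchor changed. Reverting to the CA that actually issued the client certificates, as in the accepted answer, restores the chain.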