Description | This article describes how to resolve Queued logs on a FortiAnalyzer VM due to a wrong license for FortiAnalyzer on the FortiGate. |
Scope | FortiAnalyzer VM. |
Solution |
Note: In some scenarios, the output of the command above may show the serial of FortiAnalyzer as 'FAZ-VM000000001'
In the CLI:
Check the Cached logs before and after applying the license as below:
Advanced commands to check connectivity:
Analyzing OFTPD application debugging on the FortiAnalyzer:
diagnose debug application oftpd 8 10.109.52.211 -> FGT- IP Address oftpd debug filter: ip==10.109.52.211
diagnose debug enable
After, select Test Connectivity under the Log Setting of the FortiGate GUI, or run the command 'diag log test' from the FGT CLI. The user should see packets received and sent from both devices.
A successful attempt will display 'Login Request' messages:
[OFTP_try_accept_SSL_connection:1705 10.109.52.211] SSL_accept one client SUCCESS [ protocol : (772) TLS 1.3 ] [OFTP_try_accept_SSL_connection:1734 10.109.52.211] SSL socket[24] pid[975] ssl[0x7f4e5c085010] SSL_accepted [OFTP_recv_SSL_packet:1779 10.109.52.211] SSL socket[24] pid[975] ssl[0x7f4e5c085010] received [12] bytes: [OFTP_recv_SSL_packet:1779 10.109.52.211] SSL socket[24] pid[975] ssl[0x7f4e5c085010] received [474] bytes: [oftpd_handle_session:3613 10.109.52.211] handle LOGIN_REQUEST_LEGACY (2) [_login_get_other_opt:2521 10.109.52.211] host = 'FGT-Wempy_30' [_login_get_other_opt:2550 10.109.52.211] Version: FortiGate-VM64 v6.4.7,build1911,210825 (GA) Virus-DB: 89.07394(2021-12-02 04:20) IPS-DB: 6.00741(2015-12-01 02:30) APP-DB: 18.00199(2021-11-18 01:19) Industrial-DB: 18.00197(2021-11-16 01:27) Serial-Number: FGVM01TM21001063 Virtual domain configuration: disable Current HA mode: standalone Current HA group: [__fill_dev_ext_info:559 10.109.52.211] ha_group_name:, ha_mode:0. [_login_get_other_opt:2526 10.109.52.211] vdom = 1 [OFTP_send_SSL_packet:1839 FGVM01TM21001063] SSL socket[24] pid[975] ssl[0x7f4e5c085010] sent [24] bytes: [_login_send_ack:2631 FGVM01TM21001063] login succeed [OFTP_recv_SSL_packet:1779 FGVM01TM21001063] SSL socket[24] pid[975] ssl[0x7f4e5c085010] received [12] bytes:
In the FortiGate CLI:
It is recommended to enable the following command to see the Keepalives being sent to the FortiAnalyzer:
diagnose debug application miglogd 6 Debug messages will be on for 3 minutes.
diagnose debug enable
<239> _build_keep_alive_usage_pkt()-718: Pushed keepalive packet to queue for global-faz. <171> _build_keep_alive_usage_pkt()-718: Pushed keepalive packet to queue for global-faz. <239> _build_keep_alive_usage_pkt()-718: Pushed keepalive packet to queue for global-faz. di<171> _build_keep_alive_usage_pkt()-718: Pushed keepalive packet to queue for global-faz.
Disable the debugging with the following command: diagnose debug disable
For further analysis, share the output of the following commands from both the FortiAnalyzer and FortiGate sides and share it with TAC:
execute tac report
Note: Ensure that FortiGate imports the CA certificate that signed the custom server certificate on FortiAnalyzer when FIPS-CC mode is enabled on FortiGate.
Related article: Troubleshooting Tip: FortiGate to FortiAnalyzer connectivity |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.