Description
This article describes which information to provide to Technical Support when opening a FortiAuthenticator support case for technical issues to expedite troubleshooting.
Scope
All versions of FortiAuthenticator.
Solution
When opening a FortiAuthenticator case for any kind of technical issue, TAC support will usually request some general debug information to start troubleshooting.
Providing the following information when opening a FortiAuthenticator support case can expedite troubleshooting significantly.
1. Configuration Backup.
A FortiAuthenticator backup can be taken from GUI or CLI.
However, this is not immediately useful to Technical Support.
To ensure Technical Support can restore the backup in a lab and view all configuration items, proceed as follows when generating a backup for a support case:
- Add a local admin user to the FortiAuthenticator with all access permissions.
- Note username and password (support/fortinet for example).
- Take the backup.
- Delete the local user from the FortiAuthenticator again.
When uploading the backup, include the username and password of the added local admin as a ticket comment.
2. Log Files and screenshots.
If any error messages are observed in log messages, or crashes encountered in GUI, download those logs (from Logs -> Log Access -> Raw Logs) or take screenshots and attach these as well. If possible, include detailed steps on how the error messages were triggered.
3. Debug report.
A complete debug report (which can be decrypted by Technical Support) can be downloaded from Logs -> Log Access, by selecting the 'Debug Report' button at the top.
The arrow next to it provides a drop-down menu that allows for downloading individual sections of the debug report.
These individual sections can be useful in instances where the error and its source are clearly defined and limited; in all other circumstances, the full debug report is preferable.
4. Files from the /debug URL.
FortiAuthenticator provides access to detailed debug logs at the URL https://<Fortiauthenticator>/debug.
If any error messages possibly related to the issue at hand are found here (there is a drop-down menu in the upper left to navigate through sections), then these logs can be downloaded and attached to the support case as well.
As of FortiAuthenticator OS 6.5, debugging is switched off or on an info level.
Before reproducing an issue, debugging needs to be enabled or a level raised where available. Not all debug sections have it.
For instance, Radius debug can be enabled by selecting 'Enter debug mode'.
It can be disabled by toggling the mode before then selecting 'Exit debug mode'.
https://<Fortiauthenticator>/debug/radius
GUI debug, set Log level: to debug
https://<Fortiauthenticator>/debug/gui
Once the issue has been reproduced, change the debug mode/level to the previous state.
5. Packet capture.
If the issue is suspected to involve FortiAuthenticator communicating with either authentication clients (like a FortiGate), or authentication servers (RADIUS, LDAP etc), a packet capture can help in determining if there are communication issues and, if so, what form they take.
FortiAuthenticator allows taking a capture in the GUI (under System -> Network -> Packet Capture), but this does not currently (as of March 2021) allow for any filtering, and so will often contain a lot of noise.
More narrow, filtered captures may be taken through the CLI with these commands:
execute tcpdump <-parameters> <filter>
As an example:
execute tcpdump –c100 –nnvvi any host 10.0.0.1 and port 389
This will dump the output in the CLI and decode it if the protocol is well known, such as RADIUS or LDAP.
execute tcpdumpfile <-parameters> <filter>
As an example:
execute tcpdumpfile –c100 –i any host 10.0.0.1 and port 389
This will write the output to a PCAP file which may be downloaded from https://<Fortiauthenticator>/debug/ by scrolling to the bottom of the drop-down menu (or debug/pcap-dump/).
Include any other details that may be useful in illustrating the issue, such as:
- A network diagram.
- Information from previous tickets (if there were any).
- Debug gathered from infrastructure surrounding the FortiAuthenticator (such as FortiGate VPN or authentication debug, or FSSO log files).
Related articles:
Technical Tip: How to run a packet capture with FortiAuthenticator.
