Description
This article provides information on how to prevent the 'Probe failed' error which sometimes appears while adding a FortiGate to FortiManager.
Scope
FortiGate, FortiManager.
Solution
The generic 'Probe Failed' message may appear for multiple different reasons or during different occasions, including the following:
- The FortiGate to be added is already present on FortiManager as unregistered.
- The admin credentials used to add the unit are incorrect.
- The 'fgfm-access' is not enabled on 'mgmt' interface.
- Connectivity problems are preventing the FortiManager from reaching the FortiGate.
- FortiManager cannot validate FortiGate's SN
- The FortiOS version on the FortiGate is not supported by the FortiManager
Check the following to prevent the error from occurring:
- The FortiGate has to be registered in the support portal.
- Enable the 'fgfm-access' on connecting interface and has to be disabled from other unused interfaces.
- The FortiManager IP has to be correctly mentioned.
- Set the 'enc-algorithm' from default to high on the FortiGate.
An SSL connection can be configured between the two units and an encryption level can be selected.
Use the following CLI commands to configure the connection:
config system central-management
set enc-algorithm {default | high | low}
end
The default encryption automatically sets high and medium encryption algorithms.
The algorithms used for high, medium, and low follow open SSL definitions:
- High: key lengths larger than 128 bits, and some cipher suites with 128-bit keys.
- Medium: key strengths of 128 bit encryption.
- Low: key strengths of 64 or 56 bit encryption algorithms, excluding export cipher suites.
Additionally, it is recommended to check the following debug logs on the FortiManager side:
diagnose debug reset
diagnose debug disable
diagnose debug application depmanager 0
diagnose debug application depmanager 255
diagnose debug enable
Next, check if adding the FortiGate to FortiManager is possible and authorize the unit on FortiManager.
If the issue still persists, restart the 'fgfm process' to test.
exe fgfm reclaim-dev-tunnel <device_name> <force>
devicename <- Optional device name.>
If not, reboot the FortiGate and recheck. If the issue persists afterward, perform a flash format on FortiGate and load the firmware to test it.
In cases with a FortiGate VM in Public Clouds with a Pay per Use (or Pay to Go) license, it is necessary to check the Common Name field of the Fortigate_Factory certificate. Usually, the Common Name field of the Fortigate_Factory certificate shows FortiGate's serial number, but this does not happen for a FortiGate VM in Public Clouds.
To check the Common Name field, use the following commands:
FortiGate-VM64-AWS# conf vpn certificate local
FortiGate-VM64-AWS (local)# get Fortinet_Factory
name : Fortinet_Factory
password : *
private-key : *
certificate :
Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FortiGate, emailAddress = support@fortinet.com
Issuer: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = fortinet-subca2001, emailAddress = support@fortinet.com
Valid from: 2016-11-30 19:58:17 GMT
Valid to: 2056-11-20 19:58:17 GMT
To solve this scenario, it is necessary to align the certificate name with FortiGate's FortiCare license with the following command:
execute vm-license
Notice that this operation will reboot FortiGate and it valid only in AWS/Azure/GCP instance and FortiGate has to reach FortiGuard servers.
If case of HA scenario, is needed to execute command on both devices.
Related articles:
