FortiGate
sjoshi
Staff
Article Id 396193
Description

 

This article describes the cause and potential resolution for the error message: '[ha_auth_af_msg_sendto:74]: can not create admin socket, errno = 1' (Operation not permitted) that may appear during debugging on FortiGate High Availability (HA) clusters.

 

Scope

 

FortiGate.

 

Solution

 

When a debug command is run on FortiGate, the error below can appear in the output.

 

For example, to capture IKE daemon debug logs, the following commands are used:


diagnose vpn ike log filter rem-addr4 x.x.x.x   --> Where x.x.x.x is the Source Public IP.
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable

 

ike V=root:0:RemoteAccessVPN_0:436666:RemoteAccessVPN:415882: added IPsec SA: SPIs=528a5b34/61f85db8
ike V=root:0:RemoteAccessVPN_0: HA send IKE connection add 182.76.80.98->157.49.0.178
ike V=root:0:RemoteAccessVPN_0:436666: HA send IKE SA add d0d708e3f06c619a/4402ddc24be364d2
ike V=root:0:RemoteAccessVPN_0: HA send IKEv2 message ID update send/recv=0/6
ike V=root:0:RemoteAccessVPN_0:436666:RemoteAccessVPN:415882: sending SNMP tunnel UP trap
ike V=root:0:RemoteAccessVPN_0: tunnel up event assigned address 10.81.233.50
ike V=root:0:RemoteAccessVPN_0: sent tunnel-up message to EMS: (fct-uid=28D64B68013F4238AC497A59FF972AD4, intf=RemoteAccessVPN_0, addr=10.81.233.50, vdom=root)
ike V=root:0:RemoteAccessVPN_0: user '28D64B68013F4238AC497A59FF972AD4' 10.81.233.50 groups 1
[ha_auth_af_msg_sendto:74]: can not create admin socket, errno = 1 (Operation not permitted)
ike 0:RemoteAccessVPN_0:436666: enc 2700000C01000000B64C50622F000028020000007771E76F6E074132D894EC6C60559C002C263E19380E5DE00BBD0FAE2534D28D2100009002000000000100

 

The error message is triggered in the iked daemon when it tries to open an admin socket.

 

The issue has been reported under known issue ID 1112525 and is fixed in v7.6.3.
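
To locate this message in a saved debug capture and see which tunnel's IKE events preceded it, a small parser such as the one below can be used. It is an added example, not Fortinet code: the function name find_admin_socket_errors is hypothetical, SAMPLE is built from lines copied out of the output above, and attributing the error to the last 'ike V=' line seen is a heuristic.

```python
import errno
import re

# Constructed sample: lines copied from the debug output above (long "enc" hex line left out).
SAMPLE = """\
ike V=root:0:RemoteAccessVPN_0:436666:RemoteAccessVPN:415882: added IPsec SA: SPIs=528a5b34/61f85db8
ike V=root:0:RemoteAccessVPN_0: HA send IKE connection add 182.76.80.98->157.49.0.178
ike V=root:0:RemoteAccessVPN_0: tunnel up event assigned address 10.81.233.50
[ha_auth_af_msg_sendto:74]: can not create admin socket, errno = 1 (Operation not permitted)
"""

# "ike V=<vdom>:<n>:<tunnel>:" prefix; it gives the context for the lines that follow.
IKE_CTX = re.compile(r"^ike V=(?P<vdom>[^:]+):\d+:(?P<tunnel>[^:]+):")
# The error line this article covers; the bracketed number and the errno are captured.
HA_ERR = re.compile(
    r"^\[ha_auth_af_msg_sendto:(?P<src_line>\d+)\]: "
    r"can not create admin socket, errno = (?P<errno>\d+)"
)

def find_admin_socket_errors(text):
    """Return one dict per error line, attributed to the last IKE tunnel seen (heuristic)."""
    hits = []
    tunnel = vdom = None
    sa_added = set()  # tunnels for which "added IPsec SA" was logged earlier
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        ctx = IKE_CTX.match(line)
        if ctx:
            vdom, tunnel = ctx["vdom"], ctx["tunnel"]
            if "added IPsec SA" in line:
                sa_added.add(tunnel)
            continue
        err = HA_ERR.match(line)
        if err:
            code = int(err["errno"])
            hits.append({
                "line": lineno,
                "vdom": vdom, "tunnel": tunnel,
                "errno": code,
                # Symbolic name of the errno value on the host running this script.
                "errno_name": errno.errorcode.get(code, "UNKNOWN"),
                # True when the same tunnel logged an IPsec SA before the error.
                "sa_added_before": tunnel in sa_added,
            })
    return hits

if __name__ == "__main__":
    for hit in find_admin_socket_errors(SAMPLE):
        print(hit)
```

The sa_added_before field shows whether the tunnel had already logged 'added IPsec SA' when the message appeared, which helps separate it from lines that belong to a failed negotiation.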