|
A 'Fabric device (SN=FGVM2VTM1******) does not have the right permissions' log message appears in the EMS server logs despite the connectivity between FortiGate and the EMS connector being up.
Downstream FortiGates in the Security Fabric incorrectly identifies itself as the root device to the FortiClient EMS server by sending a rest API call 'api/v1/fabric_device_auth/fortigate'.
The following errors are seen in the fcnacd debugs:
diagnose debug application fcnacd -1
diagnose endpoint filter show-large-data yes
diagnose debug enable
.
{"fortigates":{"FGVM2VTM1******)":{"authenticate":"accept","is_root":true}}} <--------------------------------------------- decalaring itself as root.
.
2024-07-05 10:45:13 [ec_ez_worker_process:368] Processing call for obj-id: 3, entry: "api/v1/fabric_device_auth/fortigate"
2024-07-05 10:45:13 [ec_ez_worker_process:387] reply:
"""
{"result": {"retval": -4, "message": "Fabric device (SN=FGVM2VTM1******)":{") does not have the right permissions."}}
This issue has been resolved in v7.2.11, v7.4.8, and v7.6.1. General debug information required by FortiGate TAC for investigation:
diagnose debug console timestamp enable
diagnose debug application fcnacd -1
diagnose endpoint filter show-large-data yes
diagnose debug enable
Reproduce the issue, then run the following:
diagnose debug reset
get system csf
execute tac report
- Configuration file of the FortiGate.
- To stop the debug processes in the end, press 'Ctrl+C' and enter 'diagnose debug disable'.
|
