RuiChang
Staff
Article Id 251811
Description

This article describes multiple scenarios of Kubernetes SDN Connector connection errors and suggested solutions.

Scope

FortiGate.

Solution

In the FortiGate Private SDN Connector, Kubernetes is one of the available integration options. The configuration is simple and direct. However, connection errors do not display detailed information in the GUI, which makes them difficult for users to troubleshoot.

In that case, run the debug commands below for more information:

diagnose debug application kubed -1
diagnose debug enable

The sections below list common error messages for the Kubernetes connection.

1) Routing/connection error:

The debug output below shows that FortiGate is unable to reach the Kubernetes cluster.

FortiGate is unable to resolve the URL and reports curl error 28 (operation timed out).

[Screenshot: kubed debug output showing curl error 28]

The error can be verified with a PING test and telnet: FortiGate should be able to PING the Kubernetes cluster IP and telnet to the Kubernetes cluster port.

If the Kubernetes cluster is behind a NAT device, ensure port forwarding is configured correctly to translate the IP for connections from external devices.

2) Token error:

A token error causes FortiGate to fail to query the Kubernetes API. The error appears in the debug output as shown below:

[Screenshot: kubed debug output showing 'status': 'Failure' and 'reason': 'Unauthorized']

The 'status': 'Failure' and 'reason': 'Unauthorized' fields indicate that FortiGate was unable to authenticate itself to the Kubernetes API. Verify the token in the FortiGate configuration again and ensure it is the Base64-decoded value.

3) TLS/SSL protocol error:

The debug output below shows FortiGate receiving curl error 92 when it tries to curl the Kubernetes API URL.

[Screenshot: kubed debug output showing curl error 92]

Curl error 92 indicates that FortiGate is connected to Kubernetes but is unable to maintain the TLS/SSL connection to the Kubernetes API. In that case, verify the token and check that the Kubernetes ClusterRoleBinding is configured correctly. Ensure the Kubernetes timeout period is increased and reboot Kubernetes if necessary.

If none of the scenarios apply, contact TAC engineers for further support.

Otherwise, troubleshoot on the Kubernetes side and ensure the Kubernetes cluster, services and pods are in a healthy condition.
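As an added example (not part of the article or of FortiOS), the POSIX shell helper below reproduces the three checks above from an admin workstation: it maps the curl exit code and API response to the article's scenarios, and flags a token that was pasted while still Base64-encoded. The API URL, token and CA file are assumed inputs; curl and GNU base64 are assumed to be installed.

```shell
#!/bin/sh
# Added example: classify Kubernetes API connection failures the way the
# article does (routing / token / TLS) and catch an undecoded token.

# Map a curl exit code, HTTP status and response body to the article's cases.
classify_k8s_error() {
    curl_rc="$1"; http_code="$2"; body="$3"
    case "$curl_rc" in
        # curl 28: timed out -> check routing, ping/telnet, NAT port forwarding
        28) echo "routing" ;;
        # curl 92: connected but the TLS/HTTP session fails -> token, RBAC, API health
        92) echo "tls" ;;
        0)
            # 401 / "Unauthorized" -> verify the token is the base64-decoded value
            if [ "$http_code" = "401" ] || printf '%s' "$body" | grep -q '"reason": *"Unauthorized"'; then
                echo "token"
            elif [ "$http_code" = "200" ]; then
                echo "ok"
            else
                echo "other"
            fi ;;
        *) echo "other" ;;
    esac
}

# A service-account token copied straight from the Secret is still base64-
# encoded; a decoded JWT starts with "eyJ". Returns 0 if the value still
# needs decoding, 1 if it is already a JWT, 2 if it is neither.
token_needs_decoding() {
    case "$1" in eyJ*) return 1 ;; esac
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 2
    case "$decoded" in eyJ*) return 0 ;; *) return 2 ;; esac
}

# Query the API server with a bearer token (assumed URL/token/CA) and classify.
# Usage: check_k8s_api https://<api-server>:6443 "$TOKEN" [/path/to/ca.crt]
check_k8s_api() {
    url="$1"; token="$2"; ca="$3"; body=$(mktemp); rc=0
    http_code=$(curl -sS --max-time 10 ${ca:+--cacert "$ca"} -o "$body" \
        -w '%{http_code}' -H "Authorization: Bearer $token" \
        "$url/api/v1/nodes") || rc=$?
    result=$(classify_k8s_error "$rc" "$http_code" "$(cat "$body")")
    rm -f "$body"
    echo "$result"
}
```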


Related documents:

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/510916/collect-only-node-ip-addresse...

https://docs.fortinet.com/document/fortigate/6.2.0/new-features/673021/kubernetes-k8s