FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Gurpreet_Kaur
Article Id 419866
Description This article describes how to troubleshoot the onboarding of a FortiGate device to FortiManager via an IPsec tunnel when the FortiManager debug output reports a certificate mismatch error, and provides the steps to resolve the problem.
Scope FortiGate, FortiManager.
Solution

To troubleshoot onboarding of a FortiGate device to FortiManager via an IPsec tunnel when the FGFM session fails with a certificate mismatch error, follow these steps:

  1. Confirm that the FortiGate device can telnet to the FortiManager IP on TCP port 541, the port used by the FGFM (FortiGate-FortiManager) management protocol.
  2. Check the FortiManager fgfmd debug output for error messages, such as a certificate mismatch error.
  3. Check whether the FortiGate device is deployed in HA Active-Passive mode. Local certificates are synchronized between cluster members as part of the configuration, so the certificate presented by the current primary may carry the serial number of the other member (for example, after a failover).
  4. Check the device certificates and ensure that the primary device's certificate does not show the serial number of the secondary device.
  5. If the issue persists, regenerate the default certificates on the primary FortiGate device using the following commands. The regenerated GUI certificate is also the default certificate of the HTTPS admin GUI, so expect browser certificate warnings until the new certificate is trusted again:

 

execute vpn certificate local generate default-gui-mgmt-cert     <----- Regenerates the Fortinet_GUI_Server certificate.
execute vpn certificate local generate default-ssl-ca     <----- Regenerates the Fortinet_CA_SSL certificate.

 

  6. If the issue persists, restart the fgfmd process on the FortiGate device (the daemon is respawned automatically) by killing it with the following command:

 

fnsysctl killall fgfmd

 

Or, kill each fgfmd process individually by PID:

 

diagnose sys process pidof fgfmd

 

There can be several PIDs in the output. The following command must be repeated for every PID:

 

diagnose sys kill 11 <pid>     <----- Signal 11 (SIGSEGV) terminates the process and records an entry in the crash log.

 

  7. Verify that the process was killed (and has since been restarted) by reading the crash log:

 

diagnose debug crashlog read

 

  8. If the issue persists, reboot the FortiGate device.

Note: Make sure the FortiManager IP is reachable through the IPsec tunnel. The route can be checked with the following command:

 

FGT # get router info routing-table details x.x.x.x     <----- Where x.x.x.x is the FortiManager IP; the outgoing interface shown should be the IPsec tunnel interface.

 

The following is the correct configuration for sending the central-management (FGFM) traffic through the IPsec tunnel. FortiManager must also have a route back to the FortiGate through the same tunnel.

 

FGT # config system central-management

FGT (central-management) # set interface-select-method specify

FGT (central-management) # set interface <tunnel interface>
FGT (central-management) # end
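The whole procedure above, run as one CLI session on the primary FortiGate with the matching debug on the FortiManager side, as an added example that is not part of this article or Fortinet's documentation. The FortiManager address 10.10.10.5, the tunnel name "to-fmg", the serial numbers and the abbreviated output lines are placeholders constructed for illustration; `get vpn certificate local details` is assumed to be available on your firmware.

```fortios
# Added example (not from the article). FGT = primary FortiGate, FMG = FortiManager.
# 10.10.10.5, "to-fmg" and all serial numbers are placeholders; output is constructed.

# 1. Reachability: the FortiManager route must leave via the IPsec tunnel, and TCP/541 must answer.
FGT # get router info routing-table details 10.10.10.5   <----- expect outgoing interface "to-fmg", not the WAN
FGT # execute telnet 10.10.10.5 541

# 2. HA role and serial numbers of both members.
FGT # get system ha status                               <----- note which unit is Primary and its serial
FGT # get system status                                  <----- Serial-Number: this unit's own serial

# 3. Certificate check: the CN of the default certificates should carry THIS unit's serial.
#    Local certificates are part of the HA-synchronized configuration, so after a failover
#    the primary may still present a certificate generated with the other member's serial.
FGT # get vpn certificate local details                  <----- assumed available; inspect Fortinet_GUI_Server / Fortinet_CA_SSL
#    If the CN shows the secondary's serial, regenerate on the primary:
FGT # execute vpn certificate local generate default-gui-mgmt-cert
FGT # execute vpn certificate local generate default-ssl-ca

# 4. Restart fgfmd with its debug enabled so the reconnection to FortiManager is visible.
FGT # diagnose debug application fgfmd 255
FGT # diagnose debug enable
FGT # diagnose sys process pidof fgfmd
FGT # diagnose sys kill 11 <pid>                         <----- once per PID; signal 11 writes a crash-log entry
FGT # diagnose debug crashlog read                       <----- confirms the kill was recorded
FGT # diagnose sys process pidof fgfmd                   <----- new PIDs: the daemon has respawned
FGT # diagnose debug disable

# 5. Confirm the management traffic is bound to the tunnel and the FGFM tunnel is up.
FGT # get system central-management                      <----- interface-select-method: specify, interface: to-fmg
FGT # diagnose fdsm central-mgmt-status

# Same handshake seen from the FortiManager side.
FMG # diagnose debug application fgfmd 255
FMG # diagnose debug enable
FMG # diagnose dvm device list                           <----- device should appear as connected after the restart
FMG # diagnose debug disable
```

Run the FortiGate side first and keep the FortiManager debug open while fgfmd reconnects; a remaining certificate mismatch shows up in the FortiManager debug output right after the restart in step 4, before the device list in step 5 is consulted.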