FortiGate
Debbie_FTNT
Staff
Article Id 194403

Description


This article describes troubleshooting steps for issues that arise when adding a FortiGate to an existing Security Fabric.

Useful information about the Security Fabric can be found here and here.

 

Scope

 

FortiGate.

Solution


The Fortinet Security Fabric is a feature that provides visibility of connected Fortinet devices, especially FortiGates, from a single root FortiGate. Issues can arise when a FortiGate is added to an existing Security Fabric, impeding visibility and communication between the Fabric nodes.
Errors are mainly displayed in the Security Fabric section of the FortiGate GUI. Error messages regarding FortiView and/or FortiAnalyzer usually indicate a problem with that FortiGate's communication with the Fabric FortiAnalyzer, or a problem with logs, rather than a connectivity issue between two FortiGates.

If an issue arises, the following troubleshooting can be done:

In the CLI, enable debugging of the csf daemon and collect the output:

 

diag debug reset
diag debug app csf -1
diag debug en

 

Observe which error messages show up in the CLI. A common cause is missing CAs (Certificate Authorities), which produces errors like the following:

 

<2761> 02 __ssl_recv()-596: ssl error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca

 

This indicates that one FortiGate does not trust the certificate presented by the other FortiGate. To fix this, download the CA certificate from each FortiGate and import it into the trusted CA store of the other, then restart the csf daemon on the affected units so the new trust takes effect.

To restart the csf daemon:

 

  1. Find the daemon process ID (PID):

diag sys process pidof csf   ## FortiOS 6.0 and higher

fnsysctl cat /var/run/csf.pid   ## FortiOS 5.6

 

  2. Kill the daemon (it restarts automatically):

diag sys kill 11 <process ID>

 

Restarting the csf daemon in general can resolve some issues as well.
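As an added example (not part of the original article and not Fortinet code), the following Python script triages a captured block of "diag debug app csf -1" output: it picks out the "ssl error" lines, splits the standard OpenSSL error string (error:<code>:<library>:<function>:<reason>) into its fields, counts the distinct failure reasons, and attaches a remediation hint such as the CA import described above. The line layout is assumed from the single debug line quoted on this page; the sample input below is constructed here (the first line is the one from the page, the rest are made up to show a skipped line and a second reason), and the hints are the editor's own notes rather than FortiOS documentation.

```python
import re
from collections import Counter

# Line shape assumed from the one debug line quoted on the page:
#   <2761> 02 __ssl_recv()-596: ssl error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
# The part after "ssl error:" is a standard OpenSSL error string:
#   error:<hex code>:<library>:<function>:<reason>
SSL_ERR_RE = re.compile(
    r"^<(?P<pid>\d+)>\s+\S+\s+(?P<src>[^:\s]+):\s*ssl error:\s*"
    r"error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.+?)\s*$"
)

# Remediation hints keyed by a substring of the OpenSSL reason text.
# These are the editor's own notes, not Fortinet documentation.
HINTS = [
    ("unknown ca",
     "the peer's certificate chains to a CA this unit does not trust: export the CA "
     "certificate from the peer FortiGate, import it here, then restart csf"),
    ("certificate verify failed",
     "this unit rejected the peer certificate: check CA trust, validity dates and the system clock"),
    ("handshake failure",
     "no agreed TLS parameters: compare firmware versions and TLS settings on both units"),
]


def parse_ssl_error(line):
    """Return a dict for a csf 'ssl error' line, or None for any other line."""
    m = SSL_ERR_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["hint"] = next((h for key, h in HINTS if key in rec["reason"]),
                       "no hint available; look up the OpenSSL reason text")
    return rec


def triage(lines):
    """Parse a block of 'diag debug app csf -1' output.
    Returns (list of parsed error records, Counter of reasons)."""
    records = [r for r in (parse_ssl_error(l) for l in lines) if r]
    counts = Counter(r["reason"] for r in records)
    return records, counts


# Constructed sample: line 1 is the line quoted on the page; lines 2-4 are made up
# here to show a non-SSL line being skipped and a second, different failure reason.
SAMPLE_DEBUG = """\
<2761> 02 __ssl_recv()-596: ssl error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
<2761> 02 some_other_function()-100: connection to FG6H1ETB219----0 closed
<2761> 02 __ssl_recv()-596: ssl error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
<2761> 02 __ssl_connect()-300: ssl error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
""".splitlines()

if __name__ == "__main__":
    recs, counts = triage(SAMPLE_DEBUG)
    for reason, n in counts.most_common():
        print(f"{n}x {reason}")
    for r in recs:
        print(f"pid {r['pid']} {r['src']} [{r['func']}] {r['reason']} -> {r['hint']}")
```

Paste the debug output captured from the CLI into a file and feed its lines to triage(); a high count of a single reason on one unit usually points at that unit's trust store rather than at the peer.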

General troubleshooting should also be done:

  • Verify the affected FortiGates can reach each other (ping, HTTPS, SSH)
  • Check the crashlog on each FortiGate for crashes of these processes: csf, miglogd

 

diag debug crashlog read

 

Check the release notes for the firmware versions of the devices for possible known issues regarding Security Fabric.

Note:
Make sure there is no compatibility issue by verifying that the FortiGates are on the same firmware version if possible, and that any FortiAnalyzer (and FortiManager, if present) is on a compatible firmware version. FortiAnalyzer/FortiManager must be on at least the same release branch as the highest-version FortiGate.
Compatibility matrices can be found here in the FortiManager or FortiAnalyzer section.

 

  • If it is not possible to authorize any device, the following debug commands can also be run on the root FortiGate:

 

diag debug reset

diag debug cli 8

diag debug enable

diag sys csf authorization accept <serial number of device>

 

  • If this gives a duplicate error (<duplicated action=find-dup>), check whether any existing Fabric device has an index value of 0 under the trusted list. Because "show" omits settings left at their default, an entry with no "set index" line has index 0. If any device has an index value of 0, change it to a non-zero value to resolve the issue.

 

  • Reference output:

 

config system csf

config trusted-list

show
    edit "FG101E4Q17-----9"     <----- Index value is 3.
        set serial "FG101E4Q170----9"
        set ha-members "FG101E4Q170----8"
        set index 3
    next
    edit "FG6H1ETB219----0"     <----- Index value is 0 (no "set index" line is shown).
        set serial "FG6H1ETB219----0"
        set ha-members "FG6H1ETB219----0"
    next
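As an added example (not part of the original article and not Fortinet code), the following Python script parses "show" output from config system csf > config trusted-list, flags every entry whose index is 0 (explicitly or because the line is omitted) or whose index is duplicated, and prints the CLI needed to assign each such entry the next unused non-zero index. It assumes the "show" formatting seen in the reference output above and that an omitted "set index" means the default 0; the sample input is the page's own masked output with the annotations removed.

```python
import re

# FortiOS "show" omits settings left at their default. For trusted-list entries the
# index defaults to 0 (assumption, consistent with the page's reference output,
# where the index-0 entry has no "set index" line).
DEFAULT_INDEX = 0

EDIT_RE = re.compile(r'^\s*edit\s+"([^"]*)"')
SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.+?)\s*$')


def parse_trusted_list(text):
    """Parse 'show' output of config trusted-list into a list of
    {name, serial, ha_members, index} dicts, one per edit/next block."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = EDIT_RE.match(line)
        if m:
            cur = {"name": m.group(1), "serial": None,
                   "ha_members": None, "index": DEFAULT_INDEX}
            continue
        if cur is None:
            continue                      # "config ...", "show", "end" header lines
        if line == "next":
            entries.append(cur)
            cur = None
            continue
        m = SET_RE.match(line)
        if m:
            key, val = m.group(1), m.group(2).strip('"')
            if key == "index":
                cur["index"] = int(val)
            elif key == "serial":
                cur["serial"] = val
            elif key == "ha-members":
                cur["ha_members"] = val
    return entries


def find_index_problems(entries):
    """Return (names with index 0, names sharing a non-zero index with another entry)."""
    zero = [e["name"] for e in entries if e["index"] == 0]
    by_index = {}
    for e in entries:
        by_index.setdefault(e["index"], []).append(e["name"])
    dups = [n for idx, names in by_index.items()
            if idx != 0 and len(names) > 1 for n in names]
    return zero, dups


def fix_commands(entries):
    """Build the CLI that gives every index-0 entry, and every later holder of a
    duplicated index, a unique index continuing from the highest one in use."""
    used = {e["index"] for e in entries if e["index"] != 0}
    next_idx = max(used, default=0) + 1
    lines = ["config system csf", "    config trusted-list"]
    kept = set()
    for e in entries:
        if e["index"] != 0 and e["index"] not in kept:
            kept.add(e["index"])          # unique non-zero index: leave it alone
            continue
        lines += [f'        edit "{e["name"]}"',
                  f"            set index {next_idx}",
                  "        next"]
        next_idx += 1
    lines += ["    end", "end"]
    return "\n".join(lines)


# Constructed sample: the page's reference output (serials masked as on the page),
# without the "<-----" annotations.
SAMPLE_SHOW = """\
config trusted-list
    edit "FG101E4Q17-----9"
        set serial "FG101E4Q170----9"
        set ha-members "FG101E4Q170----8"
        set index 3
    next
    edit "FG6H1ETB219----0"
        set serial "FG6H1ETB219----0"
        set ha-members "FG6H1ETB219----0"
    next
end
"""

if __name__ == "__main__":
    entries = parse_trusted_list(SAMPLE_SHOW)
    zero, dups = find_index_problems(entries)
    print("index 0:", zero)
    print("duplicate index:", dups)
    print(fix_commands(entries))
```

Review the generated commands before pasting them into the root FortiGate; the script only renumbers entries that are at 0 or collide, and never touches an entry that already holds a unique non-zero index.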