FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
khoffman
Staff
Article Id 311745
Description: This article describes how to understand the reason for seeing 'CONN_DENY' in agent logs.
Scope: FortiNAC Persistent Agent: v5.x, v9.x & v10.x.
Solution
  1. With an endpoint with the FortiNAC Persistent Agent services running and connected to the network, collect the agent logs.

  2. Review the agent logs in Notepad and look for the following after the certificate exchange is completed:

2024-04-16 15:03:58 UTC :: Peer name "nacnac.corp.fortinet.com" matches "nacnac.corp.fortinet.com"
2024-04-16 15:03:58 UTC :: check_cert_chain error is 3
2024-04-16 15:03:58 UTC :: SslStreamTransport::sslSendThread calling take()
2024-04-16 15:03:59 UTC :: Sent Conn-Request
2024-04-16 15:03:59 UTC :: Expanded SslStreamTransport recvBuf to 64 bytes
2024-04-16 15:03:59 UTC :: Expanded SslStreamTransport recvBuf to 128 bytes
2024-04-16 15:03:59 UTC :: constructFromBufer verb = Conn-Deny
2024-04-16 15:03:59 UTC :: handleReceivedPacket() -- received this packet:
Conn-Deny
END of packet
2024-04-16 15:03:59 UTC :: Sending ACK for 7976428
2024-04-16 15:03:59 UTC :: Received CONN_DENY
2024-04-16 15:03:59 UTC :: after connFinished wait done


This indicates the agent has successfully connected to a FortiNAC server and completed the certificate exchange, but the server is refusing the connection. The server denies the connection when 'Require Connected Adapter' is enabled on the server and that server does not see the physical adapter as online and connected to a network device it manages. If multiple servers are configured, this may be expected: the host is attempting to connect to a server at a location where the endpoint is not connected to a network device managed by that server.

Require Connected Adapter: If enabled, the server will require one of the adapters reported by the agent to be connected to a device managed by FortiNAC to communicate. This eliminates the need to use ACLs.


  3. Determine why the endpoint is not seen as online and connected. Navigate to the network device being managed by FortiNAC and locate the port to which the endpoint is connected. If the host is not shown as online and connected, continue to troubleshoot poll failures.

  4. The other reason for seeing the 'CONN_DENY' error in Persistent Agent logs is an invalid MAC address. If the OUI of the host MAC address is not listed in the FortiNAC database as a known OUI, FortiNAC blocks Persistent Agent communication and the Persistent Agent logs display 'CONN_DENY'. This most often occurs when MAC randomization is enabled on macOS.
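As an added example (not from this article or from Fortinet), the following Python script triages a Persistent Agent log of the kind shown above: it confirms the peer-name check passed and a Conn-Request was sent, and if a CONN_DENY followed, reports the server and the two causes described in this article to check. The sample log is constructed to mirror the sequence above, with a placeholder server name.

```python
import re

# Constructed sample mirroring the article's log sequence; server name is a placeholder.
SAMPLE_LOG = """\
2024-04-16 15:03:58 UTC :: Peer name "nac.example.com" matches "nac.example.com"
2024-04-16 15:03:59 UTC :: Sent Conn-Request
2024-04-16 15:03:59 UTC :: constructFromBufer verb = Conn-Deny
2024-04-16 15:03:59 UTC :: handleReceivedPacket() -- received this packet:
Conn-Deny
END of packet
2024-04-16 15:03:59 UTC :: Received CONN_DENY
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC :: (.*)$")
PEER_RE = re.compile(r'^Peer name "([^"]+)" matches "([^"]+)"$')

# Causes of CONN_DENY described in the article, in the order to check them.
DENY_CHECKS = [
    "Require Connected Adapter: is one of the agent's adapters seen online on a "
    "port of a network device managed by this server? If not, troubleshoot polling.",
    "Invalid MAC address: is the OUI of the host MAC known to FortiNAC? "
    "MAC randomization (common on macOS) produces unknown OUIs.",
]


def triage_agent_log(text):
    """Classify one Persistent Agent connection attempt from its log text."""
    server = None          # peer name accepted during the certificate exchange
    sent_request = False   # agent got as far as sending Conn-Request
    denied_at = None       # timestamp of Received CONN_DENY, if any
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue       # packet dump lines carry no timestamp; skip them
        ts, msg = m.groups()
        pm = PEER_RE.match(msg)
        if pm and pm.group(1) == pm.group(2):
            server = pm.group(1)
        elif msg == "Sent Conn-Request":
            sent_request = True
        elif msg == "Received CONN_DENY" and sent_request:
            denied_at = ts   # only a denial that answers our request counts
    if server is None:
        return {"status": "no_tls_session", "server": None, "denied_at": None, "checks": []}
    if not sent_request:
        return {"status": "tls_ok_no_request", "server": server, "denied_at": None, "checks": []}
    if denied_at:
        return {"status": "server_denied", "server": server, "denied_at": denied_at, "checks": DENY_CHECKS}
    return {"status": "not_denied", "server": server, "denied_at": None, "checks": []}
```

Run `triage_agent_log()` over the full log file contents; a result of `server_denied` with a non-empty `checks` list points at the two causes above rather than at a TLS or reachability problem.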


Related article:
Technical Tip: 'Invalid Physical Address' error in event logs preventing host registration