FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
Hatibi
Staff & Editor
Article Id 341004
Description This article describes some examples of issues that cause synchronization failures between FortiNAC managers and servers.
Scope FortiNAC-M, FortiNAC-F.
Solution

The FortiNAC Manager is used in large deployments to act as a centralized node for managing multiple FortiNAC servers.


In many cases, the synchronization process with the managed FortiNAC appliances fails due to misconfiguration, database issues, separate upgrades of FortiNAC servers, or DNS issues.

To troubleshoot these cases, run the following command in the FortiNAC Manager CLI:

 

diagnose tail -F output.master

 

After this, perform a manual synchronization to the problematic FortiNAC Server through the GUI.

Log messages printed out will provide information about the cause of the issue.

 

Example 1. Sync failed to replace Role ID.


yams SEVERE :: 2024-09-04 02:29:39:342 :: #665 :: com.bsc.plugin.manager.GlobalObjectManager$SyncException: Sync failed to replace Role id = X
yams SEVERE :: 2024-09-04 02:29:39:342 :: #665 :: at com.bsc.plugin.manager.GlobalObjectManager.replace(GlobalObjectManager.java:1880)
yams SEVERE :: 2024-09-04 02:29:39:342 :: #665 :: at com.bsc.plugin.manager.GlobalObjectManager.syncPersistentObject(GlobalObjectManager.java:1572)

 

Solution: During a maintenance window, perform the following actions (take a VM snapshot of both the Server and the FortiNAC Manager in case a rollback is needed):

 

  1. Remove the Server from FortiNAC Manager.
  2. Remove the problematic entry based on ID or any other duplicate of it from the Server.
  3. Reboot the server.
  4. Reboot FortiNAC Manager.
  5. Add the server to FortiNAC Manager again and try to sync.

  

Example 2. Duplicate entry 'Policy_XYZ' for key 'UNIQUE_NAME'.

 

yams SEVERE :: 2024-09-04 02:29:39:333 :: #665 :: org.hibernate.engine.jdbc.spi.SqlExceptionHelper ERROR :: 2024-09-04 02:29:39:333 :: #665 :: (conn=24) Duplicate entry 'ISOLATE' for key 'UNIQUE_NAME'

yams SEVERE :: 2024-09-04 02:29:39:337 :: #665 :: org.hibernate.engine.jdbc.batch.internal.BatchingBatch ERROR :: 2024-09-04 02:29:39:337 :: #665 :: HHH000315: Exception executing batch [could not execute batch]

 

Solution: During a maintenance window, perform the following actions (take a VM snapshot of both the Server and the FortiNAC Manager in case a rollback is needed):

 

  1. Remove the Server from FortiNAC Manager.
  2. Remove the problematic entry based on ID or any other duplicate of it from the Server.
  3. Reboot the server.
  4. Reboot FortiNAC Manager.
  5. Add the server to FortiNAC Manager again and try to sync.

 

Example 3. No route to host (Host unreachable).

 

java.rmi.RemoteException: Error in REST RPC. target=JerseyWebTarget { https://192.168.0.20:8443/api/v2/rpc/method-call }; No route to host (Host unreachable)

 

Solution: This is a network issue or an external change in the hops between the Server and FortiNAC Manager. The routing and network configuration need to be fixed.

 

Example 4. Error in REST RPC / HTTPException.

 

[Screenshot: NCM_sync_error.png]

 

yams SEVERE :: 2024-02-13 14:47:12:688 :: #551 :: java.rmi.RemoteException: Error in REST RPC. target=JerseyWebTarget { https://192.168.0.20:8443/api/v2/rpc/method-call }; nested exception is: javax.xml.ws.http.HTTPException

yams SEVERE :: 2024-02-13 14:56:39:501 :: #141 :: java.net.UnknownHostException: fnacoffice.fortilab.local: Name or service not known

 

Or:

 

yams SEVERE :: 2025-05-10 05:31:45:120 :: #283 :: java.rmi.RemoteException: Error in REST RPC. target=JerseyWebTarget { https://lab-ca.lab.com:8443/api/v2/rpc/method-call }; nested exception is:
  javax.ws.rs.ProcessingException: java.net.UnknownHostException: lab-ca.lab.com

 

Solution: This is likely a DNS resolution issue: the FortiNAC Manager and the CA servers cannot resolve the FQDN to an IP address. Check the production DNS server configuration and add the necessary A records if they are missing.

 

Example 5. 'Name HibernateServer not found'.

 

[Screenshot: Hibernate error.png]

Attempting to display globaloptions or enabling debugs in the FortiNAC CLI will show the following errors:

 

[Screenshot: NCM_hibernate_err.png]

Solution: Management processes have not yet started on the FortiNAC Manager. Either the services are down, or the manager is in a startup process. Check the output.master for error logs.

Make sure the license is valid, that FortiNAC can reach the internet, and that FortiNAC is configured with the minimum system resources listed on page 14 of the data sheet FortiNAC F Series Hardware, VM, and Endpoint Licenses.


Example 6. 'Failed to create new CA':


2025-06-05 12:21:59.659 +0200 [https-jsse-nio-0.0.0.0-8443-exec-2] ERROR NCMCoordinatorGRPCClient - [NCMCoordinatorGRPCClient]GRPC server is not reachable, exception io.grpc.StatusRuntimeException: UNKNOWN
2025-06-05 12:21:59.659 +0200 [https-jsse-nio-0.0.0.0-8443-exec-2] ERROR c.b.s.n.cluster.CAManagementService - Failed to create new CA
java.lang.RuntimeException: UNKNOWN

 

Solution: This is a network issue or an external change in the hops between the Server and the FortiNAC Manager. The routing and network configuration need to be fixed. Additionally, collect a PCAP from both nodes to verify the connectivity.


From FortiNAC-Manager CLI:

 

execute tcpdump -i any host <FortiNAC-CA - IP>

 

From FortiNAC-CA CLI:

 

execute tcpdump -i any host <FortiNAC-M - IP>

 

Other issues seen when adding Servers to FortiNAC Manager:

 

  1. The server appears as an 'Unknown' entry in the FortiNAC Manager dashboard.

 

[Screenshot: Unknown.png]

Solution:

 

  1. Remove the Server with the 'unknown' state from the Manager.
  2. Remove the old .licenseKeyNCM from the Server in the path /bsc/campusMgr.

 

In the CLI, enter:

 

rm /bsc/campusMgr/.licenseKeyNCM

 

  3. Import and apply the FortiNAC Server license file from the Support Portal.
  4. Set the correct globaloption to reflect the serial number of the Manager and Server as described in the documentation.
  5. Restart services in the CLI on both the Manager and the Server:

 

restartNAC

 

  6. Add the Server to the FortiNAC Manager and perform a synchronization.

 

  2. Unable to add Server to Manager:

[Screenshot: errors.PNG]

 

Note:

After applying a new license to the Manager, its serial number may change. As a result, the CAs cannot communicate with the Manager or cannot be added back to it. To solve this issue, the serial number of the Manager that was configured in each CA needs to be changed.

 

From the CLI of the CA, run the following commands:

 

execute enter-shell

globaloptiontool -name security.allowedserialnumbers
131 security.allowedserialnumbers: FNVX-MTM240----OLD

 

globaloptiontool -name security.allowedserialnumbers -setRaw "FNVX-MTM250----NEW"

Value set. Old value was: FNVX-MTM240----OLD

 

Logs in the output.master:

 

yams INFO :: 2023-11-02 17:24:56:192 :: #133 :: 192.168.0.7 incompatible CM version.

yams INFO :: 2023-11-02 17:24:56:192 :: #133 :: Incompatible NAC server version.

 

A possible cause of this error is provided in the following article: Troubleshooting Tip: Unable to add servers to the FortiNAC Manager.
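As an added example (not part of this Fortinet article or of FortiNAC itself), the following Python script triages lines captured with `diagnose tail -F output.master` against the failure signatures quoted throughout this article and returns the matching remediation. The sample log lines are constructed from the excerpts above, and the cause labels and remediation wording are assumptions added here, summarised from the solutions in this article.

```python
import re

# Constructed sample, modelled on the output.master excerpts quoted in this article;
# it is not captured from a real deployment.
SAMPLE_LOG = """\
yams SEVERE :: 2024-09-04 02:29:39:342 :: #665 :: com.bsc.plugin.manager.GlobalObjectManager$SyncException: Sync failed to replace Role id = 42
yams SEVERE :: 2024-09-04 02:29:39:333 :: #665 :: (conn=24) Duplicate entry 'ISOLATE' for key 'UNIQUE_NAME'
yams SEVERE :: 2024-02-13 14:47:12:688 :: #551 :: java.rmi.RemoteException: Error in REST RPC. target=JerseyWebTarget { https://192.168.0.20:8443/api/v2/rpc/method-call }; No route to host (Host unreachable)
yams SEVERE :: 2024-02-13 14:56:39:501 :: #141 :: java.net.UnknownHostException: fnacoffice.fortilab.local: Name or service not known
yams INFO :: 2023-11-02 17:24:56:192 :: #133 :: 192.168.0.7 incompatible CM version.
yams INFO :: 2023-11-02 17:24:56:200 :: #133 :: Sync complete.
"""

# Layout of an output.master line: yams LEVEL :: timestamp :: #thread :: message
LINE_RE = re.compile(r"^yams (?P<level>\w+) :: (?P<ts>\S+ \S+) :: #(?P<thread>\d+) :: (?P<msg>.*)$")

# One entry per failure signature from this article: (regex, assumed cause label, remediation).
# Named groups capture the detail an operator needs (object id, duplicate name, target, host, peer).
SIGNATURES = [
    (re.compile(r"Sync failed to replace (?P<kind>\w+) id = (?P<id>\S+)"), "stale-global-object",
     "remove the server from the Manager, delete {kind} id {id} and any duplicate on the server, "
     "reboot both, re-add and sync"),
    (re.compile(r"Duplicate entry '(?P<name>[^']+)' for key 'UNIQUE_NAME'"), "duplicate-name",
     "remove the server from the Manager, delete the duplicate '{name}' on the server, reboot both, re-add"),
    (re.compile(r"target=JerseyWebTarget \{ (?P<target>\S+) \}.*No route to host"), "no-route",
     "path between the Manager and {target} is broken; fix routing/network configuration"),
    (re.compile(r"UnknownHostException: (?P<host>[\w.-]+)"), "dns",
     "{host} does not resolve; check the DNS server and add the missing A record"),
    (re.compile(r"(?P<peer>\d+(?:\.\d+){3}) incompatible CM version"), "version-mismatch",
     "{peer} runs a different FortiNAC version than the Manager (e.g. upgraded separately); align versions"),
]

def triage_line(line):
    """Return a triage record for a known failure signature, or None for any other line."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    for sig, cause, action in SIGNATURES:
        hit = sig.search(m["msg"])
        if hit:
            detail = hit.groupdict()
            return {"ts": m["ts"], "level": m["level"], "thread": m["thread"],
                    "cause": cause, "detail": detail, "action": action.format(**detail)}
    return None

def triage_log(text):
    """Triage every line of an output.master capture, skipping lines with no known signature."""
    return [rec for rec in (triage_line(l) for l in text.splitlines()) if rec]
```

Pipe a saved capture into `triage_log` and print each record's `ts`, `cause` and `action` to get a first-pass list of what to fix before the maintenance window.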