FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
khoffman
Staff
Article Id 316125
Description

This article describes the steps to debug and troubleshoot IPSec and SSL VPN integrations with FortiNAC-F.

For configuration steps, refer to the VPN integration reference manual in the Fortinet Document Library for configuration details.

Order of Operations (Overview):

  1. The host establishes a VPN tunnel.
  2. The host is restricted (default Firewall Policy).
  3. FortiGate sends Syslog to FortiNAC indicating a new tunnel has been established.
  4. FortiNAC evaluates if the IP address is managed.
  5. Agent establishes communication with FortiNAC.
  6. FortiNAC sends tag/group information to the FortiGate to provision production access.
  7. The host disconnects from the VPN.
  8. FortiGate sends Syslog to FortiNAC indicating the tunnel has been torn down.
  9. FortiNAC removes tag/group information for the VPN host.

 
Order of Operations (Detailed Overview):

  1. Host connects to VPN.

During this step, the VPN tunnel is established between the end client and FortiGate. Typically, FortiClient is used to establish the VPN tunnel.

 

  • User authentication occurs during this step.
  • FortiNAC is NOT required to be the RADIUS server for hosts connecting to VPN.
  • The host receives its DHCP-assigned address, DNS server addresses, and DNS search suffix from the firewall.
  • One of the DNS servers must be the FortiNAC VPN interface so that the agent can resolve the FortiNAC server while the host is restricted.

  2. Host is Restricted.

    • The host is 'Restricted' after establishing the initial VPN connection. Restrictions are applied by a default firewall policy.
    • Restrictions force the end client to communicate with the FortiNAC VPN interface (Portal/Agent) and prevent the end user from accessing internal resources.
    • DNS requests should reach the FortiNAC VPN interface for portal redirect and agent communication.
    • Split tunnel VPN: the browser does not automatically redirect to the VPN portal. The end user must navigate to the VPN portal manually.

     

  3. FortiGate sends Syslog to FortiNAC.

    • Syslog is used to inform FortiNAC that a VPN client has connected.
    • The syslog message provides the username and IP address of the connecting VPN client.
    • The source IP of the syslog message must be the IP address of the FortiGate model in the FortiNAC inventory.
    • FortiNAC listens only for log messages with IDs 0101039947 and 0101039948 (SSL), or 0101037129 and 0101037134 (IPSec). All other syslog filter IDs should be disabled, as forwarding them causes performance problems.
    • 39947 - LOG_ID_EVENT_SSL_VPN_SESSION_TUNNEL_UP - SSL VPN tunnel up.
    • 39948 - LOG_ID_EVENT_SSL_VPN_SESSION_TUNNEL_DOWN - SSL VPN tunnel down.
    • 37129 - MESGID_NEG_PROGRESS_P2_NOTIF - Progress IPsec phase 2.
    • 37134 - MESGID_DELETE_P1_SA - IPsec phase 1 SA deleted.

     

  4. Remote Object Created.

    • FortiNAC keeps a list of 'Managed' VPN IP addresses. These addresses define what should be considered a 'VPN client'.
    • This 'Object' is stored in the system's memory to track active VPN sessions.
    • In FortiNAC version 9.2.x and later, VPN managed addresses are defined in the Virtualized Devices configuration of each VDOM.
    • Once a syslog message has been received for a VPN IP address that is 'Managed', a RemoteAccess object is created.
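To make the syslog filtering in the previous step and the managed-address check in this one concrete, here is a small Python model of that processing. It is an added example, not FortiNAC code: the log IDs are the ones listed in this article, while the FortiGate inventory IP, the managed VPN range, and the sample syslog lines (including the field names logid, user, tunnelip and remip) are constructed assumptions for this illustration only.

```python
import ipaddress
import re

# Log IDs that FortiNAC processes for VPN tunnel events (from this article).
TUNNEL_UP_IDS = {"0101039947", "0101037129"}    # SSL VPN tunnel up, IPsec phase 2 progress
TUNNEL_DOWN_IDS = {"0101039948", "0101037134"}  # SSL VPN tunnel down, IPsec phase 1 SA deleted

# Assumed values for this illustration: the FortiGate address as modelled in the
# FortiNAC inventory, and the managed VPN range (the VDOM's VPN Address Objects).
FORTIGATE_INVENTORY_IP = "192.0.2.1"
MANAGED_VPN_RANGES = [ipaddress.ip_network("172.16.196.0/24")]

# Constructed (sender IP, syslog line) pairs loosely modelled on FortiGate key="value"
# event logs; the field names used here are assumptions, not a FortiOS reference.
SAMPLE_EVENTS = [
    ("192.0.2.1", 'date=2024-04-12 time=08:18:32 logid="0101039947" type="event" subtype="vpn" '
                  'action="tunnel-up" tunneltype="ssl-tunnel" user="vpn-nac" remip=203.0.113.7 tunnelip=172.16.196.10'),
    ("192.0.2.1", 'date=2024-04-12 time=08:18:40 logid="0100032002" type="event" subtype="system" '
                  'action="login" user="admin" srcip=198.51.100.20'),
    ("192.0.2.1", 'date=2024-04-12 time=08:19:01 logid="0101039947" type="event" subtype="vpn" '
                  'action="tunnel-up" tunneltype="ssl-tunnel" user="guest" remip=198.51.100.9 tunnelip=10.99.0.5'),
    ("192.0.2.99", 'date=2024-04-12 time=08:19:30 logid="0101039947" type="event" subtype="vpn" '
                   'action="tunnel-up" tunneltype="ssl-tunnel" user="bob" remip=203.0.113.8 tunnelip=172.16.196.12'),
    ("192.0.2.1", 'date=2024-04-12 time=08:20:05 logid="0101039947" type="event" subtype="vpn" '
                  'action="tunnel-up" tunneltype="ssl-tunnel" user="alice" remip=203.0.113.9 tunnelip=172.16.196.11'),
    ("192.0.2.1", 'date=2024-04-12 time=09:02:11 logid="0101039948" type="event" subtype="vpn" '
                  'action="tunnel-down" tunneltype="ssl-tunnel" user="vpn-nac" remip=203.0.113.7 tunnelip=172.16.196.10'),
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Split a FortiGate-style key=value / key="value" line into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_managed(ip):
    """True when the tunnel IP falls inside one of the managed VPN address ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGED_VPN_RANGES)


def process_syslog(events, fortigate_ip=FORTIGATE_INVENTORY_IP):
    """Replay (sender_ip, syslog_line) pairs and return (sessions, dropped).

    A 'session' here stands in for FortiNAC's in-memory RemoteAccess object: it is
    created on a tunnel-up message for a managed IP and removed on tunnel-down.
    The MAC address is left empty on purpose: syslog never carries it, the agent does.
    """
    sessions = {}
    dropped = []  # (reason, line) for each message that created or removed nothing
    for sender, line in events:
        if sender != fortigate_ip:
            dropped.append(("sender is not the FortiGate in inventory", line))
            continue
        fields = parse_kv(line)
        logid, ip, user = fields.get("logid"), fields.get("tunnelip"), fields.get("user")
        if logid not in TUNNEL_UP_IDS | TUNNEL_DOWN_IDS:
            dropped.append(("log id is not a VPN tunnel event", line))
            continue
        if not ip or not is_managed(ip):
            dropped.append(("tunnel IP is not a managed VPN address", line))
            continue
        if logid in TUNNEL_UP_IDS:
            sessions[ip] = {"ip": ip, "user": user, "mac": None}
        else:
            sessions.pop(ip, None)
    return sessions, dropped


if __name__ == "__main__":
    active, ignored = process_syslog(SAMPLE_EVENTS)
    for ip, s in active.items():
        print(f"active session {ip} user={s['user']} mac={s['mac']}")
    for reason, line in ignored:
        print(f"ignored ({reason}): {line[:60]}...")
```

Replaying the constructed events leaves one active session (alice) because vpn-nac's tunnel-down message removes hers, and three messages are dropped for exactly the reasons the article lists: a non-VPN log ID, an unmanaged tunnel IP, and a sender that is not the FortiGate in inventory. Each dropped message corresponds to a check you would make in the debug output when a RemoteAccess object is missing.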

     

  5. Agent Communication.

    • Agent communication is required in the VPN integration. The agent is used to provide the MAC address of the connecting VPN user (IP to MAC).
    • Either the Persistent Agent or the Dissolvable Agent can be used.
    • The Dissolvable Agent must be downloaded on each VPN connection.
    • Scanning of the host is optional.

     

  6. Firewall tag is sent to the firewall.

    • FortiNAC sends a firewall tag to 'Unrestrict' the host and provision production network access.
    • Either connector-based (FSSO) or Fabric-based (dynamic address) tagging can be used.

     

  7. Host Disconnects from VPN.

  8. FortiGate sends Syslog to FortiNAC.

    • This results in the host being shown as offline in FortiNAC, and the firewall tag is removed.
Scope

FortiNAC-F 7.2, 7.4.
Solution

Debug to be enabled on FortiNAC when debugging/troubleshooting FortiGate VPN integrations:

Debug output prints to the /bsc/logs/output.master log.

 

diagnose debug plugin enable FortinetVPN <- FortiGate VPN specific.

diagnose debug plugin enable RemoteAccess <- VPN connection process.

diagnose debug plugin enable SyslogServer <- Syslog processing.

diagnose debug plugin enable SSOManager <- Firewall tagging FSSO/Dynamic Address.


Debug output prints to the /bsc/logs/output.nessus log.

 

diagnose debug plugin enable PersistentAgent <- Persistent Agent.

diagnose debug plugin enable AgentServer <- Dissolvable Agent.

 

  1. Review the affected VPN client’s entry in the database (ProbeObject) to determine what information is missing. From the CLI of the FortiNAC appliance use the RemoteAccess command with the active VPN client's IP address. 

    execute enter-shell
    RemoteAccess -remoteIP <client VPN IP>

    Example:

    RemoteAccess -remoteIP 172.16.196.10
    IP Address = 172.16.196.10
    MAC Address = 70:A6:CC:1E:28:3E
    Device Id = 2183
    Interface Id = 2262
    User Name = vpn-nac
    Session Id = -134086810
    Time Captured = Fri Apr 12 08:18:32 EST 2024
    InetAddress = null

    If no results are returned, the IP address is not considered managed, or the required syslog message was either not received from FortiGate or not processed by FortiNAC.

    Review and validate that the VPN Address Objects addresses are correctly set. 
    Troubleshooting Tip: Viewing managed VPN addresses from the CLI

    Validate syslog is being received and processed by FortiNAC (using tcpdump packet capture and debugging):
    Troubleshooting Tip: Troubleshooting syslog for FortiGate VPN integrations

  2. If results are returned but the MAC address is missing, troubleshoot agent communication.

    Troubleshooting Tip: MAC Address not detected over VPN

  3. If the username, IP address, and MAC address are all populated correctly, validate that the endpoint is now shown as online and connected to the VPN interface in the Host view. Right-click the host record and select Policy Details. Verify that the expected VPN policy is matched.

  4. If the expected policy is matched but the FSSO tag or Dynamic Address tag is not sent, verify that the correct tag values have been set in the VDOM model configuration and that the correct SSO address objects have been populated.

[Figure: VPNAddresses.png]

 

  5. If the tag information has been set, proceed to troubleshoot FSSO (Legacy) or the Security Fabric connection.
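The decision tree in the steps above can be written down as a small triage helper. This is an added example, not a FortiNAC tool: it parses the 'Key = Value' output format that the RemoteAccess command prints (as shown in step 1) and returns which branch of the procedure to follow next. The sample outputs are constructed from this article's example, and the branch labels are names chosen here.

```python
import re

# Colon-separated MAC as printed by RemoteAccess, e.g. 70:A6:CC:1E:28:3E.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Constructed sample outputs in the shape of the article's RemoteAccess example.
OUTPUT_COMPLETE = """\
IP Address = 172.16.196.10
MAC Address = 70:A6:CC:1E:28:3E
Device Id = 2183
Interface Id = 2262
User Name = vpn-nac
Session Id = -134086810
Time Captured = Fri Apr 12 08:18:32 EST 2024
InetAddress = null
"""
OUTPUT_NO_MAC = OUTPUT_COMPLETE.replace("MAC Address = 70:A6:CC:1E:28:3E", "MAC Address = null")
OUTPUT_EMPTY = ""  # RemoteAccess printed nothing for the IP that was queried


def parse_remoteaccess(output):
    """Turn 'Key = Value' lines into a dict; 'null' becomes None. Empty output -> None."""
    record = {}
    for line in output.splitlines():
        key, sep, value = line.partition(" = ")
        if not sep:
            continue  # skip anything that is not a key/value line
        value = value.strip()
        record[key.strip()] = None if value.lower() == "null" else value
    return record or None


def next_check(output):
    """Map RemoteAccess output to the next troubleshooting branch from this article.

    Returns (branch, what_to_check). Branch names are chosen for this example.
    """
    record = parse_remoteaccess(output)
    if record is None:
        # Step 1: no object means the IP is not managed or the syslog never arrived.
        return ("ip-not-managed-or-syslog-not-processed",
                "Verify the VPN Address Objects, then tcpdump/debug syslog from the FortiGate")
    mac = record.get("MAC Address")
    if not mac or not MAC_RE.match(mac):
        # Step 2: syslog was processed, but the agent never supplied the MAC.
        return ("agent-communication",
                "Troubleshooting Tip: MAC Address not detected over VPN")
    if not record.get("User Name") or not record.get("IP Address"):
        # Username and IP come from syslog, so a gap here points back at the syslog content.
        return ("ip-not-managed-or-syslog-not-processed",
                "Username or IP missing: re-check the syslog message content")
    # Steps 3-5: everything is populated, so move on to policy matching and tagging.
    return ("policy-and-tag",
            "Confirm the host is online on the VPN interface, check Policy Details, "
            "then the VDOM tag values, SSO address objects and the FSSO/Fabric connection")


if __name__ == "__main__":
    for label, out in (("complete", OUTPUT_COMPLETE), ("no MAC", OUTPUT_NO_MAC), ("empty", OUTPUT_EMPTY)):
        branch, action = next_check(out)
        print(f"{label:>8}: {branch} -> {action}")
```

The helper deliberately treats a malformed MAC the same as a missing one, since a RemoteAccess entry whose MAC cannot be parsed will not let FortiNAC complete the IP-to-MAC mapping that the tagging step depends on.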


Related Articles: 
Troubleshooting Tip: Troubleshooting Fortinet SSO for FortiGate VPN
Technical Tip: Connector based FSSO vs Fabric Based with FortiNAC
Troubleshooting Tip: FortiNAC and FortiGate IPSec log example
Troubleshooting Tip: FortiNAC and FortiGate SSL-VPN log example

Contact support for further assistance. Open a ticket and include the following: 
  • FortiNAC full version (x.x.x.x).
  • FortiOS version.
  • FortiNAC Agent version.
  • Detailed description.
  • The VPN IP address and username of the client having issues.
  • Timeframe the issue occurred.
  • System logs.