Technical Tip: Troubleshooting Poll failures

FortiKoala · ‎09-28-2018

Description

This article describes steps to troubleshoot L2 or L3 Poll Failure events.

Scope

FortiNAC, FortiNAC-F.

Solution

Is the device showing with a Red icon in the FortiNAC Topology view? If so, Contact Status Polling is failing (FortiNAC cannot ping the device).

This is most likely a network-related issue.
Make sure the device is up and running and 'Ping' is enabled on its management interface.

If Contact Status Polling is successful, select the Credentials tab in Model Configuration and then the 'Validate Credentials' button.

CLI credentials are failing:

Manually establish an SSH session towards the Switch from FortiNAC CLI and confirm the correct username/password.
Make sure the account has appropriate permissions.
Enable debugging and investigate CLI output related to SSH failures:

FortiNAC (CentOS):

logs

nacdebug -logger org.apache.sshd -level FINEST

nacdebug -name TelnetServer true

tf output.master

FortiNAC-F (NACOS):

diagnose debug plugin enable TelnetServer

diagnose debug logger set finest org.apache.sshd

diagnose tail -F output.master

After debugs are enabled select again 'Validate Credentials' from FortiNAC model configuration and investigate the output. Press ctrl+c to stop tail output when finished.

Disable debugging.

FortiNAC (CentOS):

logs

nacdebug -logger org.apache.sshd

nacdebug -name TelnetServer false

FortiNAC-F (NACOS):

diagnose debug plugin disable TelnetServer

diagnose debug logger unset org.apache.sshd

Credential Validation is successful but L2/L3 Polling is still failing.

Make sure the Switches do not have banners that include '#' or '>' characters as FortiNAC might interpret them as delimiters. Test by disabling the banner completely.
Enable debugging and investigate CLI output related to L2/L3 poll failures.

FortiNAC (CentOS):

logs

Device -ip X.X.X.X -setAttr -name DEBUG -value "ForwardingInterface TelnetServer" <----- Replace X.X.X.X with the Switch IP.

nacdebug -name BridgeManager true

tf output.master

FortiNAC (NACOS) v7.4 and greater:

diagnose network device set attribute DEBUG "ForwardingInterface TelnetServer" ip X.X.X.X <----- Replace X.X.X.X with the Switch IP.

diagnose debug plugin enable BridgeManager

diagnose tail -F output.master

After debugs are enabled select again 'L2 poll' or 'L3 poll' from the Switch polling tab in the FortiNAC model configuration and investigate the output.

Press ctrl+c to stop tail output when finished.

Disable debugging.

FortiNAC (CentOS):

logs

Device -ip X.X.X.X -delAttr -name DEBUG <----- Replace X.X.X.X with the Switch IP.

nacdebug -name BridgeManager false

FortiNAC (NACOS) v7.4 and greater:

diagnose network device delete attribute DEBUG ip X.X.X.X <----- Replace X.X.X.X with the switch IP.

diagnose debug plugin disable BridgeManager

When providing logs to Technical support include the following: