Description
This article describes how to troubleshoot VPN connections when integrated with FortiGate.
Order of Operations: (Summary):
1) Host connects to VPN.
2) Host is restricted (Default FortiGate Policy).
3) Syslog is sent to FortiNAC.
4) Agent communicates with FortiNAC.
5) FortiNAC sends tag/group information to unrestricted host.
Order of Operations: (Detailed Version).
1) The remote user authenticates using either IPSec or SSL VPN client processes.
2) If authentication is successful, the FortiGate establishes a session and sends a syslog message to FortiNAC containing user, IP, and other session information.
3) FortiGate firewall rules exist to restrict all network access from the VPN interface and remote IP address range configured for VPN connections. The rules only allow access to FortiNAC isolation interface. DNS rules exist on the FortiNAC to resolve all queries to its isolation interface.
4) While restricted, all user HTTP requests are redirected to a VPN captive portal on FortiNAC. The portal page indicates that the user is currently restricted and, based upon administrator policy, can allow users to download and run an FortiNAC agent.
5) Once an FortiNAC agent executes and successfully communicates with the FortiGate, FortiNAC correlates information from the agent with data from the FortiGate to determine the host and adapter being used for the connection. It then updates the connection status of the host/adapter and triggers policy lookup and FSSO updates.
6) If the host/adapter is compliant with all necessary policies, FortiNAC tag/group information is sent to the FortiGate using FSSO which affects which FortiGate firewall rules control the session.
7) On disconnect, the FortiGate sends syslog to notify FortiNAC of session termination.
8) The host connection is terminated in FortiNAC which triggers FSSO to update the FortiGate to remove any tag/group information.
9) Default VPN firewall rules once again become effective.
Scope
Version: 8.x and greater
Solution
1) Review the affected VPN client’s entry in the database (ProbeObject) to determine what information is missing. Login to the appliance CLI as root and type
RemoteAccess -remoteIP <client VPN IP>
Example:
RemoteAccess –remoteIP 172.16.196.10
If no results are returned, the proper syslog information was either not received or not processed. See KB article 219825 for troubleshooting steps.
2) If results are returned, ensure User Name and MAC address values are populated.
3) Proceed as appropriate:
User Name is missing: The proper syslog information was either not received or not processed. See KB article 219825 for troubleshooting steps.
MAC Address is missing: Agent information is either not received or not processed. See KB article 244783 for troubleshooting steps.
Record looks correct but client is not getting proper network access:
a) Confirm whether or not SSO tags have been sent to the FortiGate. In appliance CLI type
ssotool -ip <FortiGate IP>
The following information should be returned:
SSO sessions on device <FortiGate IP>:
Name: User name
IP: Remote IP address
Target: FortiGate IP
SubTarget: root
Tags: Tag sent by FortiNAC
Type: FORTINET
Connected: x
SSO messages in FNAC
Name: User name
IP: Remote IP address
Target: FortiGate IP
SubTarget: FortiGate IP
Tags: Tag sent by FortiNAC
Type: FORTINET_FSSO
Connected: x
b) If either the wrong tags or no tags were sent, see KB article 219917.
Contact Support for further assistance. Open a support ticket and provide the following:
- Software version (x.x.x.x).
- FortiGate version.
- Detailed description of behavior.
- Troubleshooting steps taken.
- IP address and username of test client.
- Timeframe behavior was reproduced.
- System logs (For instructions see KB article 190755).
