FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
FortiKoala
Staff
Article Id 195480

Description


This article provides steps to troubleshoot L2 or L3 Poll Failure events.

 

Scope

 

FortiNAC, FortiNAC-F.


Solution

 

  1. Is the device shown with a red icon in the FortiNAC Topology view? If so, Contact Status Polling is failing (FortiNAC cannot ping the device).
  • This is most likely a network-related issue.
  • Make sure the device is up and running and 'Ping' is enabled on its management interface.

 

  2. If Contact Status Polling is successful, select the Credentials tab in Model Configuration and then select the 'Validate Credentials' button.

 

CLI credentials are failing:

  • Manually establish an SSH session to the switch from the FortiNAC CLI and confirm that the username/password are correct.
  • Make sure the account has appropriate permissions.
  • Enable debugging and investigate CLI output related to SSH failures:

 

FortiNAC (CentOS):

 

logs

nacdebug -logger org.apache.sshd -level FINEST

nacdebug -name TelnetServer true

tf output.master

 

FortiNAC-F (NACOS):

 

diagnose debug plugin enable TelnetServer

diagnose debug logger set finest org.apache.sshd
diagnose tail -F output.master
 
After debugging is enabled, select 'Validate Credentials' again in the FortiNAC model configuration and investigate the output. Press Ctrl+C to stop the tail output when finished.
 
Disable debugging.

FortiNAC (CentOS):

 

logs

nacdebug -logger org.apache.sshd 

nacdebug -name TelnetServer false

 

FortiNAC-F (NACOS):
 

diagnose debug plugin disable TelnetServer

diagnose debug logger unset org.apache.sshd
 
Credential Validation is successful but L2/L3 Polling is still failing:
  • Make sure the switches do not have banners that include '#' or '>' characters, as FortiNAC might interpret them as delimiters. To test, disable the banner completely.
  • Enable debugging and investigate CLI output related to L2/L3 poll failures.

 

FortiNAC (CentOS):

 

logs

Device -ip X.X.X.X -setAttr -name DEBUG -value "ForwardingInterface TelnetServer"

(Replace X.X.X.X with the switch IP.)

nacdebug -name BridgeManager true

tf output.master 

 

FortiNAC (NACOS) v7.4 and greater:

 

diagnose network device set attribute DEBUG "ForwardingInterface TelnetServer" ip X.X.X.X

(Replace X.X.X.X with the switch IP.)

diagnose debug plugin enable BridgeManager
diagnose tail -F output.master
 
After debugging is enabled, select 'L2 poll' or 'L3 poll' again from the Switch polling tab in the FortiNAC model configuration and investigate the output.
Press Ctrl+C to stop the tail output when finished.

Disable debugging.

FortiNAC (CentOS):

 

logs

Device -ip X.X.X.X -delAttr -name DEBUG

(Replace X.X.X.X with the switch IP.)

nacdebug -name BridgeManager false

 

FortiNAC (NACOS) v7.4 and greater:
 
diagnose network device delete attribute DEBUG ip X.X.X.X

(Replace X.X.X.X with the switch IP.)
diagnose debug plugin disable BridgeManager
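
The banner check described above can be run over saved switch configurations before retrying the poll. The following is an added example, not part of the original article or any Fortinet tooling; it assumes Cisco IOS-style "banner <type> <delimiter>" syntax, and the function name and sample configuration are constructed for illustration.

```python
import re

# Characters the article says FortiNAC might interpret as delimiters.
RISKY = ("#", ">")

# Assumption: IOS-style syntax "banner <type> <delim>text<delim>", where the
# delimiter is a single character or the two-character sequence "^C".
BANNER_START = re.compile(r"^banner\s+(\S+)\s+(\^C|\S)(.*)$")

def find_risky_banners(config_text):
    """Return (banner_type, line_number, text) for banner lines with '#' or '>'."""
    findings = []
    btype = delim = None
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if btype is None:
            m = BANNER_START.match(line)
            if not m:
                continue  # outside any banner: descriptions etc. are ignored
            btype, delim, body = m.group(1), m.group(2), m.group(3)
        else:
            body = line
        # The closing delimiter ends the banner and is not displayed itself.
        end = body.find(delim)
        text = body if end < 0 else body[:end]
        if any(ch in text for ch in RISKY):
            findings.append((btype, lineno, text.strip()))
        if end >= 0:
            btype = delim = None
    return findings

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
hostname sw-access-01
banner motd ^C
###############################
  Authorized access only
  Support -> noc@example.com
###############################
^C
banner login #Unauthorized use prohibited#
interface GigabitEthernet1/0/1
 description uplink -> core
"""

if __name__ == "__main__":
    for btype, lineno, text in find_risky_banners(SAMPLE_CONFIG):
        print(f"banner {btype}, line {lineno}: {text}")
```

Only text inside a banner block is reported; the '>' in the interface description and the '#' used as the login banner's delimiter are not flagged.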

When providing logs to Technical support include the following:

 

Related Articles:

Technical Tip: Troubleshooting CLI credential failure

Troubleshooting Tip: Troubleshoot FortiGate REST API access in a FortiNAC integration

Technical Note: Troubleshooting SNMP communication issues

Technical Note: Troubleshooting FortiGate API access

Technical Tip: Port in Topology View displays a green link light

Technical Note: L2 Poll Failures when devices have lost contact

Technical Tip: Concurrent License count is unusually high