FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Article Id 219825
Description

This article describes how to verify that the FortiNAC appliance is receiving and processing syslog messages from the FortiGate in VPN integrations.

 

For integration details, see FortiGate VPN Integration reference manual in the Document Library.

Scope

Version: 8.x and greater.
Solution
  1. Review FortiGate configuration to verify Syslog messages are configured properly.

  2. Using tcpdump, confirm that syslog messages reach the appliance when a client connects. In the appliance CLI, run the following command:


tcpdump -nni eth0 host <FortiGate IP modeled in Inventory> and port 514

 

(Press Ctrl-C to stop it.)

 

If syslog messages are not being received:

 

  • Confirm source-ip is configured correctly on the FortiGate.  See KB article 193368.
  • Confirm UDP 514 is not being blocked in the network.

 

  3. If syslog is reaching the appliance, enable debugs (written to /bsc/logs/output.master):

 

nacdebug -name FortinetVPN true
nacdebug -name SyslogServer true
tf /bsc/logs/output.master | grep -i "UserName"

 

  4. Have the client connect.

 

  5. Review output.master for syslog messaging that provides the User ID, the assigned endstation VPN IP address, and session information.


Example of syslog output for a VPN login:

  • User ID (user): test
  • VPN IP (tunnelip): 172.16.196.10
  • Session information: subtype='vpn', action='tunnel-up'

 

yams.SyslogServer FINER :: 2021-11-10 15:53:31:067 :: SyslogServer received: 10.12.240.5 <190>date=2021-11-10 time=16:53:30 devname="FGT-Core" devid="FG81EPTK18005296" eventtime=1636577610467479916 tz="-0500" logid="0101039947" type="event" subtype="vpn" level="information" vd="root" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" tunnelid=733830834 remip=10.12.102.18 tunnelip=172.16.196.10 user="test" group="Radius Servers" dst_host="N/A" reason="tunnel established" msg="SSL tunnel established"

 

Key information in other syslog messages received:

 

subtype="vpn"
action="tunnel-up"
action="tunnel-down"
action="delete_phase1_sa"
action="negotiate"


Note: Syslog messages with any action other than the above are dropped with the message 'FortinetVpnPlugin.VPNSyslogListener failed to parse'.
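To see what the appliance has to extract from a message like the one above, and which messages fall through the action filter, here is a small parser added for this article (it is not FortiNAC's own code). It splits FortiGate key=value syslog lines, keeps only subtype="vpn" messages whose action is one of the four listed above, and returns the fields the debug output shows being parsed (devid, logid, vd, tunneltype, remip, tunnelip, user). The sample lines are constructed: the first is the tunnel-up message quoted above, the other three are made up to exercise the processed and dropped cases. HANDLED_ACTIONS and the field names are assumptions taken from this article, not from the plugin's implementation.

```python
import re
from typing import Dict, List, Optional, Tuple

# Actions the FortinetVPN plugin processes, per this article (assumption: the
# plugin may handle more; anything else is dropped as "failed to parse").
HANDLED_ACTIONS = {"tunnel-up", "tunnel-down", "delete_phase1_sa", "negotiate"}

# One key=value pair: the value is either a double-quoted string or a bare token.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_syslog(line: str) -> Dict[str, str]:
    """Split a FortiGate syslog line into its key=value fields.

    Anything before the first "date=" field (the "<190>" PRI, or the
    "10.12.240.5 " source prefix seen in the SyslogServer debug line) is
    ignored; surrounding double quotes are removed from values.
    """
    body = line.strip()
    start = body.find("date=")
    if start > 0:
        body = body[start:]
    fields: Dict[str, str] = {}
    for key, value in _KV_RE.findall(body):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def vpn_session_event(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the fields FortiNAC needs from a VPN session message, or None
    if the message would be dropped (wrong subtype or an unhandled action)."""
    f = parse_fortigate_syslog(line)
    if f.get("subtype") != "vpn" or f.get("action") not in HANDLED_ACTIONS:
        return None
    return {
        "devid": f.get("devid"),        # FortiGate ID
        "logid": f.get("logid"),        # logID
        "vd": f.get("vd"),              # VDOM
        "action": f.get("action"),
        "tunneltype": f.get("tunneltype"),
        "remip": f.get("remip"),        # client's public IP
        "tunnelip": f.get("tunnelip"),  # endstation VPN IP
        "user": f.get("user"),          # User ID
    }


def triage(lines: List[str]) -> Tuple[List[Dict[str, Optional[str]]], List[str]]:
    """Split a batch of syslog lines into processed VPN events and dropped lines."""
    events, dropped = [], []
    for line in lines:
        ev = vpn_session_event(line)
        if ev is None:
            dropped.append(line)
        else:
            events.append(ev)
    return events, dropped


# Constructed sample input. The first line is the tunnel-up message from the
# article; the other three are made up here to show the other cases.
SAMPLE_LINES = [
    '<190>date=2021-11-10 time=16:53:30 devname="FGT-Core" devid="FG81EPTK18005296" '
    'eventtime=1636577610467479916 tz="-0500" logid="0101039947" type="event" '
    'subtype="vpn" level="information" vd="root" logdesc="SSL VPN tunnel up" '
    'action="tunnel-up" tunneltype="ssl-tunnel" tunnelid=733830834 '
    'remip=10.12.102.18 tunnelip=172.16.196.10 user="test" group="Radius Servers" '
    'dst_host="N/A" reason="tunnel established" msg="SSL tunnel established"',
    # constructed: tunnel-down for the same session, processed
    '<190>date=2021-11-10 time=17:05:02 devname="FGT-Core" devid="FG81EPTK18005296" '
    'logid="0101039948" type="event" subtype="vpn" level="information" vd="root" '
    'action="tunnel-down" tunneltype="ssl-tunnel" tunnelid=733830834 '
    'remip=10.12.102.18 tunnelip=172.16.196.10 user="test" msg="SSL tunnel shutdown"',
    # constructed: vpn subtype but an action the plugin does not handle, dropped
    '<190>date=2021-11-10 time=16:53:20 devname="FGT-Core" devid="FG81EPTK18005296" '
    'type="event" subtype="vpn" level="information" vd="root" action="ssl-login-fail" '
    'remip=10.12.102.18 user="test" msg="SSL user failed to log in"',
    # constructed: not a vpn message at all, dropped
    '<189>date=2021-11-10 time=16:50:00 devname="FGT-Core" devid="FG81EPTK18005296" '
    'type="event" subtype="system" level="notice" vd="root" action="login" '
    'user="admin" msg="Administrator admin logged in successfully from https(10.12.240.9)"',
]

if __name__ == "__main__":
    events, dropped = triage(SAMPLE_LINES)
    for ev in events:
        print(f"{ev['action']:<12} user={ev['user']} tunnelip={ev['tunnelip']} vd={ev['vd']}")
    print(f"{len(dropped)} message(s) would be dropped as 'failed to parse'")
```

Feed it lines copied out of output.master (the SyslogServer "received:" lines work as-is because the source-IP prefix is skipped): any line that comes back as dropped is one the plugin will never turn into a VPN session, so a client whose only messages are of that kind will not be registered no matter how clean the tcpdump looks.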

 

  6. Review output.master for messaging that indicates the syslog information was processed.

 

Example of successful FortinetVPN debug output:

 

yams INFO :: 2021-11-10 15:53:31:080 :: parseStr parsed FG81EPTK18005296 <-- FortiGate ID
yams INFO :: 2021-11-10 15:53:31:080 :: parseStr parsed 0101039947 <----- logID.
yams INFO :: 2021-11-10 15:53:31:080 :: parseStr parsed root <----- VDOM.
yams INFO :: 2021-11-10 15:53:31:080 :: parseStr parsed ssl-tunnel
yams INFO :: 2021-11-10 15:53:31:080 :: parseStr parsed 7
yams INFO :: 2021-11-10 15:53:31:080 :: parseStr parsed 10.12.102.18
yams INFO :: 2021-11-10 15:53:31:080 :: parseStr parsed 172.16.196.10 <----- endstation VPN IP.
yams INFO :: 2021-11-10 15:53:31:080 :: parseStr parsed test <----- User ID.

 

  7. Once troubleshooting is complete, disable debugging:

 

nacdebug -name FortinetVPN false
nacdebug -name SyslogServer false

 


 

Contact Support for further assistance. Open a support ticket and provide the following: