FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Staff
Article Id 251200
Description

This article describes how to fix the following behaviors observed after upgrading:

- FortiNAC Manager stops communicating with the managed servers.

- Primary Server stops communicating with the Secondary Server in a High Availability pair.

A solution is offered.

Scope

FortiNAC v9.1.10, v9.2.8, v9.4.3, FortiNAC-F v7.2.2 and greater.
Solution

Enhancements were made to the communication method between FortiNAC servers for security.

Due to this change, environments in which FortiNAC servers communicate with each other must have additional configuration in place.

All appliances must have the following:

- Key files containing certificates.

- The attribute security.allowedserialnumbers configured with the appropriate serial number list:

  - Manager(s): all serial numbers in the environment.

  - Managed servers: serial number(s) of the Manager(s)*.

  - Primary Servers: serial number(s) of the Manager(s), the Primary Server and the Secondary Server*.

  - Secondary Servers: the configuration is replicated from the Primary Server.

*Minimum requirements. For simplicity of configuration, the list can contain all serial numbers in the environment.

Requirements and pre-upgrade procedures can be found in the corresponding release notes:

v9.2.8:
https://docs.fortinet.com/document/fortinac/9.2.8/release-notes/95095/new-features-in-9-2-8

v9.1.10:
https://docs.fortinet.com/document/fortinac/9.1.10/release-notes/462435/new-features-in-9-1-10

v9.4.3:
https://docs.fortinet.com/document/fortinac/9.4.3/release-notes/777532/new-features-in-9-4-3

v7.2.2 (FortiNAC-F):
https://docs.fortinet.com/document/fortinac-f/7.2.2/release-notes/35540/whats-new-in-7-2-2

If the above requirements are not met:

- The Manager will be unable to communicate with the appliances. Selecting the Synchronize button in the Manager's Server List may display the error 'Hibernate Server not found'.

- Primary and Secondary Servers will not communicate.

- The Secondary Server UI is not accessible after it is enabled.

To fix the issue:

1) Check the allowed serial numbers list on the affected servers.

CentOS appliances: log in to the CLI as root and type:

globaloptiontool -name security.allowedserialnumbers

FortiNAC-OS appliances: log in to the CLI as admin and type:

execute enter-shell
globaloptiontool -name security.allowedserialnumbers

Example output:

globaloptiontool -name security.allowedserialnumbers
122 security.allowedserialnumbers: FNVM-Mxxxxxxx1,FNVM-Mxxxxxxx2,FNVM-CAxxxxx4

If the list is missing or incomplete, configure the appliance with a complete serial number list, passed to the -setRaw option as a single comma-separated value.

Example:

globaloptiontool -name security.allowedserialnumbers -setRaw "FNVM-Mxxxxxxx1,FNVM-Mxxxxxxx2,FNVM-CAxxxxx4,FNVM-CAxxxxx5,FNVM-CAxxxxx6"

FortiNAC Server example:

globaloptiontool -name security.allowedserialnumbers -setRaw "FNVM-Mxxxxxxx1,FNVM-Mxxxxxxx2"
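As an added example that is not part of the Fortinet article, the following POSIX shell script parses globaloptiontool output in the format shown above, reports which required serial numbers are missing from the configured list, and builds the corrective -setRaw command. It assumes only the output format and command name shown in the article; the serial numbers it uses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): audit the configured
# security.allowedserialnumbers value against the serial numbers that should
# be present, list what is missing, and build the corrective -setRaw command.
# Assumptions: output format "<n> security.allowedserialnumbers: A,B,C" and
# the globaloptiontool name come from the article; serials are placeholders.

# Extract the comma-separated list from captured globaloptiontool output.
# Prints nothing if no attribute line is present (attribute not configured).
parse_allowed() {
    printf '%s\n' "$1" |
        sed -n '/security\.allowedserialnumbers:/{s/^.*security\.allowedserialnumbers:[[:space:]]*//;s/[[:space:]]*$//;p;}'
}

# Print each required serial ($2, space separated) that is absent from the
# configured list ($1, comma separated). Matching is exact and case sensitive.
missing_serials() {
    for sn in $2; do
        case ",$1," in
            *",$sn,"*) ;;
            *) printf '%s\n' "$sn" ;;
        esac
    done
}

# Print the configured list ($1) extended with every required serial ($2) it
# lacks, keeping the existing order and adding no duplicates.
merged_list() {
    list=$1
    for sn in $2; do
        case ",$list," in
            *",$sn,"*) ;;
            *) list="${list:+$list,}$sn" ;;
        esac
    done
    printf '%s\n' "$list"
}

# Print the globaloptiontool command that would set the complete list.
remediation_command() {
    printf 'globaloptiontool -name security.allowedserialnumbers -setRaw "%s"\n' \
        "$(merged_list "$1" "$2")"
}

# Constructed sample: a Primary Server whose list lacks its Secondary Server.
SAMPLE_OUTPUT='122 security.allowedserialnumbers: FNVM-Mxxxxxxx1,FNVM-Mxxxxxxx2,FNVM-CAxxxxx4'
REQUIRED='FNVM-Mxxxxxxx1 FNVM-Mxxxxxxx2 FNVM-CAxxxxx4 FNVM-CAxxxxx5'
# On an appliance, replace SAMPLE_OUTPUT with the live value:
#   SAMPLE_OUTPUT=$(globaloptiontool -name security.allowedserialnumbers)
missing_serials "$(parse_allowed "$SAMPLE_OUTPUT")" "$REQUIRED"
remediation_command "$(parse_allowed "$SAMPLE_OUTPUT")" "$REQUIRED"
```

Run it on each Manager, managed server and Primary Server with REQUIRED set to that role's minimum list from the table above; an empty missing list means no change is needed.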

 

2) Check for certificates on the affected servers (applies to FortiNAC CentOS appliances only).

Administration UI method:

The System Summary dashboard widget should show 'Certificates = Yes'.

CLI method:

Virtual appliance: log in to the CLI as root and type:

licensetool

Physical appliance: log in to the CLI as root and type:

licensetool -key FILE -file /bsc/campusMgr/.licenseKeyHW

The response from either command should include an entry of the form:

"certificates =[xxxxxxxxxxxxxxxxxxx,xxxxxxxxxxxxxxxxxxx]"

If the output shows 'certificates = []', or there is no 'certificates' entry at all, keys with certificates must be installed.

See Importing License Key Certificates.