NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Article Id 197311
In certain cases,  the Persistent Agent is not seen as connected on the FortiNAC and the Agent does not do anything on the computer.

This article describes how to fix this issue.

There are different approaches to fix this kind of problem.

heck the general connectivity to the client.

- Is the client responding to ICMP echo requests (ping)?
- Is that possible to telnet to the clients IP on port 4568?
- Is any traffic seen between the Agent and FortiNAC?

The connection and tests have to be executed from the FortiNAC CLI directly.
In this example the client IP is

- Ping
- Telnet 4568.
- Tcpdump ‘port 4568 and host’.

One common problem is that the firewall on the client is blocking the communication to the system.

Also the client will contact an incorrect address.

This can be verified in a packet capture on the client (for example Wireshark) and also with the registry path:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Bradford Networks\Persistent Agent
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Bradford Networks\Persistent Agent

The 'homeServer' string holds the correct FQDN that is resolvable to the FortiNAC IP or it holds the IP of the FortiNAC directly.

If the connectivity is achieved, check on the client whether the logs indicate issues.

The persistent Agent logs are located in C:\ProgramData\Bradford Networks\ and the general.txt file will give more information about what is happening.

- Restart the Persistent Agent or the workstation completely and check what the logs are reporting.

One common problem is the SSL connection between Agent and FortiNAC.

This is visible in the logs for example:
2020-01-10 17:37:11 UTC :: SecureAgentTransportV1 constructor finished
adding KeyExpiredListener
2020-01-10 17:37:11 UTC :: Server: fortinac.forti.lab, tcp: 4568, udp: 4567
2020-01-10 17:37:11 UTC :: Host = fortinac.forti.lab
2020-01-10 17:37:11 UTC :: SSL_get_verify_result = 0
2020-01-10 17:37:11 UTC :: SSL Certificate verification result: ok
        Version: 3 (0x2)
        Serial Number:
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC=lab, DC=forti, CN=fortilab
            X509v3 CRL Distribution Points:

                Full Name:

            Authority Information Access:
                CA Issuers - URI:ldap:///CN=fortilab,DC=forti,DC=lab?cACertificate?base?objectClass=certificationAuthority

            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
    Signature Algorithm: sha256WithRSAEncryption


2020-01-10 17:37:11 UTC :: peer CommonName = NAC-NEW
2020-01-10 17:37:11 UTC :: SAN: nac.forti.lab
2020-01-10 17:37:11 UTC :: Checking Peer name fortinac.forti.local against Common or Subject-alternative-name entry NAC-lab
2020-01-10 17:37:11 UTC :: Peer name "fortinac.forti.lab" doesn't match  "NAC-lab"
2020-01-10 17:37:11 UTC :: Checking Peer name fortinac.forti.local against Common or Subject-alternative-name entry nac.forti.lab
2020-01-10 17:37:11 UTC :: Peer name "fortinac.forti.lab" doesn't match  "nac.forti.lab"
2020-01-10 17:37:11 UTC :: Refusing to connect to trust_DISTRUSTED fortinac.forti.local|NAC-lab
2020-01-10 17:37:11 UTC :: Connection failed! 1
This issue is found when the Client does not trust the certificate that has been used to sign the 'Portal SSL' certificate configured on the FortiNAC GUI settings.

To fix this either, change the certificate to a certificate that is already trusted by the client or export the signing certificate (also known as issuing certificate) and import it on the client into the trusted root certificate authority store.

Related link to the agent discovery process:

The following administration guide excerpt shows more information about the SSL portal settings where the certificates for encrypted communication are set:

Related Articles

Technical Note: Troubleshooting the Persistent Agent