FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu (Staff)
Article Id 242282

 

Description

This article describes how to troubleshoot the behavior where link state SNMP traps are not received by FortiNAC when a host connects to a managed FortiSwitch.

 

Symptoms:

- Host record does not appear online after connection.

- Link State trap events are not listed in FortiNAC.

- tcpdump from appliance CLI indicates traps are not received.

- Online status is updated after L2 poll of the FortiSwitch.

Scope

FortiNAC version: 8.x and later.
Solution

1) Verify the FortiSwitch is sending traps via the FortiSwitch CLI:


# diag sniffer packet any "udp and port 162"

 

The output should show the FortiSwitch sending traps to the FortiNAC IP address:


9.298683 <FortiSwitch IP address>.162 -> <FortiNAC IP address>.162: udp 184

 

2) If the FortiSwitch is sending traps, verify whether FortiNAC is receiving them by running tcpdump from the FortiNAC CLI. In FortiLink mode the traps are sourced from the FortiGate, so filter on the FortiGate address; for a standalone FortiSwitch, filter on the switch management IP:

 

FortiLink Mode:


tcpdump -nni any port 162 and host <FortiGate IP address>

 

Standalone:


tcpdump -nni any port 162 and host <FortiSwitch management IP address>


Example output for a FortiSwitch in FortiLink mode. The trap shows:

- Source IP is the FortiGate (10.12.240.2).
- Switch serial number (XXXXXXXXXXXXXX).
- Switch internal IP address (169.254.2.2).
- Port number (port5).
- Link state (linkUp).

 

13:02:16.847645 IP 10.12.240.2.673 > 10.12.240.7.162: C="fortinet" Trap(167) .1.3.6.1.4.1.12356.106 169.254.2.2 linkUp 502198510 .1.3.6.1.2.1.2.2.1.2.5="port5" .1.3.6.1.2.1.2.2.1.1.5=5 .1.3.6.1.2.1.2.2.1.7.5=1 .1.3.6.1.2.1.2.2.1.8.5=1 .1.3.6.1.4.1.12356.106.1.1.1.0="XXXXXXXXXXXXXX" .1.3.6.1.2.1.1.5.0="XXXXXXXXXXXXXX"

 

3) If FortiNAC is not receiving the traps, verify that the FortiGate policy configuration allows the SNMP trap traffic (UDP port 162) to reach FortiNAC. In the FortiGate GUI, navigate to Policy & Objects -> IPv4 Policy.

 

4) If FortiNAC is receiving the traps, verify that it is processing them by enabling the SNMPv1 debug from the FortiNAC CLI:

 

nacdebug -name SnmpV1 true

Disable the debug again with 'nacdebug -name SnmpV1 false' once troubleshooting is complete.

 

Example output:
- Source IP is the FortiGate (10.12.240.2).
- Switch serial number (XXXXXXXXXXXXXX).
- Switch internal IP address (169.254.2.2).
- Port number (5).
- Link state (linkUp, logged as Trap Def 0.3).

org.snmp4j.transport.DefaultUdpTransportMapping FINE :: 2019-09-30 13:02:16:847 :: Received message from /10.12.240.2/673 with length 186:

<...>

pdu=V1TRAP[reqestID=0,timestamp=58 days, 2:59:45.10,enterprise=1.3.6.1.4.1.12356.106,genericTrap=3,specificTrap=0, VBS[1.3.6.1.2.1.2.2.1.2.5 = port5; 1.3.6.1.2.1.2.2.1.1.5 = 5; 1.3.6.1.2.1.2.2.1.7.5 = 1; 1.3.6.1.2.1.2.2.1.8.5 = 1; 1.3.6.1.4.1.12356.106.1.1.1.0 = XXXXXXXXXXXXXX; 1.3.6.1.2.1.1.5.0 = XXXXXXXXXXXXXX ]], messageProcessingModel=0, securityName=fortinet, processed=false, peerAddress=10.12.240.2/673, transportMapping=org.snmp4j.transport.DefaultUdpTransportMapping@54f74762, tmStateReference=null]
yams.SnmpV1 FINER :: 2019-09-30 13:02:16:848 :: receiveTrap() ip = 169.254.2.2 version = 1 securityName = fortinet
YamsEvent:
Landscape = -1 FF:FF:FF:FF:FF:FF
ID = -1
State = Active
Name = 0.3
element type = Unknown
element ID = -1
element name = null
Date = 09/30/2019 13:02:16.848
Message = null
Number of Mib Elements = 9
NameValue:
Name = Trap Def
Value = 0.3
NameValue:
<...>
NameValue:
Name = AgentID
Value = 169.254.2.2

 

yams.SnmpV1 FINER :: 2019-09-30 13:02:16:848 :: receiveTrap() name = 0.3 ip = 169.254.2.2 dbid = 519 possibleEventTypes = 0.3
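The tcpdump line in step 2 and the nacdebug PDU in step 4 carry the same trap fields in two different layouts, and when troubleshooting it is the disagreement between them (wrong agent address, wrong ifIndex, a serial that does not match the device record) that matters. The following Python script is an added example, not part of the original article and not a FortiNAC tool: it decodes both captures, names the IF-MIB varbinds, and lists every field on which the wire view and FortiNAC's decode differ. The label `fsSerialNumber` for the Fortinet OID and the rule that FortiNAC's "Trap Def" is `<specificTrap>.<genericTrap>` are assumptions drawn from the output shown above; the sample lines are constructed from those captures, with the serial masked as on the page.

```python
"""Decode FortiSwitch link-state traps from the tcpdump (step 2) and nacdebug
(step 4) output shown above, and check that both describe the same event."""
import re

# IF-MIB / SNMPv2-MIB OIDs, plus the Fortinet OID that carried the switch
# serial in the capture above ("fsSerialNumber" is an assumed label).
OID_NAMES = {
    "1.3.6.1.2.1.1.5": "sysName",
    "1.3.6.1.2.1.2.2.1.1": "ifIndex",
    "1.3.6.1.2.1.2.2.1.2": "ifDescr",
    "1.3.6.1.2.1.2.2.1.7": "ifAdminStatus",
    "1.3.6.1.2.1.2.2.1.8": "ifOperStatus",
    "1.3.6.1.4.1.12356.106.1.1.1": "fsSerialNumber",
}
# SNMPv1 generic-trap codes (RFC 1157).
GENERIC_TRAPS = {0: "coldStart", 1: "warmStart", 2: "linkDown", 3: "linkUp",
                 4: "authenticationFailure", 5: "egpNeighborLoss", 6: "enterpriseSpecific"}
GENERIC_CODES = {name: code for code, name in GENERIC_TRAPS.items()}

# tcpdump -nn: IP <src>.<sport> > <dst>.162: C="<community>" Trap(<len>) <enterprise>
#   <agent-addr> <generic-trap> [s=<specific>, enterprise-specific only] <uptime> <oid>=<value> ...
TCPDUMP_RE = re.compile(
    r'IP (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.162: C="(?P<community>[^"]*)" '
    r"Trap\(\d+\) (?P<enterprise>[\d.]+) (?P<agent>[\d.]+) (?P<generic>\w+)"
    r"(?: s=(?P<specific>\d+))? \d+ (?P<vbs>.*)$")
TCPDUMP_VB_RE = re.compile(r'(\.[\d.]+)=("[^"]*"|\S+)')
# snmp4j's V1TRAP toString as logged by nacdebug, and the receiveTrap() line that
# carries the agent address FortiNAC resolves against its device records.
NACDEBUG_RE = re.compile(
    r"genericTrap=(?P<generic>\d+),specificTrap=(?P<specific>\d+), VBS\[(?P<vbs>[^\]]*)\]"
    r".*?peerAddress=(?P<peer>[\d.]+)/\d+")
NACDEBUG_VB_RE = re.compile(r"([\d.]+) = ([^;]+)")
AGENT_RE = re.compile(r"receiveTrap\(\) ip = ([\d.]+)")


def _coerce(raw):
    value = raw.strip().strip('"')
    return int(value) if value.isdigit() else value


def decode_varbinds(pairs):
    """Name each OID by its longest known prefix; the trailing instance (ifIndex
    for ifTable columns, .0 for scalars) is dropped. Unknown OIDs are kept as-is."""
    out = {}
    for oid, raw in pairs:
        oid = oid.lstrip(".")
        known = [p for p in OID_NAMES if oid == p or oid.startswith(p + ".")]
        out[OID_NAMES[max(known, key=len)] if known else oid] = _coerce(raw)
    return out


def trap_def(specific, generic):
    # FortiNAC's "Trap Def" key. Inferred from the output above, where
    # genericTrap=3/specificTrap=0 is logged as 0.3; the rule is an assumption.
    return f"{specific}.{generic}"


def parse_tcpdump_trap(line):
    """One SNMPv1 trap line from 'tcpdump -nn ... port 162' (what was on the wire)."""
    m = TCPDUMP_RE.search(line)
    if not m:
        raise ValueError("not an SNMPv1 trap line from tcpdump -nn")
    generic = GENERIC_CODES.get(m["generic"], -1)
    return {"sender": m["src"], "agent": m["agent"], "community": m["community"],
            "trap": m["generic"], "trap_def": trap_def(int(m["specific"] or 0), generic),
            "varbinds": decode_varbinds(TCPDUMP_VB_RE.findall(m["vbs"]))}


def parse_nacdebug_trap(log):
    """The same trap as FortiNAC logged it with 'nacdebug -name SnmpV1 true'."""
    m = NACDEBUG_RE.search(log)
    if not m:
        raise ValueError("no V1TRAP pdu found in nacdebug output")
    agent = AGENT_RE.search(log)
    generic, specific = int(m["generic"]), int(m["specific"])
    return {"sender": m["peer"], "agent": agent.group(1) if agent else None,
            "trap": GENERIC_TRAPS.get(generic, f"gt={generic}"),
            "trap_def": trap_def(specific, generic),
            "varbinds": decode_varbinds(NACDEBUG_VB_RE.findall(m["vbs"]))}


def compare_captures(wire, nac):
    """Fields on which the wire capture and FortiNAC's decode disagree; an empty
    list means FortiNAC received and decoded exactly what the switch sent."""
    diffs = [f"{k}: wire={wire[k]!r} nac={nac[k]!r}"
             for k in ("sender", "agent", "trap_def") if wire[k] != nac[k]]
    for k in ("ifIndex", "ifDescr", "ifOperStatus", "fsSerialNumber"):
        if wire["varbinds"].get(k) != nac["varbinds"].get(k):
            diffs.append(f"{k}: wire={wire['varbinds'].get(k)!r} nac={nac['varbinds'].get(k)!r}")
    return diffs


# Constructed samples, copied from the captures above (serial masked as on the page).
SAMPLE_TCPDUMP = (
    '13:02:16.847645 IP 10.12.240.2.673 > 10.12.240.7.162: C="fortinet" Trap(167) '
    '.1.3.6.1.4.1.12356.106 169.254.2.2 linkUp 502198510 .1.3.6.1.2.1.2.2.1.2.5="port5" '
    '.1.3.6.1.2.1.2.2.1.1.5=5 .1.3.6.1.2.1.2.2.1.7.5=1 .1.3.6.1.2.1.2.2.1.8.5=1 '
    '.1.3.6.1.4.1.12356.106.1.1.1.0="XXXXXXXXXXXXXX" .1.3.6.1.2.1.1.5.0="XXXXXXXXXXXXXX"')
SAMPLE_NACDEBUG = (
    "pdu=V1TRAP[reqestID=0,timestamp=58 days, 2:59:45.10,enterprise=1.3.6.1.4.1.12356.106,"
    "genericTrap=3,specificTrap=0, VBS[1.3.6.1.2.1.2.2.1.2.5 = port5; 1.3.6.1.2.1.2.2.1.1.5 = 5; "
    "1.3.6.1.2.1.2.2.1.7.5 = 1; 1.3.6.1.2.1.2.2.1.8.5 = 1; 1.3.6.1.4.1.12356.106.1.1.1.0 = "
    "XXXXXXXXXXXXXX; 1.3.6.1.2.1.1.5.0 = XXXXXXXXXXXXXX ]], messageProcessingModel=0, "
    "securityName=fortinet, processed=false, peerAddress=10.12.240.2/673, tmStateReference=null]\n"
    "yams.SnmpV1 FINER :: 2019-09-30 13:02:16:848 :: receiveTrap() ip = 169.254.2.2 version = 1\n")

if __name__ == "__main__":
    wire, nac = parse_tcpdump_trap(SAMPLE_TCPDUMP), parse_nacdebug_trap(SAMPLE_NACDEBUG)
    print("wire:", wire)
    print("nac: ", nac)
    print("mismatches:", compare_captures(wire, nac) or "none")
```

Paste a real `tcpdump -nn` line and the matching `pdu=V1TRAP[...]` / `receiveTrap()` lines from the appliance in place of the samples; a non-empty mismatch list, or an agent address that is not the switch's address in the FortiNAC model (169.254.x.x for a FortiLink-managed switch), points at the trap being received but attributed to the wrong device rather than at a delivery problem.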


5) Once the trap is processed, FortiNAC runs an L2 poll of the switch to read its forwarding (MAC address) table and update the database:

 

yams.BridgeManager INFO :: 2019-09-30 13:02:27:689 ::
********** sup-fgt-hw 10.12.240.2 PollThread-poll0 172 **********
readForwardingDatabase 0.833 Seconds
old client count = 0
lost client count = 0
new client count = 0
Done update Clients 0.836 Seconds
Link Up interface count = 1
-3235441
Add Back to Queue = true
Link Up Retry Count = 1
Queue Size = 1
********************************************


6) If the traps are processed and the L2 poll starts but fails, see the related article:

Troubleshooting Poll Failures

 
