Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
JaapHoetmer
New Contributor III

FG not sending logs to FAZ

Hi there

I have several FGs already sending logs to a FAZ, over ipsec connections, but I am having issues adding a new FW.

The logging is configured using the correct source-ip address, I have successfully checked sending pings from the FG to the FAZ using the source-ip option, and diag sniffer shows the flow of packets, albeit with RSTs in the flow. The FG definition is added to the FAZ, still, the FG reports it can't communicate with the FAZ.

 

config log fortianalyzer setting set status enable set source-ip 192.168.24.1 set server 192.168.40.15 set reliable enable end

MIN-FW-001 # exec log fortianalyzer test-connectivity Failed to get FAZ's status.

The sniffer flow from the test-connectivity command:

MIN-FW-001 # diag sniffer packet any "host 192.168.40.15" 4 interfaces=[any] filters=[host 192.168.40.15] 1303.708288 ipsec_CT out 192.168.24.1.1364 -> 192.168.40.15.514: syn 4266655446 1303.724212 ipsec_CT in 192.168.40.15.514 -> 192.168.24.1.1364: syn 1201754132 ack 4266655447 1303.724493 ipsec_CT out 192.168.24.1.1364 -> 192.168.40.15.514: ack 1201754133 1303.726584 ipsec_CT out 192.168.24.1.1364 -> 192.168.40.15.514: psh 4266655447 ack 1201754133 1303.742509 ipsec_CT in 192.168.40.15.514 -> 192.168.24.1.1364: ack 4266655740 1303.745975 ipsec_CT in 192.168.40.15.514 -> 192.168.24.1.1364: psh 1201756905 ack 4266655740 1303.746874 ipsec_CT out 192.168.24.1.1364 -> 192.168.40.15.514: ack 1201754133 1313.722355 ipsec_CT out 192.168.24.1.1364 -> 192.168.40.15.514: fin 4266655740 ack 1201754133 1313.738176 ipsec_CT in 192.168.40.15.514 -> 192.168.24.1.1364: fin 1201756914 ack 4266655741 1313.738539 ipsec_CT out 192.168.24.1.1364 -> 192.168.40.15.514: rst 4266655741

 

Any ideas? Why the RST packets?

As the RST breaks the session, diag debug flow shows 'no session matched' messages after the RSTs appear.

 

Thanks

 

Kind regards, Jaap
7 REPLIES 7
emnoc
Esteemed Contributor III

 

Things to check

 

1: Are you going out the right interface ( check  route, route-table )

 

2: Any FAZ limits or capacity ( review systems logs )

 

3: can you reboot the FAZ

 

4: can you run a packet capture on  at the FAZ

 

 

PCNSE 

NSE 

StrongSwan  

JaapHoetmer
New Contributor III

Thanks for the help emnoc.

 

[ol]
  • Routing seems to be ok, as indicated by the handshake and exchange in the sniffer trace above, and as per routing table.
  • Checked for FAZ limits, no problem there.
  • Tried to reboot the FAZ to no avail, as the problem persists after the reboot.
  • I'll try that packet capture on the FAZ. I'll also run a sniffer trace on the peer firewall.[/ol]

    Thanks

     

  • Kind regards, Jaap
    MrSinners

    You could try the following debugging on the fortigate to see if there are errors in the communication between the FG and the FAZ:

     

    # diagnose debug enable # diagnose debug application miglogd -1

    JaapHoetmer

    Thanks MrSinners, that helped. An error message appeared related to the SSL connection:

     

    miglog_faz_connect()-371: oftp_connect(global-faz) failed: ssl_connect() failed: 5

     

    Turns out there's an issue with the SSL certs on the FAZ, when I disabled the encryption on the FG it started to work:

     

    set enc-algorithm disable

     

    However, the other FGs still use SSL so I guess they use a different but valid certificate. I am not even sure where the certificate is specified for the FG logging.

     

    Thanks, you guys are great.

    Kind regards, Jaap
    emnoc
    Esteemed Contributor III

    You can set the  local system cert from the cli

     

    e.g

    config  system  certificate local

     

     

    but did you try setting  the ssl protocol or types in the config global setup

     

    config system global

     set enc-algorithm  low ( not ideal but )

      ssl-low-encryption enable

    end

     

    PCNSE 

    NSE 

    StrongSwan  

    AtiT
    Valued Contributor

    Hello JaapHoetmer,

     

    Could you post here the FAZ and the FGT version? In your first post you wrote: "I have several FGs already sending logs to a FAZ, over ipsec connections,..." This FortiGate should also send logs over IPSec? If yes, your settings in the first post is for SSL.

    For IPSec you need to disable enc-alogrithm: # config log fortianalyzer setting # set enc-algorithm disable

    then you need enable IPsec encryption: # set encrypt enable

    and also set the local ID and PSK according to the FortiAnalyzer settings: # set localid <set_the_ID> # set psksecret <set_the_PSK>

    But probably you mean that you have IPSec connection established to somewhere and sending logs over this IPSec. Your FGT is usig default encryption for OFTP set enc-algorithm default as not shown in your config under config log fortianalyzer setting.

    Could you check the FAZ settings what encryption level is allowed? Use the get sys global on the FAZ and check the encryption algorithm: enc-algorithm : low

     

    The enc-algorithm on the FGT should be the same or higher than on the FAZ.

     

    AtiT
    --------------------
    NSE 8, CCNP R+S

    MikePruett
    Valued Contributor

    Do what AtiT recommends and you should be golden. I always set mine up this way and it seems to work better than using the default algorithm settings.