Support Forum
Daryaya
New Contributor

connectivity issues between FortiGate and FortiManager

# diagnose fdsm central-mgmt-status
Connection status: Down
Registration status: Unknown

 

I can ping FMG and I have already enabled FMG-access on the interface. 

 

Is there a diagnose command that I could use to find out what the issue could be?

 

Thanks

nicerobot_FTNT

Usual suspects: TCP ports. Make sure TCP541 is allowed if there are any devices in between with ACLs.

 

See allowed inbound/outbound ports:

https://docs.fortinet.com...cols/969270/open-ports

 

Other issues: You might want to check to see if there are fragmentation issues with the connection between FGT and FMG. I've seen it cause issues in FortiGates hosted on DSL lines.

---

Opinions expressed are my own and may not represent the official opinion of my employer.

Yurisk

Ping is a good start, but verify they exchange port 514 TCP packets freely:

diag sniffer packet any 'port 514' 4

And if it seems like they do, run debug to see inside this port 514 communication:

diag deb app fgfm 255 

diag deb enable

 

When it is ok you get Response 200, see example here https://yurisk.info/2020/07/19/fortigate-to-fortimanager-tunnel-connection-debug/ 

 

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
Daryaya
New Contributor

I can't see port 514 packets being exchanged with FortiAnalyzer but not with FortiManager.

Daryaya

I added the system central-management config again and now it's connected to FMG, however it is on port dmz. How can I force this to connect to FMG via the wan port?

 

I set 'set fmg-source-ip' to my WAN IP address, but still all the communication is from port DMZ.

 

nicerobot_FTNT

You're on the right track:

 

config system central-management
    set fmg "192.168.45.220"
    set fmg-source-ip 192.168.45.1
end

(this was previously set fmg-source-ip 0.0.0.0)

 

Then I reimported the config from the FortiManager since it was out of sync.

Now I see this from the FMG:

fmg.forttlab222.com # diag sniffer packet port1 'host 192.168.45.1 and tcp port 541'
interfaces=[port1]
filters=[host 192.168.45.1 and tcp port 541]
4.961567 192.168.45.1.2043 -> 192.168.45.220.541: psh 424943148 ack 1274271872
4.961691 192.168.45.220.541 -> 192.168.45.1.2043: psh 1274271872 ack 424943289
4.961853 192.168.45.1.2043 -> 192.168.45.220.541: ack 1274271953
10.061796 192.168.45.1.2043 -> 192.168.45.220.541: psh 424943289 ack 1274271953
...

---

Opinions expressed are my own and may not represent the official opinion of my employer.

Daryaya

I ran the sniffer from the FortiManager but I can't see any traffic hitting the FortiManager.

From my firewall, the firewall is sending out the TCP SYN traffic to the FMG.
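The two captures in this thread show the two outcomes you care about: an established session with data flowing both ways (the FMG capture above) and a FortiGate that sends SYN and gets nothing back. The script below is an added example, not code from this thread or from Fortinet: it parses verbosity-4 `diag sniffer packet` lines (the format shown above), groups them into client-to-FMG flows on TCP/541, and reports per flow whether the handshake completed, got no reply, or was refused. The FMG lines in the sample are copied from the capture above; the SYN-retransmit and RST lines, the verdict names and the hint texts are constructed for the example.

```python
import re
from collections import defaultdict

# Matches one verbosity-4 line of "diag sniffer packet" output as shown in this
# thread: "<ts> <src>.<sport> -> <dst>.<dport>: <flags and seq/ack numbers>".
# Assumption: the "interfaces=[...] filters=[...]" header does not match and is skipped.
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)

TCP_FLAGS = {"syn", "ack", "psh", "fin", "rst"}

# Constructed sample. The first packet lines are copied from the FMG capture in
# this thread (a healthy session); the 10.10.20.5 lines are made up to show a
# FortiGate retransmitting SYN to TCP/541 without ever getting an answer.
SAMPLE = """\
interfaces=[port1] filters=[host 192.168.45.1 and tcp port 541]
4.961567 192.168.45.1.2043 -> 192.168.45.220.541: psh 424943148 ack 1274271872
4.961691 192.168.45.220.541 -> 192.168.45.1.2043: psh 1274271872 ack 424943289
4.961853 192.168.45.1.2043 -> 192.168.45.220.541: ack 1274271953
12.000100 10.10.20.5.3181 -> 192.168.45.220.541: syn 1884021
15.000200 10.10.20.5.3181 -> 192.168.45.220.541: syn 1884021
21.000300 10.10.20.5.3181 -> 192.168.45.220.541: syn 1884021
"""

# Hint texts are the author's own wording for this example, not Fortinet guidance.
HINTS = {
    "established": "handshake done or data both ways; the FGFM transport is fine",
    "syn-no-reply": "SYN sent, nothing back: check routing, any ACL on TCP/541 in "
                    "between, and the source IP/interface (fmg-source-ip)",
    "refused": "peer answered with RST: reachable, but nothing accepting on that port",
    "inconclusive": "only one-sided or mid-stream packets seen; capture longer",
}


def parse_line(line):
    """Return a dict for one packet line, or None for headers and other noise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    flags = {tok for tok in m.group("rest").split() if tok in TCP_FLAGS}
    return {
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "flags": flags,
    }


def verdict(st):
    """Classify one flow from the counters collected in assess_flows()."""
    if st["synack"] > 0 or (st["fwd_data"] > 0 and st["rev_data"] > 0):
        return "established"
    if st["syn"] > 0 and st["rev"] == 0:
        return "syn-no-reply"
    if st["rst"] > 0:
        return "refused"
    return "inconclusive"


def assess_flows(lines, service_port=541):
    """Group packets into flows keyed by (client_ip, client_port, server_ip,
    server_port), where the server side is whichever end uses service_port,
    and return a verdict string per flow."""
    states = defaultdict(lambda: defaultdict(int))
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p["dport"] == service_port:          # client -> FMG direction
            key, fwd = (p["src"], p["sport"], p["dst"], p["dport"]), True
        elif p["sport"] == service_port:        # FMG -> client direction
            key, fwd = (p["dst"], p["dport"], p["src"], p["sport"]), False
        else:
            continue
        st, f = states[key], p["flags"]
        if fwd:
            if "syn" in f and "ack" not in f:
                st["syn"] += 1                  # initial SYN (or a retransmit)
            if "psh" in f:
                st["fwd_data"] += 1
        else:
            st["rev"] += 1                      # anything at all coming back
            if "syn" in f and "ack" in f:
                st["synack"] += 1
            if "psh" in f:
                st["rev_data"] += 1
            if "rst" in f:
                st["rst"] += 1
    return {key: verdict(st) for key, st in states.items()}


if __name__ == "__main__":
    for (cip, cport, sip, sport), v in assess_flows(SAMPLE.splitlines()).items():
        print(f"{cip}:{cport} -> {sip}:{sport}: {v} ({HINTS[v]})")
```

Run it against a capture saved from either side: on the FMG, a flow that is only ever "syn-no-reply" from the FortiGate's expected source IP means the SYN never arrived or left through a different interface (compare the source address with what `fmg-source-ip` should produce); on the FortiGate, the same verdict with the right source IP points at routing or a device in between dropping TCP/541.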

boneyard
Valued Contributor

That does sound like a routing issue or another firewall in between.

 

Virtual FortiManager? Does the virtual environment's interface mapping perhaps cause issues?

sw2090
Honored Contributor

In my case the solution was easier. Just wanted to let you know, in case anyone stumbles across this.

My FGT sends logs to (and communicates with) FMG via an IPsec tunnel that is established between the onsite FGT and the HQ FGT (where the FMG is). Routing and policies were all fine.

Finally the packet sniffer showed me the problem: FortiAnalyzer on the FGT was simply using a completely wrong source interface (it was set to auto and detected that, for whatever reason), so packets did go the right way to FMG completely but had a totally wrong source IP address because of that.

This however did not affect the rest of the FortiManager communication. Rolling out device config or a policy package to the FGT, or retrieving a config from the FGT, worked fine all the time. It only affected the FortiAnalyzer.

Setting the FMG source IP on the CLI did not help at all, but once I manually set the correct source interface in the log settings on the FGT it started working like a charm...

 

Sometimes the solution is easier than you think ;)

 

cheers

Sebastian

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
