ichasovshik
New Contributor II

Can't connect FGT to FAZ

Hi Guys,

 

Can't connect FGT (ver: 6.0.5) to FAZ (ver: 6.2.1 FortiAnalyzer); the connectivity test fails.

 

FGT has been added to FAZ devices.

exec log fortianalyzer test-connectivity
Failed to get FAZ's status. SSL error. (-3)

 

Capture shows that FAZ is sending an RST back to FGT:

 

66.345323 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: syn 1195392681
66.345952 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: syn 1231566839 ack 1195392682
66.346003 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: ack 1231566840
66.346728 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: psh 1195392682 ack 1231566840
66.346857 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: psh 1231566840 ack 1195392682
66.346885 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: ack 1231567207
66.346990 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: ack 1195392843
66.347044 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: psh 1195392843 ack 1231567207
66.347382 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: ack 1195392850
67.349171 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: rst 1231567207 ack 1195392850   << FAZ sending RST

 

Debug messages:

 

FortiGate-VM64 # diagnose debug enable
FortiGate-VM64 # diagnose debug application miglogd -1
Debug messages will be on for 30 minutes.

 

FortiGate-VM64 # <158> _rmt_connect()-1289: oftp_connect(global-faz) failed: ssl_connect() failed: 5.
<124> _rmt_connect()-1289: oftp_connect(global-faz) failed: ssl_connect() failed: 5.
<158> __handle_logs()-1236: 1212 bytes received
<158> send_report_log_buffer()-73: Fail to sent logs to reportd. err:111(Connection refused)
<124> __check_vdom_disk_usage()-2508: vfid:0 vd quota:100 total used:0
<158> __handle_logs()-1236: 2328 bytes received
<158> _rmt_connect()-1289: oftp_connect(global-faz) failed: ssl_connect() failed: 5.
<124> _rmt_connect()-1289: oftp_connect(global-faz) failed: ssl_connect() failed: 5.

 

Any idea? 

Thank you for your input and help!
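
As an added example, not part of the original post or of any Fortinet tool, the Python below parses the FortiGate sniffer output quoted in the post, rebuilds the 541/tcp flow, counts the payload bytes each side got acknowledged, and reports which end sent the RST. The verdict strings are my own diagnostic wording, not FortiOS output.

```python
import re
from collections import namedtuple
OFTP_PORT = 541  # FortiAnalyzer log/OFTP listener the FortiGate connects to
LINE_RE = re.compile(r"^(\d+\.\d+)\s+\S+\s+(?:in|out)\s+[\d.]+\.(\d+)\s+->\s+[\d.]+\.(\d+):\s+(.*)$")
Pkt = namedtuple("Pkt", "ts sport dport flags seq ack")
# Capture lines quoted from the original post ('diagnose sniffer packet' output on the FortiGate).
SAMPLE = """\
66.345323 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: syn 1195392681
66.345952 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: syn 1231566839 ack 1195392682
66.346003 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: ack 1231566840
66.346728 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: psh 1195392682 ack 1231566840
66.346857 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: psh 1231566840 ack 1195392682
66.346885 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: ack 1231567207
66.346990 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: ack 1195392843
66.347044 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: psh 1195392843 ack 1231567207
66.347382 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: ack 1195392850
67.349171 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: rst 1231567207 ack 1195392850
"""
def parse_sniffer(text):
    # One Pkt per sniffer line: 'ack N' is the ack number, 'syn/psh/fin/rst N' the sequence number.
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, sport, dport, rest = m.groups()
        seq = re.search(r"\b(?:syn|psh|fin|rst) (\d+)", rest)
        ack = re.search(r"\back (\d+)", rest)
        pkts.append(Pkt(float(ts), int(sport), int(dport), frozenset(re.findall(r"[a-z]+", rest)),
                        int(seq[1]) if seq else None, int(ack[1]) if ack else None))
    return pkts

def diagnose(pkts):
    # Did TCP come up, how many payload bytes did each side get acknowledged, and who sent the RST?
    to_faz = [p for p in pkts if p.dport == OFTP_PORT]
    from_faz = [p for p in pkts if p.sport == OFTP_PORT]
    fgt_isn = next((p.seq for p in to_faz if p.flags == {"syn"}), None)
    faz_isn = next((p.seq for p in from_faz if {"syn", "ack"} <= p.flags), None)
    rst_from = next(("FAZ" if p.sport == OFTP_PORT else "FGT" for p in pkts if "rst" in p.flags), None)
    if fgt_isn is None or faz_isn is None:
        return {"tcp_handshake": False, "verdict": "no TCP session on 541: check routing, policy and the FAZ listener"}
    # Payload bytes a side got acknowledged = highest ack seen from the peer - that side's ISN - 1 (the SYN)
    fgt_bytes = max((p.ack for p in from_faz if p.ack is not None), default=fgt_isn + 1) - fgt_isn - 1
    faz_bytes = max((p.ack for p in to_faz if p.ack is not None), default=faz_isn + 1) - faz_isn - 1
    if rst_from and faz_bytes:  # both sides sent TLS records before the reset, as in the original post
        verdict = ("TLS exchange started, then %s reset it: compare enc-algorithm, oftp-ssl-protocol "
                   "and ssl-min-proto-version on both sides" % rst_from)
    else:
        verdict = "reset before FAZ sent any data" if rst_from else "session still open at end of capture"
    return dict(tcp_handshake=True, fgt_bytes=fgt_bytes, faz_bytes=faz_bytes, rst_from=rst_from, verdict=verdict)
```

On the post's capture this reports 168 bytes acknowledged from the FGT, 367 from the FAZ and the RST coming from the FAZ, i.e. the TCP and first TLS flight are fine and the problem sits in the TLS policy, not in reachability.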

1 Solution
genar

Hi guys,

I am having the same issue with my lab on VM workstation, with the same error message.

But now it is solved for me.

This is my config:

 

On FortiGate:

FortiGate-VM64-1 # config log fortianalyzer setting

FortiGate-VM64-1 (setting) # set status enable

FortiGate-VM64-1 (setting) # set server 172.16.10.250

FortiGate-VM64-1 (setting) # set reliable enable

FortiGate-VM64-1 (setting) # get
status : enable
ips-archive : enable
server : 172.16.10.250
certificate-verification: enable
serial :
access-config : enable
enc-algorithm : low
ssl-min-proto-version: default
conn-timeout : 10
monitor-keepalive-period: 5
monitor-failure-retry-period: 5
certificate :
source-ip :
upload-option : 5-minute
reliable : enable

 

On FAZ:

FAZVM64 # config system global

(global)# set enc-algorithm low

(global)# set ssl-low-encryption enable

(global)# set oftp-ssl-protocol tlsv1.0

(global)# end
enc-algorithm setting change will cause all existing FGFM tunnel/WebService connection reset. Do you want to continue? (y/n)y
killall: fgfmsd: no process killed
killall: fgfmsd: no process killed

FAZVM64 #

 

I hope this works for you ;)

Thank You

 

Regards

Genar


JimDiGriz
New Contributor

Hi guys, looking for your support with FG 5.6.12 connecting to FAZ v6.4.6.

FAZ:

config system global
    set adom-mode advanced
    set adom-status enable
    set daylightsavetime disable
    set hostname "xxxxx"
    set latitude "0"
    set log-forward-cache-size 4
    set longitude "180"
    set oftp-ssl-protocol tlsv1.0
    set ssl-protocol tlsv1.2 tlsv1.1 tlsv1.0
    set timezone 89
    set webservice-proto tlsv1.2 tlsv1.1 tlsv1.0

 

FG:

config log fortianalyzer setting
    set status enable
    set ips-archive enable
    set server "10.12.0.100"
    set enc-algorithm low
    set conn-timeout 10
    set monitor-keepalive-period 5
    set monitor-failure-retry-period 5
    set certificate ''
    set source-ip "172.20.1.12"
    set upload-option realtime
    set reliable disable

 

When testing:

execute log fortianalyzer test-connectivity
Failed to get FAZ's status. Authentication Failed. (-19)

 

In FAZ there is no "unauthorized devices". Tried to reboot the FAZ and different enc/oftp settings - no luck. 

 

In debug mode I noticed this error:

2021-07-17 19:03:57 [__SSL_info_callback:296] SSL negotiation finished successfully [ protocol : (771) TLS 1.2 ]
2021-07-17 19:03:57 [find_add_logdev:1941 FGxxxxxx] Warn Couldn't register DVM device due to can not register this device, error code -1002

 

And no clue what code -1002 means; Google did not help.

 

Has anyone met with such an issue?

ping and tcp-514 are running well, no blocks.

dcrespi
New Contributor

Thank you, works like a charm :)

net_doc
New Contributor

This saved me a whole lot of time. Thanks genar! This works well in VirtualBox and GNS3.

FortC
New Contributor II

It works on my VM workstation lab too. All VMs were using the free perm trial license.

FAZ v7.2.1

FTG v7.2.3

I can even disable reliable connection (set reliable disable) on FortiGate.

Thank you genar. The FortiGate official admin guide doesn't talk about it, and neither does the technical tip. The best official source I found is this: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Connectivity-issue-between-FortiGate-and/t...

ChrisBla16

Genar, Thank you so much

I changed some lines based on your code and it worked

 

[Attachment: FAZ Solved.jpg]

 

stupid-dumb-idiot

thank u!!!

ichasovshik
New Contributor II

Thank you Frosty!

 

Do you recall what the command was on FGT?

These are my current settings:

FortiGate-VM64 # get log fortianalyzer setting
status : enable
ips-archive : enable
server : 172.16.x.x
enc-algorithm : low
ssl-min-proto-version: default
conn-timeout : 10
monitor-keepalive-period: 5
monitor-failure-retry-period: 5
certificate :
source-ip :
upload-option : realtime
reliable : enable

 

How do I make sure that encryption is enabled?

 

Thank you!

Isxaaq
New Contributor II

Many thanks @genar. This worked for me so well.

Kind regards

Isxaaq
