Hi Guys,
Can't connect FGT (ver:6.0.5) to FAZ (ver: 6.2.1 FortiAnalyzer), connectivity test fails;
FGT has been added to FAZ devices;
exec log fortianalyzer test-connectivity
Failed to get FAZ's status. SSL error. (-3)
Capture shows that FAZ sending RST back to FGT:
66.345323 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: syn 1195392681
66.345952 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: syn 1231566839 ack 1195392682
66.346003 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: ack 1231566840
66.346728 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: psh 1195392682 ack 1231566840
66.346857 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: psh 1231566840 ack 1195392682
66.346885 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: ack 1231567207
66.346990 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: ack 1195392843
66.347044 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: psh 1195392843 ack 1231567207
66.347382 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: ack 1195392850
67.349171 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: rst 1231567207 ack 1195392850   << FAZ sending RST
Debug messages:
FortiGate-VM64 # diagnose debug enable
FortiGate-VM64 # diagnose debug application miglogd -1
Debug messages will be on for 30 minutes.
FortiGate-VM64 # <158> _rmt_connect()-1289: oftp_connect(global-faz) failed: ssl_connect() failed: 5.
<124> _rmt_connect()-1289: oftp_connect(global-faz) failed: ssl_connect() failed: 5.
<158> __handle_logs()-1236: 1212 bytes received
<158> send_report_log_buffer()-73: Fail to sent logs to reportd. err:111(Connection refused)
<124> __check_vdom_disk_usage()-2508: vfid:0 vd quota:100 total used:0
<158> __handle_logs()-1236: 2328 bytes received
<158> _rmt_connect()-1289: oftp_connect(global-faz) failed: ssl_connect() failed: 5.
<124> _rmt_connect()-1289: oftp_connect(global-faz) failed: ssl_connect() failed: 5.
Any idea?
Thank you for your input and help!
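The sniffer output above already contains the answer to "is this a network problem or a TLS problem": the three-way handshake completes, both sides exchange a few application-layer segments, and only then does the FAZ reset the session. The following script is an added example (not from the original post or from Fortinet) that parses FortiGate sniffer lines of this exact format, recovers the payload size of each data segment from the acknowledgement numbers, and reports who tore the session down and when. The embedded capture is the one from the post, restored to one packet per line; the OFTP server port 541 is taken from that capture.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the FortiGate sniffer lines quoted in the post above,
# one packet per line (FAZ is 172.16.102.247, listening on TCP/541).
SAMPLE_CAPTURE = """\
66.345323 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: syn 1195392681
66.345952 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: syn 1231566839 ack 1195392682
66.346003 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: ack 1231566840
66.346728 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: psh 1195392682 ack 1231566840
66.346857 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: psh 1231566840 ack 1195392682
66.346885 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: ack 1231567207
66.346990 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: ack 1195392843
66.347044 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: psh 1195392843 ack 1231567207
66.347382 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: ack 1195392850
67.349171 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: rst 1231567207 ack 1195392850
"""

# "<ts> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <flags and numbers>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<flags>.+)$"
)
TCP_FLAGS = {"syn", "ack", "psh", "fin", "rst"}


@dataclass
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset
    seq: Optional[int]  # number printed after syn/psh/fin/rst
    ack: Optional[int]  # number printed after ack


def parse_sniffer(text: str) -> List[Packet]:
    """Parse FortiGate sniffer summary lines into Packet objects; non-matching lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        toks = m["flags"].split()
        flags, seq, ack = set(), None, None
        i = 0
        while i < len(toks):
            tok = toks[i].lower()
            if tok in TCP_FLAGS:
                flags.add(tok)
                # a flag may be followed by its number: 'ack N' is the ack number, others carry the seq
                if i + 1 < len(toks) and toks[i + 1].isdigit():
                    if tok == "ack":
                        ack = int(toks[i + 1])
                    else:
                        seq = int(toks[i + 1])
                    i += 1
            i += 1
        packets.append(Packet(float(m["ts"]), m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                              frozenset(flags), seq, ack))
    return packets


def analyze_flow(packets: List[Packet], server_port: int = 541) -> dict:
    """Summarise one TCP flow: handshake state, data segments with payload sizes, and the reset."""
    first = next(p for p in packets if p.dport == server_port)
    client, server = first.src, first.dst
    syn = any(p.src == client and "syn" in p.flags and "ack" not in p.flags for p in packets)
    syn_ack = any(p.src == server and {"syn", "ack"} <= p.flags for p in packets)
    final_ack = any(p.src == client and "ack" in p.flags and "syn" not in p.flags for p in packets)
    segments = []
    for i, p in enumerate(packets):
        if "psh" in p.flags and p.seq is not None:
            # payload length = first later ACK from the peer that covers this segment, minus its seq
            size = next((q.ack - p.seq for q in packets[i + 1:]
                         if q.src == p.dst and q.ack is not None and q.ack > p.seq), None)
            segments.append({"from": "client" if p.src == client else "server", "bytes": size, "ts": p.ts})
    rst = next((p for p in packets if "rst" in p.flags), None)
    return {
        "client": client,
        "server": server,
        "handshake_complete": syn and syn_ack and final_ack,
        "segments": segments,
        "rst_from": None if rst is None else ("client" if rst.src == client else "server"),
        "rst_after_data": rst is not None and any(s["ts"] < rst.ts for s in segments),
        "seconds_to_rst": None if rst is None else round(rst.ts - packets[0].ts, 6),
    }


def diagnose(result: dict) -> str:
    """Turn the flow summary into the conclusion a troubleshooter needs."""
    if not result["handshake_complete"]:
        return "TCP handshake never completed: check routing, ACLs or the listener"
    if result["rst_from"] == "server" and result["rst_after_data"]:
        return ("TCP is fine; the server reset the session after application data was exchanged, "
                "so the failure is at the TLS/application layer, not the network")
    if result["rst_from"] is None:
        return "no reset seen in this capture window"
    return "session reset by the client after the handshake"


if __name__ == "__main__":
    summary = analyze_flow(parse_sniffer(SAMPLE_CAPTURE))
    for seg in summary["segments"]:
        print(f'{seg["ts"]:.6f} {seg["from"]:6s} {seg["bytes"]} bytes')
    print(diagnose(summary))
```

On the capture from the post this yields three data segments: 161 bytes from the FortiGate, 367 bytes back from the FAZ, then 7 bytes from the FortiGate, followed about one second later by the FAZ reset. A 7-byte record is exactly the size of a TLS alert (5-byte record header plus a 2-byte alert body), which is consistent with the `ssl_connect() failed` debug lines: the two sides did talk, and one of them rejected the handshake. The capture alone does not say which alert it was; for that, the `miglogd` debug on the FortiGate and the corresponding debug on the FAZ are the right next step.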
Hi guys,
I am having the same issue with my lab on VM workstation, with the same error message.
But now it is solved for me.
This is my config:
On FortiGate:
FortiGate-VM64-1 # config log fortianalyzer setting
FortiGate-VM64-1 (setting) # set status enable
FortiGate-VM64-1 (setting) # set server 172.16.10.250
FortiGate-VM64-1 (setting) # set reliable enable
FortiGate-VM64-1 (setting) # get
status : enable
ips-archive : enable
server : 172.16.10.250
certificate-verification: enable
serial :
access-config : enable
enc-algorithm : low
ssl-min-proto-version: default
conn-timeout : 10
monitor-keepalive-period: 5
monitor-failure-retry-period: 5
certificate :
source-ip :
upload-option : 5-minute
reliable : enable
On FAZ:
FAZVM64 # config system global
(global)# set enc-algorithm low
(global)# set ssl-low-encryption enable
(global)# set oftp-ssl-protocol tlsv1.0
(global)# end
enc-algorithm setting change will cause all existing FGFM tunnel/WebService connection reset. Do you want to continue? (y/n)y
killall: fgfmsd: no process killed
killall: fgfmsd: no process killed
FAZVM64 #
I hope this works for you ;)
Thank you
Regards
Genar
Hi guys, looking for your support with FG 5.6.12 connecting to FAZ v6.4.6
FAZ:
config system global
    set adom-mode advanced
    set adom-status enable
    set daylightsavetime disable
    set hostname "xxxxx"
    set latitude "0"
    set log-forward-cache-size 4
    set longitude "180"
    set oftp-ssl-protocol tlsv1.0
    set ssl-protocol tlsv1.2 tlsv1.1 tlsv1.0
    set timezone 89
    set webservice-proto tlsv1.2 tlsv1.1 tlsv1.0
FG:
config log fortianalyzer setting
    set status enable
    set ips-archive enable
    set server "10.12.0.100"
    set enc-algorithm low
    set conn-timeout 10
    set monitor-keepalive-period 5
    set monitor-failure-retry-period 5
    set certificate ''
    set source-ip "172.20.1.12"
    set upload-option realtime
    set reliable disable
When testing:
execute log fortianalyzer test-connectivity
Failed to get FAZ's status. Authentication Failed. (-19)
In FAZ there is no "unauthorized devices". Tried to reboot the FAZ and different enc/oftp settings - no luck.
In debug mode I noticed this error:
2021-07-17 19:03:57 [__SSL_info_callback:296] SSL negotiation finished successfully [ protocol : (771) TLS 1.2 ]
2021-07-17 19:03:57 [find_add_logdev:1941 FGxxxxxx] Warn Couldn't register DVM device due to can not register this device, error code -1002
And no clue what code -1002 means; Google did not help.
Has anyone met with such an issue?
ping and tcp-514 are running well, no blocks.
Thank you, works like a charm :)
This saved me a whole lot of time. Thanks genar! This works well in virtualbox and gns3.
Created on 08-16-2023 10:16 PM Edited on 08-16-2023 10:17 PM
It works on my VM workstation lab too. All VMs were using free perm trial license.
FAZ v7.2.1
FTG v7.2.3
I can even disable reliable connection (set reliable disable) on FortiGate.
Thank you Genar. The FortiGate official admin guide doesn't talk about it, and neither does the technical tip. The best official reference I found is this: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Connectivity-issue-between-FortiGate-and/t...
Genar, Thank you so much
I changed some lines based on your code and it worked
Thank you!!!
Thank you Frosty!
Do you recall what was the command on FGT?
These are my current settings:
FortiGate-VM64 # get log fortianalyzer setting
status : enable
ips-archive : enable
server : 172.16.x.x
enc-algorithm : low
ssl-min-proto-version: default
conn-timeout : 10
monitor-keepalive-period: 5
monitor-failure-retry-period: 5
certificate :
source-ip :
upload-option : realtime
reliable : enable
How to make sure that Encryption is enabled?
Thank you!
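The question of how to confirm what the log channel actually negotiates comes down to reading two outputs already shown in this thread: `get log fortianalyzer setting` on the FortiGate and `config system global` on the FortiAnalyzer. The workaround that made the lab connect (`enc-algorithm low`, `ssl-low-encryption enable`, `oftp-ssl-protocol tlsv1.0`) does so by accepting weaker ciphers and a deprecated protocol version, which is worth knowing before it is copied into production. The script below is an added example (not from the thread's posters or from Fortinet): it parses both outputs, whether pasted one field per line or flattened onto a single line as in this thread, and lists the settings that weaken or skip transport protection. The samples embedded are the `get` output from the post above and the FAZ global config quoted earlier in the thread; the expected values ("high", TLSv1-2 or higher, certificate verification enabled) are this example's own baseline, not a statement of any Fortinet default.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the 'get log fortianalyzer setting' output quoted in the post above,
# one field per line (the masked server address is kept as posted).
FGT_SETTING_SAMPLE = """\
status : enable
ips-archive : enable
server : 172.16.x.x
enc-algorithm : low
ssl-min-proto-version: default
conn-timeout : 10
monitor-keepalive-period: 5
monitor-failure-retry-period: 5
certificate :
source-ip :
upload-option : realtime
reliable : enable
"""

# Constructed sample: the FortiAnalyzer 'config system global' lines quoted earlier in the thread.
FAZ_GLOBAL_SAMPLE = """\
config system global
    set adom-mode advanced
    set adom-status enable
    set hostname "xxxxx"
    set oftp-ssl-protocol tlsv1.0
    set ssl-protocol tlsv1.2 tlsv1.1 tlsv1.0
    set webservice-proto tlsv1.2 tlsv1.1 tlsv1.0
end
"""

# 'key : value' pairs; the value is absent when the next token is itself a key
# (as in the flattened 'certificate : source-ip : upload-option : realtime').
GET_RE = re.compile(r"([a-z][a-z0-9-]*)\s*:\s*(?:(?!\S+\s*:)(\S+))?")
# 'set key value...' entries; a value runs until the next 'set', an 'end', or end of line.
SET_RE = re.compile(r"\bset\s+([a-z][a-z0-9-]*)\s+(.*?)(?=\s+set\s|\s+end\b|\s*$)", re.M)
WEAK_TLS = {"sslv3", "tlsv1.0", "tlsv1.1"}
Finding = Tuple[str, str, str]  # (setting, value as seen, why it matters)


def parse_get_output(text: str) -> Dict[str, str]:
    """Parse FortiOS 'get' output (multi-line or flattened) into a dict; empty values become ''."""
    return {k: (v or "") for k, v in GET_RE.findall(text)}


def parse_set_lines(text: str) -> Dict[str, str]:
    """Parse 'set key value' lines from a FortiOS/FortiAnalyzer config block."""
    return {k: v.strip().strip('"') for k, v in SET_RE.findall(text)}


def audit_fgt(s: Dict[str, str]) -> List[Finding]:
    """Flag FortiGate log-to-FAZ settings that weaken or skip protection of the log channel."""
    findings: List[Finding] = []
    enc = s.get("enc-algorithm", "")
    if enc.lower() != "high":
        findings.append(("enc-algorithm", enc, "expected 'high'; lower settings admit weaker cipher suites"))
    ver = s.get("ssl-min-proto-version", "")
    if ver.lower() == "default":
        findings.append(("ssl-min-proto-version", ver,
                         "inherits 'config system global' ssl-min-proto-version; confirm that is TLSv1-2 or higher"))
    elif ver.lower() not in {"tlsv1-2", "tlsv1-3"}:
        findings.append(("ssl-min-proto-version", ver, "expected TLSv1-2 or higher"))
    cv = s.get("certificate-verification")
    if cv is None:
        findings.append(("certificate-verification", "", "not present in this output; confirm it is enabled"))
    elif cv.lower() != "enable":
        findings.append(("certificate-verification", cv, "FAZ certificate is not verified; an impostor collector would be accepted"))
    rel = s.get("reliable", "")
    if rel.lower() != "enable":
        findings.append(("reliable", rel, "reliable (TCP) log delivery is off"))
    return findings


def audit_faz(g: Dict[str, str]) -> List[Finding]:
    """Flag FortiAnalyzer global settings that lower what the OFTP/web listeners will accept."""
    findings: List[Finding] = []
    if g.get("enc-algorithm", "").lower() == "low":
        findings.append(("enc-algorithm", g["enc-algorithm"], "weak cipher suites accepted from devices"))
    if g.get("ssl-low-encryption", "").lower() == "enable":
        findings.append(("ssl-low-encryption", g["ssl-low-encryption"], "low-strength SSL explicitly allowed"))
    for key in ("oftp-ssl-protocol", "ssl-protocol", "webservice-proto"):
        weak = sorted(WEAK_TLS & set(g.get(key, "").lower().split()))
        if weak:
            findings.append((key, g[key], "allows " + ", ".join(weak) + "; restrict to tlsv1.2 or higher"))
    return findings


if __name__ == "__main__":
    for label, items in (("FortiGate", audit_fgt(parse_get_output(FGT_SETTING_SAMPLE))),
                         ("FortiAnalyzer", audit_faz(parse_set_lines(FAZ_GLOBAL_SAMPLE)))):
        print(label)
        for setting, value, why in items:
            print(f"  {setting} = {value!r}: {why}")
```

To use it on a live pair, paste the two outputs in place of the samples (or read them from files); the parser accepts them exactly as they come off the CLI or as they end up after a forum post flattens them. After the workaround from this thread is applied, the FAZ side reports `enc-algorithm`, `ssl-low-encryption` and `oftp-ssl-protocol` together, which is the list of settings to revisit once the lab works and the real cause of the version mismatch is understood.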
Copyright 2024 Fortinet, Inc. All Rights Reserved.