Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
onurd0gan
New Contributor II

Cannot add devices

Hello,

I have a FortiGate and FortiManager VM, trial version 6.0.2. I could not add the FortiGate to FortiManager.

There is no connectivity problem between the FortiGate and FortiManager, but I get a "Probe Failed" error. The FMG protocol is enabled on the related interface. I checked the task monitor logs on FortiManager and saw "Cannot communicate with remote device (tunnel is down)" and, in the description, "2019-04-29 15:14:24:fgfmstarterror".

What might be the problem?

Thank you,

15 REPLIES
brazz_FTNT
Staff

Hey,

Is there any full inspection happening between FGT and FMG? What is the network topology?

Thanks

onurd0gan

Hey,

It is in my VM lab environment (VMware Fusion).

There is no other device between them.

Thanks

brazz_FTNT

Thanks for the reply.

Can you check (on the FGT)

config system central-management   get

and can you check (on the FMG)

config system global get

I am actually looking for the level of encryption on both of these.

Cheers

onurd0gan

Hello,

I added the output, thank you.

FMG-VM64 # config system gl

(global)# get
admin-lockout-duration: 60
admin-lockout-threshold: 3
adom-mode           : normal 
adom-rev-auto-delete: by-revisions 
adom-rev-max-backup-revisions: 5
adom-rev-max-revisions: 120
adom-select         : enable 
adom-status         : enable 
clt-cert-req        : disable 
console-output      : standard 
country-flag        : enable 
create-revision     : disable 
daylightsavetime    : enable 
default-disk-quota  : 1000
detect-unregistered-log-device: enable 
device-view-mode    : regular 
dh-params           : 2048 
disable-module      : 
enc-algorithm       : high 
faz-status          : disable 
fgfm-local-cert     : (null)
fgfm-ssl-protocol   : tlsv1.2 
ha-member-auto-grouping: enable 
hitcount_concurrent : 100
hitcount_interval   : 300
hostname            : FMG-VM64 
import-ignore-addr-cmt: disable 
language            : english 
latitude            : (null)
ldap-cache-timeout  : 86400
ldapconntimeout     : 60000
log-checksum        : none 
log-forward-cache-size: 0
longitude           : (null)
max-running-reports : 1
oftp-ssl-protocol   : tlsv1.2 
partial-install     : disable 
perform-improve-by-ha: disable 
policy-hit-count    : disable 
policy-object-in-dual-pane: disable 
pre-login-banner    : disable 
remoteauthtimeout   : 10
search-all-adoms    : disable 
ssl-low-encryption  : disable 
ssl-protocol        : tlsv1.2 
ssl-static-key-ciphers: enable 
task-list-size      : 2000
timezone            : (GMT+3:00) Istanbul.
tunnel-mtu          : 1500
usg                 : enable 
vdom-mirror         : disable 
webservice-proto    : tlsv1.2 
workspace-mode      : disabled 

FortiGate-VM64 # config system central-management

FortiGate-VM64 (central-management) # get
mode                : normal 
type                : fortimanager 
schedule-config-restore: enable 
schedule-script-restore: enable 
allow-push-configuration: enable 
allow-push-firmware : enable 
allow-remote-firmware-upgrade: enable 
allow-monitor       : enable 
serial-number       : 
fmg                 : "10.10.231.221"
fmg-source-ip       : 0.0.0.0
fmg-source-ip6      : ::
vdom                : root 
server-list:
include-default-servers: enable 
enc-algorithm       : low 
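
As an added diagnostic (my own script, not from this thread or from Fortinet), here is a Python check that parses the two `get` dumps above in the `key : value` layout shown and flags the enc-algorithm mismatch behind the fgfmstarterror; the legacy-protocol check and the tlsv1.0/tlsv1.1 values are my assumptions, not something the thread states.

```python
import re

# Constructed sample input: the two "get" dumps pasted earlier in this thread,
# trimmed to the keys that matter for the FGFM tunnel (values as on the page).
FMG_GLOBAL = """\
enc-algorithm       : high 
fgfm-ssl-protocol   : tlsv1.2 
ssl-low-encryption  : disable 
"""
FGT_CENTRAL_MGMT = """\
FortiGate-VM64 (central-management) # get
fmg                 : "10.10.231.221"
server-list:
enc-algorithm       : low 
"""
# One "key : value" line; the value may be empty, quoted, or the literal (null).
LINE_RE = re.compile(r"^\s*([\w-]+)\s*:\s*(.*?)\s*$")

def parse_get_output(text):
    """Turn a Forti CLI 'get' dump into a dict; empty and (null) values become None."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # prompt lines such as "... # get" do not match and are skipped
            continue
        key, value = m.group(1), m.group(2).strip('"')
        settings[key] = None if value in ("", "(null)") else value
    return settings

def check_fgfm_settings(fmg, fgt):
    """Return findings that explain a 'tunnel is down' probe failure; [] = none."""
    findings = []
    fmg_enc, fgt_enc = fmg.get("enc-algorithm"), fgt.get("enc-algorithm")
    if fmg_enc != fgt_enc:
        # The thread shows FMG=high with FGT=low (and FGT=default) failing with
        # fgfmstarterror, and working once both sides used the same level.
        findings.append(f"enc-algorithm mismatch: FMG={fmg_enc}, FGT={fgt_enc}; set "
                        "both sides to the same level (prefer raising the FGT to the "
                        "FMG level over lowering the FMG).")
    # Assumption: besides sslv3 (suggested in the thread as a test only), tlsv1.0
    # and tlsv1.1 are legacy fgfm-ssl-protocol values that should not stay enabled.
    proto = fmg.get("fgfm-ssl-protocol")
    if proto in ("sslv3", "tlsv1.0", "tlsv1.1"):
        findings.append(f"fgfm-ssl-protocol={proto} is a legacy protocol; use it "
                        "only to isolate the fault, then restore tlsv1.2.")
    return findings

if __name__ == "__main__":
    fmg, fgt = parse_get_output(FMG_GLOBAL), parse_get_output(FGT_CENTRAL_MGMT)
    for finding in check_fgfm_settings(fmg, fgt) or ["no blocking mismatch found"]:
        print("FINDING:", finding)
```

Paste the full dumps from both boxes into the two strings to run it against your own pair; a TCP handshake that completes and is then reset by the FMG, as in the sniffer output later in this thread, is consistent with the application-layer rejection this check looks for.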
brazz_FTNT

Thanks

Can you set (on the FGT)

enc-algorithm to default and try doing the connection one more time.

Thanks

onurd0gan

Hello,

I tried, but the probe failed again.

7.712600 port1 in 10.10.231.221.42888 -> 10.10.231.110.541: rst 3489118224 ack 2398539591
18.925384 port1 out 10.10.231.110.2680 -> 10.10.231.221.541: syn 387565312 
18.925550 port1 in 10.10.231.221.541 -> 10.10.231.110.2680: syn 1708240234 ack 387565313 
18.925577 port1 out 10.10.231.110.2680 -> 10.10.231.221.541: ack 1708240235 
18.925845 port1 out 10.10.231.110.2680 -> 10.10.231.221.541: psh 387565313 ack 1708240235 
18.925897 port1 in 10.10.231.221.541 -> 10.10.231.110.2680: ack 387565416 
19.926431 port1 in 10.10.231.221.541 -> 10.10.231.110.2680: rst 1708240235 ack 387565416 

231.221 is the manager. Why are RST packets sent?

brazz_FTNT

On the FMG side

Let's try setting the fgfm-ssl-protocol to sslv3 just to test the connection.

Thanks

onurd0gan

Hello,

Thank you for your support. I solved the problem by setting enc-algorithm to low on FMG.

Thanks
makco10

Thanks!

This config solved my issue:

FortiManager:

Fortigate:

Regards.

Defend Your Enterprise Network With Fortigate Next Generation Firewall