Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
massive627
New Contributor II

FMG 7.4.3 trial VM - probe fail

I'm trying to add Fortigate to FMG have tried version 7.0.15, 7.2.0, 6.4.10 and always get probe failed, even after emabling low encryption:

 

config system global

set adom-status enable

set enc-algorithm low

set fgfm-ssl-protocol tlsv1.0

set usg enable

end

 

Anyone have any idea if any other config needs chaing? I also tried FMG 7.0.12 and got probe failure as well.

port1 on the foritgate VM is enabled for FMG-Access

 

I installed FMG on eve-ng and ESXi, every time I get probe failed.

 

This is the debug from the fortigate, it shows connectivity is fine?

 

FGVMEVWXJNWHYO97 # diagnose debug enable

FGVMEVWXJNWHYO97 #
FGVMEVWXJNWHYO97 # diagnose debug application fgfmd -1
Debug messages will be on for 30 minutes.

FGVMEVWXJNWHYO97 # FGFMs: Create session 0xfb19c50.
FGFMs: setting session 0xfb19c50 exclusive=0
FGFMs: Connect to 172.16.10.100:541, local 172.16.10.110:4840.
FGFMs: set_fgfm_sni SNI<support.fortinet-ca2.fortinet.com>
FGFMs: Load Cipher [ALL:!RC4:!EXPORT:@STRENGTH]
FGFMs: Load TLS 1.3 Cipher [TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256]
FGFMs: before SSL initialization
FGFMs: CA to broadcast: subject fortinet-subca2003, issuer fortinet-ca2
FGFMs: CA to broadcast: subject support, issuer support
FGFMs: CA to broadcast: subject fortinet-ca2, issuer fortinet-ca2
FGFMs: CA to broadcast: subject fortinet-subca2001, issuer fortinet-ca2
FGFMs: Broadcast 4 CA subject names to FMG
FGFMs: SSLv3/TLS write client hello
FGFMs: SSLv3/TLS write client hello
FGFMs: SSLv3/TLS read server hello
FGFMs: SSLv3/TLS write change cipher spec
FGFMs: SSLv3/TLS write client hello
FGFMs: SSLv3/TLS write client hello
FGFMs: SSLv3/TLS read server hello
FGFMs: TLSv1.3 read encrypted extensions
FGFMs: SSLv3/TLS read server certificate request
FGFMs: SSLv3/TLS read server certificate
FGFMs: TLSv1.3 read server certificate verify
FGFMs: The subject CN in peer's certificate: FMG-VMTM24010412
FGFMs: The issuer CN in peer's certificate: support
FGFMs: SSLv3/TLS read finished
FGFMs: SSLv3/TLS write client certificate
FGFMs: SSLv3/TLS write certificate verify
FGFMs: SSLv3/TLS write finished
FGFMs: SSL negotiation finished successfully
FGFMs: client:send:
get auth
serialno=FGVMEVWXJNWHYO97
mgmtid=00000000-0000-0000-0000-000000000000
platform=FortiGate-VM64-KVM
fos_ver=700
minor=4
patch=4
build=2662
branch=2662
maxvdom=2
fg_ip=172.16.10.110
hostname=FGVMEVWXJNWHYO97
harddisk=no
biover=04000002
mgmt_mode=normal
enc_flags=0
mgmtip=172.16.10.110
mgmtport=443


FGFMs: SSL negotiation finished successfully
FGFMs: SSL negotiation finished successfully
FGFMs: SSLv3/TLS read server session ticket
FGFMs: SSL negotiation finished successfully
FGFMs: SSL negotiation finished successfully
FGFMs: SSLv3/TLS read server session ticket
FGFMs: Cleanup session 0xfb19c50, 172.16.10.100.
FGFMs: Destroy session 0xfb19c50, 172.16.10.100.
FGFMs: Create session 0xfb19c50.
FGFMs: setting session 0xfb19c50 exclusive=0
FGFMs: Connect to 172.16.10.100:541, local 172.16.10.110:4842.
FGFMs: set_fgfm_sni SNI<support.fortinet-ca2.fortinet.com>
FGFMs: Load Cipher [ALL:!RC4:!EXPORT:@STRENGTH]
FGFMs: Load TLS 1.3 Cipher [TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256]
FGFMs: before SSL initialization
FGFMs: CA to broadcast: subject fortinet-subca2003, issuer fortinet-ca2
FGFMs: CA to broadcast: subject support, issuer support
FGFMs: CA to broadcast: subject fortinet-ca2, issuer fortinet-ca2
FGFMs: CA to broadcast: subject fortinet-subca2001, issuer fortinet-ca2
FGFMs: Broadcast 4 CA subject names to FMG
FGFMs: SSLv3/TLS write client hello
FGFMs: SSLv3/TLS write client hello
FGFMs: SSLv3/TLS read server hello
FGFMs: SSLv3/TLS write change cipher spec
FGFMs: SSLv3/TLS write client hello
FGFMs: SSLv3/TLS write client hello
FGFMs: SSLv3/TLS read server hello
FGFMs: TLSv1.3 read encrypted extensions
FGFMs: SSLv3/TLS read server certificate request
FGFMs: SSLv3/TLS read server certificate
FGFMs: TLSv1.3 read server certificate verify
FGFMs: The subject CN in peer's certificate: FMG-VMTM24010412
FGFMs: The issuer CN in peer's certificate: support
FGFMs: SSLv3/TLS read finished
FGFMs: SSLv3/TLS write client certificate
FGFMs: SSLv3/TLS write certificate verify
FGFMs: SSLv3/TLS write finished
FGFMs: SSL negotiation finished successfully
FGFMs: client:send:
get auth
serialno=FGVMEVWXJNWHYO97
mgmtid=00000000-0000-0000-0000-000000000000
platform=FortiGate-VM64-KVM
fos_ver=700
minor=4
patch=4
build=2662
branch=2662
maxvdom=2
fg_ip=172.16.10.110
hostname=FGVMEVWXJNWHYO97
harddisk=no
biover=04000002
mgmt_mode=normal
enc_flags=0
mgmtip=172.16.10.110
mgmtport=443

1 Solution
massive627

I applied this command to FMG and now I can add device

 

FMG-VM64-KVM # config system global

(global)# set fgfm-peercert-withoutsn enable

 

I found this article that explains it.

 

https://community.fortinet.com/t5/FortiManager/Technical-Tip-How-to-register-a-new-cluster-when-Fort...

View solution in original post

3 REPLIES 3
Quint021
Staff
Staff

Hello @massive627

Are you able to provide the debugs on Fortimanager's end as well? Please refer to the following link and provide the additional information for review.

https://community.fortinet.com/t5/FortiManager/Troubleshooting-Tip-How-to-troubleshoot-connectivity-...

Kind Regards,

massive627
New Contributor II

@Quint021  Thank you for the reply. Here is the debug on FMG

2024-07-04 16:22:10 FGFMs(probing...): __get_handler: SNs don't match <FortiGate> <FGVMEVWXJNWHYO97>, need to examine later
2024-07-04 16:22:10 FGFMs(probing...): __get_handler:1026: serial number (FGVMEVWXJNWHYO97) in 'get' message doesn't match the subject CN (FortiGate) in peer's certificate.

2024-07-04 16:22:10 FGFMs(probing...): Cleanup session 0x560325e4f110, 172.16.10.110.
2024-07-04 16:22:10 Response:
2024-07-04 16:22:10 { "id": 2, "result": [{ "status": { "code": 5, "message": "device serial number conflicted"}, "url": "start\/probe\/session"}]}
2024-07-04 16:22:10 Response [unknown]:
2024-07-04 16:22:10 { "id": 2, "result": [{ "status": { "code": 5, "message": "device serial number conflicted"}, "url": "start\/probe\/session"}]}
2024-07-04 16:22:10 FGFMs(probing...): Destroy session 0x560325e4f110, 172.16.10.110.
2024-07-04 16:22:24 FGFMs(probing...): Create session 0x560325e4f110.
2024-07-04 16:22:24 FGFMs(probing...): Incoming 172.16.10.110 local 172.16.10.100.
2024-07-04 16:22:24 FGFMs: Load Cipher [ALL:-NULL:-aNULL:@STRENGTH]
2024-07-04 16:22:24 FGFMs: ssl_proto.c,642: TLSv1.3 before SSL initialization
2024-07-04 16:22:24 FGFMs: ssl_proto.c,642: TLSv1.3 before SSL initialization
2024-07-04 16:22:24 FGFMs: Got client SNI information : support.fortinet-ca2.fortinet.com
2024-07-04 16:22:24 FGFMs: __get_certid_from_sni cerid=0, cn<fortinet-subca2001>
2024-07-04 16:22:24 FGFMs: __get_certid_from_sni cerid=0, expire at=2056
2024-07-04 16:22:24 FGFMs: __get_certid_from_sni cerid=1, cn<support>
2024-07-04 16:22:24 FGFMs: __get_certid_from_sni cerid=1, expire at=2038
2024-07-04 16:22:24 FGFMs: use certificate 1, certfile=/etc/cert/local/Fortinet_Local2.cer, keyfile=/etc/cert/local/Fortinet_Local2.key
2024-07-04 16:22:24 FGFMs: ssl_proto.c,642: TLSv1.3 SSLv3/TLS read client hello
2024-07-04 16:22:24 FGFMs: ssl_proto.c,642: TLSv1.3 SSLv3/TLS write server hello
2024-07-04 16:22:24 FGFMs: ssl_proto.c,642: TLSv1.3 SSLv3/TLS write change cipher spec
2024-07-04 16:22:24 FGFMs: ssl_proto.c,642: TLSv1.3 TLSv1.3 early data
2024-07-04 16:22:24 FGFMs: ssl_proto.c,642: TLSv1.3 TLSv1.3 early data
2024-07-04 16:22:24 FGFMs: Got client SNI information : support.fortinet-ca2.fortinet.com
2024-07-04 16:22:24 FGFMs: __get_certid_from_sni cerid=0, cn<fortinet-subca2001>
2024-07-04 16:22:24 FGFMs: __get_certid_from_sni cerid=0, expire at=2056
2024-07-04 16:22:24 FGFMs: __get_certid_from_sni cerid=1, cn<support>
2024-07-04 16:22:24 FGFMs: __get_certid_from_sni cerid=1, expire at=2038
2024-07-04 16:22:24 FGFMs: use certificate 1, certfile=/etc/cert/local/Fortinet_Local2.cer, keyfile=/etc/cert/local/Fortinet_Local2.key
2024-07-04 16:22:24 FGFMs: ssl_proto.c,642: TLSv1.3 SSLv3/TLS read client hello
2024-07-04 16:22:24 FGFMs: ssl_proto.c,642: TLSv1.3 SSLv3/TLS write server hello
2024-07-04 16:22:24 FGFMs: ssl_proto.c,642: TLSv1.3 TLSv1.3 write encrypted extensions
2024-07-04 16:22:24 FGFMs: CA issuer to broadcast: support
2024-07-04 16:22:24 FGFMs: CA issuer to broadcast: fortinet-ca2
2024-07-04 16:22:24 FGFMs: CA issuer to broadcast: fortinet-ca2
2024-07-04 16:22:24 FGFMs: Broadcast 3 CA subject names to FGT/FAZ
2024-07-04 16:22:24 FGFMs: ssl_proto.c,642: TLSv1.3 SSLv3/TLS write certificate request
2024-07-04 16:22:24 FGFMs: Got 4 CA subject names from FGT/FAZ broadcast
2024-07-04 16:22:24 FGFMs: Remote CA subject is /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=fortinet-subca2003.
2024-07-04 16:22:24 FGFMs: issuer matching...try next if not match... local_issuer(support), remote_CA_subject(fortinet-subca2003)
2024-07-04 16:22:24 FGFMs: Remote CA subject is /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com.
2024-07-04 16:22:24 FGFMs: issuer matching...try next if not match... local_issuer(support), remote_CA_subject(support)
2024-07-04 16:22:24 FGFMs: Root issuer matched, local=remote=support
2024-07-04 16:22:24 FGFMs: ssl_proto.c,642: TLSv1.3 SSLv3/TLS write certificate
2024-07-04 16:22:24 FGFMs: ssl_proto.c,642: TLSv1.3 TLSv1.3 write server certificate verify
2024-07-04 16:22:24 FGFMs: ssl_proto.c,642: TLSv1.3 SSLv3/TLS write finished
2024-07-04 16:22:24 FGFMs: ssl_proto.c,642: TLSv1.3 TLSv1.3 early data
2024-07-04 16:22:24 FGFMs: ssl_proto.c,642: TLSv1.3 TLSv1.3 early data
2024-07-04 16:22:24 FGFMs: ssl_proto.c,642: TLSv1.3 SSLv3/TLS read client certificate
2024-07-04 16:22:24 FGFMs: ssl_proto.c,642: TLSv1.3 SSLv3/TLS read certificate verify
2024-07-04 16:22:24 FGFMs: ssl_proto.c,642: TLSv1.3 SSLv3/TLS read finished
2024-07-04 16:22:24 FGFMs: ssl_proto.c,642: TLSv1.3 SSLv3/TLS write session ticket
2024-07-04 16:22:24 FGFMs: ssl_proto.c,642: TLSv1.3 SSLv3/TLS write session ticket
2024-07-04 16:22:24 FGFMs(probing...): server:
2024-07-04 16:22:24 get auth
serialno=FGVMEVWXJNWHYO97
mgmtid=00000000-0000-0000-0000-000000000000
platform=FortiGate-VM64-KVM
fos_ver=700
minor=4
patch=4
build=2662
branch=2662
maxvdom=2
fg_ip=172.16.10.110
hostname=FGVMEVWXJNWHYO97
harddisk=no
biover=04000002
mgmt_mode=normal
enc_flags=0
mgmtip=172.16.10.110
mgmtport=443

 

It is showing an error of the Fortigate serial number, but when I look at the facotry self-signed certificate the SN is correct.

 

 

Subject:
Common Name (CN)
FortiGate
Organization (O)
Fortinet Ltd.
Organization Unit (OU)
FortiGate
Locality (L)
Sunnyvale
State (ST)
California
Country/Region (C)
US
Issuer:
Common Name (CN)
FGVMEVWXJNWHYO97
Organization (O)
Fortinet
Organization Unit (OU)
Certificate Authority
Locality (L)
Sunnyvale
State (ST)
California
Country/Region (C)
US
Email Address (emailAddress)
support@fortinet.com 
massive627

I applied this command to FMG and now I can add device

 

FMG-VM64-KVM # config system global

(global)# set fgfm-peercert-withoutsn enable

 

I found this article that explains it.

 

https://community.fortinet.com/t5/FortiManager/Technical-Tip-How-to-register-a-new-cluster-when-Fort...

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors