Hi Team,
I have installed the persistence agent on a client computer and edited the Windows registry to specify the server IP 10.0.200.247 (port1 interface of FortiNAC).
I noted from capturing packets along the path that the agent tries to initiate the TCP connection to 10.0.200.247, but no reply comes back to any SYN packet.
Attached also is the TCP dump from the FortiNAC (attached testfile.pcap), showing SYN packets from 172.16.14.27 to 10.0.200.247 but no SYN-ACK seen; trying to telnet to port 4568 from the client machine also fails.
The default route on FortiNAC on port1 is 10.0.200.1 (FortiGate), and from the same client machine I can access FortiNAC on its port1 IP for management on port 8443 and SSH (but not port 4568).
I tried restarting the service many times on both the client machine and the FortiNAC.
Note: it is a layer 3 deployment and the host is not in an isolation network.
Also note that it is not an SSL or certificate-related issue, because the TCP connection is failing to be established; I am not reaching the TLS negotiation phase.
Since you are running the new FNAC-F, a common mistake is forgetting to allow the service in the port configuration:
config system interface
edit port1
set allowaccess dhcp dns http-adminui https-adminui nac-agent ping radius-local snmp ssh syslog
The added confusion is that the packet capture in FNAC still receives the packets, but without this command the service will not listen on that interface. Some common recommendations can also be found in this article.
Hi Mostafa,
Have you installed a certificate (trusted by clients) on FNAC for agent communication?
If not, then there will be no communication between them.
Hi AEK, I agree, and I have already done this step.
Again, please note that the TCP three-way handshake is not successful.
If it were a certificate issue, I would see in the packet capture that the TCP connection is established and then a failure in TLS negotiation, but this is not the case in my situation.
Anyway, I have done this step and imported the CA that signed the PA certificate to be trusted on the client machine.
Is the port listening?
Try with telnet from your FortiGate, then from the client as well.
I missed that you already tried telnet from the client and it didn't work.
So can you try telnet from the FortiGate?
Also try the following from the FortiNAC CLI as the root user:
netstat -an | grep 4568
telnet <FNAC-main-IP> 4568
tcpdump port 4568 (while trying telnet from the FG and from the client)
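The diagnostic above relies on telling three handshake outcomes apart: the SYN gets a SYN-ACK (listening), it gets an RST (host reachable, nothing bound to the port), or it gets nothing at all (silently dropped, which is what the pcap in this thread shows). The following Python probe, added here as an example rather than taken from the thread or from any Fortinet tool, classifies a TCP connect attempt that way. It assumes loopback is available for the constructed `demo()` scenario; the host 10.0.200.247 and ports in the trailing comment are the ones from this thread and are not contacted when the script runs.

```python
import socket


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt a TCP connect and report what the handshake did.

    Returns one of:
      "open"        - SYN-ACK received, three-way handshake completed
      "refused"     - RST received: host reachable, nothing listening on port
      "timeout"     - neither SYN-ACK nor RST within `timeout`: the SYN was
                      silently dropped (filtered, or the service is not
                      served on that interface), the pattern in this thread
      "unreachable" - no route or other socket error before/while sending
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"
    finally:
        sock.close()


def probe_many(host: str, ports, timeout: float = 3.0) -> dict:
    """Probe several ports on one host; useful to compare a port that works
    (e.g. the admin UI) against the one that does not (the agent port)."""
    return {port: probe(host, port, timeout) for port in ports}


def demo() -> dict:
    """Constructed local scenario (assumption: 127.0.0.1 is usable):
    one port with a real listener and one port that was bound and released,
    so a SYN to it is answered with an RST."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    listening_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # released: nothing listens here any more

    try:
        return {
            "listening": probe("127.0.0.1", listening_port, 1.0),
            "closed": probe("127.0.0.1", closed_port, 1.0),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    print(demo())
    # Run from the client against the FortiNAC in this thread, the expected
    # picture before the fix is "open" for 8443 and 22 but "timeout" for 4568:
    # print(probe_many("10.0.200.247", [22, 8443, 4568]))
```

A "timeout" result next to "open" on the management ports of the same IP is what separates this case from a certificate problem: a TLS failure can only happen after the probe has returned "open".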
Telnetting from the FortiGate:
FortiGate-HQ (root) # execute telnet 10.0.200.247 4568
Trying 10.0.200.247...
From FortiNAC:
fortinac # execute enter-shell
fortinac:~$ netstat -an | grep 4568
tcp6 0 0 :::4568 :::* LISTEN
fortinac:~$ telnet 10.0.200.247 4568
Connected to 10.0.200.247
(Screenshot of the pcap file, as captured with tcpdump on the FNAC itself, not reproduced here.)
The FortiGate on the same subnet can't telnet to FNAC:4568, but FortiNAC can telnet to itself on the same port. Is it possible that FortiNAC-F has an internal firewall?
systemctl status firewalld
firewall-cmd --list-all
Otherwise I don't have other ideas.