osaleem2_10
New Contributor III

FortiNAC persisting agent connection

Hi everyone,

Recently I did FortiNAC enforcement in my environment. First I integrated the NAC with my FortiGate, and then I checked that all machines are OK and getting the right policy and the right VLAN.

After I did the enforcement it started showing some agent connection errors, and machines are getting the wrong VLAN policy because of that connection error. How can I troubleshoot this? Before enforcement the machine was able to communicate with the NAC; after enforcement it was assigned to the Reg-VLAN because of no connection!

I'm sure there is a policy to allow all traffic with all services and ports.

I'm sure the machine has the Agent installed and the 802.1X configuration.

Other machines in the same branch are working fine, as you can see in the screenshot below. Only some are getting that weird error. Any advice?

[Screenshot: Screenshot 2025-01-25 161220.png]

AEK
SuperUser

Hi Osaleem

Most probable reasons: certificate issue, or client can't reach FNAC server.

From the client, try to ping the FNAC server. If that works, then try a sniffer from the NAC side (TCP 4568) to see if the PA traffic is reaching FNAC. If that works too, then it is probably a certificate issue.

osaleem2_10
New Contributor III

Hi AEK,

Thanks for your reply.

Do you mean reaching the NAC while the machine is in the registration or remediation VLAN?

And regarding sniffing packets from the NAC side, is this command enough to show the connection:

# exec enter-shell
# sudo tcpdump -nnvi port1 '(port 4568) and host <machine-IP>'

AEK

Hi Osaleem

It should reach the NAC while in any VLAN: registration, remediation, prod, and so on.

The tcpdump command seems correct.

ebilcari

If the Agent was communicating normally before, most probably these hosts fail the compliance check, and while they are in the isolation/quarantine network they can't reach FNAC through the isolation port.

On the packet capture command it's better to include both FNAC interfaces and use the new syntax (without entering shell):

# execute tcpdump -i any port 4568 and host 10.x.x.x -v

The Agent logs from the end hosts should have more details.

- Emirjon
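As an added example (not from this thread, Fortinet, or the posters above), here is a small parser that turns AEK's decision tree and the tcpdump commands above into a check on a saved capture: no TCP 4568 traffic from the host points at VLAN/isolation reachability, SYNs without SYN-ACK at a one-way path or the service, and a TCP session that is torn down after only a few packets at the certificate side. It assumes the one-line summary format printed by `tcpdump -nn` (without `-v`); the sample lines are constructed, and the host and port values are placeholders.

```python
import re
# Persistent Agent traffic to FortiNAC uses TCP 4568 (from the thread above).
PA_PORT = 4568
# One-line summary as printed by "tcpdump -nn" (without -v), e.g.
# "12:00:00.000001 IP 10.1.1.20.51000 > 10.1.1.5.4568: Flags [S], seq 1, win 64240, length 0"
LINE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*length (?P<len>\d+)$"
)
def classify_capture(lines, host):
    """Classify one host's TCP 4568 session: no-traffic, no-synack, early-teardown or ok."""
    syn = synack = data = 0
    closed = False
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a TCP summary line (e.g. ARP, ICMP, or a -v continuation line)
        d = m.groupdict()
        to_nac = d["src"] == host and int(d["dport"]) == PA_PORT
        from_nac = d["dst"] == host and int(d["sport"]) == PA_PORT
        if not (to_nac or from_nac):
            continue  # traffic of some other host or port
        flags = d["flags"]
        if to_nac and flags == "S":
            syn += 1
        elif from_nac and flags == "S.":
            synack += 1
        if "R" in flags or "F" in flags:
            closed = True
        if int(d["len"]) > 0:
            data += 1
    if syn == 0:
        return "no-traffic"      # host never reached the NAC: VLAN, isolation port or ACL
    if synack == 0:
        return "no-synack"       # SYNs arrive but the NAC does not answer: path or service problem
    if closed and data <= 4:
        return "early-teardown"  # TCP works but the session dies after a few packets: check certificates
    return "ok"

# Constructed sample (not real FortiNAC data): handshake, one ClientHello-sized record,
# one reply from the NAC, then the client resets the session.
SAMPLE_EARLY_RESET = [
    "12:00:00.000001 IP 10.1.1.20.51000 > 10.1.1.5.4568: Flags [S], seq 1, win 64240, length 0",
    "12:00:00.000002 IP 10.1.1.5.4568 > 10.1.1.20.51000: Flags [S.], seq 2, ack 2, win 65160, length 0",
    "12:00:00.000003 IP 10.1.1.20.51000 > 10.1.1.5.4568: Flags [.], ack 1, win 502, length 0",
    "12:00:00.000004 IP 10.1.1.20.51000 > 10.1.1.5.4568: Flags [P.], seq 1:518, ack 1, win 502, length 517",
    "12:00:00.000005 IP 10.1.1.5.4568 > 10.1.1.20.51000: Flags [P.], seq 1:1461, ack 518, win 509, length 1460",
    "12:00:00.000006 IP 10.1.1.20.51000 > 10.1.1.5.4568: Flags [R.], seq 518, ack 1461, win 0, length 0",
]
```

An "early-teardown" verdict only says the TCP path is fine and the failure happens higher up; the Agent logs on the host, as Emirjon notes, are where the actual certificate error will be spelled out.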