Support Forum
Nikita

FortiManager can't add a new FortiGate device (trial license)

Hello all!

I installed FortiManager VM-64 (trial version) and tried to add a new FortiGate device (VM64, trial version), but no luck.

Platform of virtualization: VMware ESXi.

I tried to initiate it from the FortiManager GUI and from the FortiGate GUI.

When I enable debug on the devices there are some errors:

diagnose debug enable
diagnose debug application fgfmd -1

FGFMs: cert_id<0>, sni<support.>
FGFMs: set_fgfm_sni SNI<support.fortinet.com>
FGFMs: Load Cipher [DES:@STRENGTH]
FGFMs: before SSL initialization
FGFMs: SSLv3/TLS write client hello
FGFMs: SSLv3/TLS write client hello
FGFMs: [__get_error:612] error=5, errno=104,Connection reset by peer.

Could anyone help with this question, please?

brazz_FTNT
Staff

Hey, 

What are the FMG and FGT versions?

Cheers

Nikita

Thank you for the answer.

Versions:

FortiManager - v6.2.0-build1050 190411 (GA)

FortiGate - v6.2.0 build0866 (GA)

brazz_FTNT

  • Are they on the same subnet?
  • Any devices in the middle doing any inspection?
  • Show me the output of:

config log fortianalyzer setting
get

Cheers

Nikita

- Yes, on the same.

- No, there aren't any devices between.

FortiAnalyzer? Sure? But I'm trying to connect to FortiManager.

FortiGate-node1 (setting) # get
status : disable
certificate :

brazz_FTNT

Hey,

Thanks, can you please run:

On FMG:
config system global
get

On FGT:
config system central-management
get

Nikita

FortiGate-node1 (central-management) # get
mode : normal
type : fortimanager
schedule-config-restore: enable
schedule-script-restore: enable
allow-push-configuration: enable
allow-push-firmware : enable
allow-remote-firmware-upgrade: enable
allow-monitor : enable
serial-number :
fmg : "<fortimanager-ip>"
fmg-source-ip : 0.0.0.0
fmg-source-ip6 : ::
local-cert :
vdom : root
server-list:
include-default-servers: enable
enc-algorithm : low

FMG-VM64 # config system global
(global)# get
admin-lockout-duration: 60
admin-lockout-threshold: 3
adom-mode : normal
adom-rev-auto-delete: by-revisions
adom-rev-max-backup-revisions: 5
adom-rev-max-revisions: 120
adom-status : disable
clt-cert-req : disable
console-output : standard
country-flag : enable
create-revision : disable
daylightsavetime : enable
default-disk-quota : 1000
detect-unregistered-log-device: enable
device-view-mode : regular
dh-params : 2048
disable-module :
enc-algorithm : high
faz-status : disable
fgfm-local-cert : (null)
fgfm-ssl-protocol : tlsv1.2
ha-member-auto-grouping: enable
hitcount_concurrent : 100
hitcount_interval : 300
hostname : FMG-VM64
import-ignore-addr-cmt: disable
language : english
latitude : (null)
ldap-cache-timeout : 86400
ldapconntimeout : 60000
log-checksum : none
log-forward-cache-size: 0
longitude : (null)
max-running-reports : 1
oftp-ssl-protocol : tlsv1.2
partial-install : disable
perform-improve-by-ha: disable
policy-hit-count : disable
policy-object-in-dual-pane: disable
pre-login-banner : disable
remoteauthtimeout : 10
search-all-adoms : disable
ssl-low-encryption : disable
ssl-protocol : tlsv1.2
ssl-static-key-ciphers: enable
task-list-size : 2000
timezone : (GMT+3:00) Moscow.
tunnel-mtu : 1500
usg : enable
vdom-mirror : disable
webservice-proto : tlsv1.2
workspace-mode : disabled

brazz_FTNT

Hey,

Thanks for the update.

On FGT:

Let's set the enc-algorithm to high and try adding the FGT to FMG.

Let me know about the results.

Cheers

Nikita

Hi,

thanks for your help!

I changed enc-algorithm to 'default'. There isn't 'high' exactly.

As I know, the trial license supports only the low enc-algorithm.

FortiGate-node1 (central-management) # show
config system central-management
    set type fortimanager
    set fmg "<fortimanager-ip>"
    set enc-algorithm default
end

After the changes the debug log looks a little different:

FGFMs: Connect to <fortimanager-ip>:541, local <fortigate-ip>:8201.
FGFMs: cert_id<0>, sni<support.>
FGFMs: set_fgfm_sni SNI<support.fortinet.com>
FGFMs: Load Cipher [DES:@STRENGTH]
FGFMs: before SSL initialization
FGFMs: SSLv3/TLS write client hello
FGFMs: Cleanup session 0xcedb650, <fortimanager-ip>.
FGFMs: Destroy session 0xcedb650, <fortimanager-ip>.

brazz_FTNT

Hello,

Thanks for the update.

+ Did you try adding it from FGT or from FMG?

+ Also, just for testing, let's play with the "fgfm-ssl-protocol" on the FMG side. For example, let's set it to tlsv1.0 and retry again.

Let me know about the results.

Below are the settings of my FMG and FGT:

==========================================================

(global)# get
admin-lockout-duration: 60
admin-lockout-threshold: 3
adom-mode : normal
adom-rev-auto-delete: by-revisions
adom-rev-max-backup-revisions: 5
adom-rev-max-revisions: 120
adom-select : enable
adom-status : enable
clt-cert-req : disable
console-output : standard
country-flag : enable
create-revision : disable
daylightsavetime : enable
detect-unregistered-log-device: enable
device-view-mode : tree
dh-params : 2048
disable-module :
enc-algorithm : low
faz-status : disable
fgfm-local-cert : (null)
fgfm-ssl-protocol : tlsv1.0
ha-member-auto-grouping: enable
hitcount_concurrent : 100
hitcount_interval : 300
hostname : FMG-08
import-ignore-addr-cmt: disable
language : english
latitude : (null)
ldap-cache-timeout : 86400
ldapconntimeout : 60000
log-checksum : none
log-forward-cache-size: 0
longitude : (null)
max-running-reports : 1
oftp-ssl-protocol : tlsv1.0
partial-install : disable
perform-improve-by-ha: disable
policy-hit-count : disable
policy-object-in-dual-pane: disable
pre-login-banner : disable
remoteauthtimeout : 10
search-all-adoms : disable
ssl-low-encryption : enable
ssl-protocol : tlsv1.2 tlsv1.1 tlsv1.0
ssl-static-key-ciphers: enable
task-list-size : 2000
timezone : (GMT-8:00) Pacific Time (US & Canada).
tunnel-mtu : 1500
usg : enable
vdom-mirror : disable
webservice-proto : tlsv1.2 tlsv1.1 tlsv1.0
workspace-mode : disabled

FGT (central-management) # get
mode : normal
type : fortimanager
schedule-config-restore: enable
schedule-script-restore: enable
allow-push-configuration: enable
allow-push-firmware : enable
allow-remote-firmware-upgrade: enable
allow-monitor : enable
serial-number : "FMG-SN"
fmg : "IP"
fmg-source-ip : 0.0.0.0
fmg-source-ip6 : ::
local-cert :
vdom : root
server-list:
include-default-servers: enable
enc-algorithm : high
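An added example, not part of the thread and not Fortinet's own tooling: a small Python script that parses the "get" outputs posted above into dictionaries, compares the TLS-relevant keys of the FMG (enc-algorithm, ssl-low-encryption, fgfm-ssl-protocol) against the FGT's enc-algorithm, and classifies where an fgfmd debug trace stops. The strength ordering and the three mismatch rules are heuristics drawn from this thread (assumptions, not Fortinet documentation), and the sample inputs are constructed from the values quoted in the posts.

```python
"""Added example: flag FGFM TLS setting mismatches between FMG and FGT (heuristic)."""
import re

# Constructed sample input, trimmed to the TLS-relevant keys quoted in the thread.
FMG_GET = """enc-algorithm : high
fgfm-ssl-protocol : tlsv1.2
ssl-low-encryption : disable
ssl-protocol : tlsv1.2"""
FGT_GET = """type : fortimanager
enc-algorithm : low"""
DEBUG_RESET = ("FGFMs: Load Cipher [DES:@STRENGTH] FGFMs: SSLv3/TLS write client hello "
               "FGFMs: [__get_error:612] error=5, errno=104,Connection reset by peer.")

def parse_get(output):
    """Parse 'key : value' lines of FortiOS/FortiManager 'get' output into a dict."""
    settings = {}
    for line in output.splitlines():
        m = re.match(r"\s*([\w-]+)\s*:\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings

# Assumed ordering of cipher-strength levels (heuristic, not Fortinet documentation).
STRENGTH = {"low": 0, "default": 1, "high": 2}

def fgfm_tls_findings(fmg, fgt):
    """Return mismatch findings between FMG 'system global' and FGT 'central-management'."""
    findings = []
    fgt_enc = fgt.get("enc-algorithm", "default")
    fmg_enc = fmg.get("enc-algorithm", "default")
    if STRENGTH.get(fmg_enc, 1) > STRENGTH.get(fgt_enc, 1):
        findings.append(f"FGT enc-algorithm '{fgt_enc}' is below FMG enc-algorithm '{fmg_enc}'")
    if fgt_enc == "low" and fmg.get("ssl-low-encryption") == "disable":
        findings.append("FGT offers low (DES-class) ciphers but FMG ssl-low-encryption is disabled")
    proto = fmg.get("fgfm-ssl-protocol", "")
    if fgt_enc == "low" and "tlsv1.0" not in proto.split():
        findings.append(f"FMG fgfm-ssl-protocol is '{proto}'; the thread suggests testing tlsv1.0")
    return findings

def handshake_stage(debug):
    """Classify where an fgfmd debug trace stops in the TLS handshake."""
    if "read server hello" in debug:
        return "server-responded"
    if "write client hello" in debug:
        return "reset-after-client-hello" if "Connection reset by peer" in debug else "no-server-hello"
    return "no-client-hello"

if __name__ == "__main__":
    for finding in fgfm_tls_findings(parse_get(FMG_GET), parse_get(FGT_GET)):
        print("MISMATCH:", finding)
    print("handshake:", handshake_stage(DEBUG_RESET))
```

Run against the two FMG configs in this thread, the script reports three mismatches for Nikita's FMG and none for brazz_FTNT's (enc-algorithm low, ssl-low-encryption enable, fgfm-ssl-protocol tlsv1.0).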
