Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
newbietonac
New Contributor II

Fortinac Agent Issue

New to FortiNAC, so very low knowledge of it right now. But we recently upgraded our appliance and went from a physical to a virtual server. Some names of the actual server got changed, and while everything looks good for the most part, no client I look up shows that it has the persistent agent. I went into the logs and it looks like it is trying to reach out to the old FortiNAC server and not the new one. It has the most recent agent but is not looking for the new server. I've changed the DNS records of bradford_tcp and bradford_udp to the new server and still no luck. Are there any other places I need to make changes to point my clients to the new server?

AEK
SuperUser

Check the below registry value.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Bradford Networks\Persistent Agent
 homeServer (SZ): fortinac.yourdomain.com

Make sure it points to the right FQDN or IP of your NAC server.

ebilcari
Staff

You can follow the verification steps shown in this article. Make sure the 'Persistent Agent' certificate uploaded in the new FNAC includes the new domain.

If the registry entry on the end hosts shows the old domain in 'Last Connected Server', that may take precedence temporarily as long as the old server still responds to the requests; more details on page 11. If the old server is put offline, then the discovery process will be triggered.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
newbietonac

This looks exactly how I have it, everything in DNS is there, and an nslookup from my machine shows the correct server and name. However, when I restart the FortiNAC agent and look at the C:\ProgramData\Bradford Networks general logs, it's not pointed to the same server; it's still trying to connect to the old retired server.

 

ebilcari

Have you checked the registry editor output, which domain is listed in 'Last Connected Server'? I have edited/added some more information in my previous reply.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
newbietonac

Last Connected Server is the old server, and I edited the home server to the new FQDN, yet the logs show it's still trying the old server, which is strange to me. Almost like it's ignoring my changes. Is it possible to completely delete the old registry settings and restart?

ebilcari

For testing, on one of the end hosts you can try to manually stop the agent service, change the registry attributes (empty all the domains) and then start the agent service again.

(screenshot: Pa service.PNG)

 

The registry settings can also be applied via GPO from the DC; verify that it is not actively pushing the old domain.

 

If you can isolate the communication with the old FNAC (from a 3rd party fw), the agent will be forced to discover other available FNAC servers in the network.

 

Also check in both FNAC servers if 'Require Connected Adapter' or 'Allowed IP Subnets' are configured:

(screenshot: require.PNG)

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
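The manual test above (stop the agent, inspect and clear the server values, check that GPO is not re-pushing the old domain) starts with knowing where the host is getting the old name from. The following PowerShell is an added example, not the poster's or Fortinet's code: a read-only audit that lists every value under the Persistent Agent policy key quoted in this thread, plus the key the agent writes its own state to (that second path, the DNS record type, and the placeholder names are assumptions), and flags anything still referencing the retired server.

```powershell
# Added example, not the poster's or Fortinet's code: read-only audit of where a
# Windows host's FortiNAC Persistent Agent is getting its server name from.
param(
    [string]$OldServer = 'oldnac.example.com',   # constructed placeholder
    [string]$Domain    = 'example.com'           # constructed placeholder
)

# First path is the policy key quoted in the thread (owned by GPO if present).
# Second path is assumed to be where the agent stores its own state, e.g.
# 'Last Connected Server'; use the path regedit shows on your host if it differs.
$keys = @(
    'HKLM:\SOFTWARE\Policies\Bradford Networks\Persistent Agent',
    'HKLM:\SOFTWARE\Bradford Networks\Persistent Agent'
)

$report = @(foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $value = [string]$item.GetValue($name)
        [pscustomobject]@{
            Source = $key
            Name   = $name                      # e.g. homeServer
            Value  = $value
            Stale  = $value -like "*$OldServer*"
        }
    }
})

# DNS records named in the thread; exact record name/type is whatever your DNS
# holds, so SRV is tried first (assumption) and a plain lookup second.
foreach ($rec in 'bradford_tcp', 'bradford_udp') {
    $fqdn = "$rec.$Domain"
    $ans = Resolve-DnsName -Name $fqdn -Type SRV -ErrorAction SilentlyContinue
    if (-not $ans) { $ans = Resolve-DnsName -Name $fqdn -ErrorAction SilentlyContinue }
    $target = if ($ans.NameTarget) { $ans.NameTarget -join ',' } else { $ans.IPAddress -join ',' }
    $report += [pscustomobject]@{
        Source = 'DNS'; Name = $fqdn; Value = $target
        Stale  = "$target" -like "*$OldServer*"
    }
}

$report | Format-Table Source, Name, Value, Stale -AutoSize

# A Stale row under the Policies key is re-applied by Group Policy at the next
# refresh: fix the GPO (gpresult /r lists which ones apply) before clearing the
# host-side values and restarting the agent service, or the old name comes back.
if ($report | Where-Object Stale) { Write-Warning "'$OldServer' is still referenced on this host" }
```

Run it elevated on one affected host; a stale hit only in the policy key points at GPO, a hit only in the second key points at cached agent state, and a stale DNS answer means the record change has not reached the resolver the host uses.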
newbietonac

So I had that question to myself. Currently that box is checked however no subnets are in that area. Would I need to put in all my subnets or would unchecking that box allow any connections from my domain. I have 46 different sites with all different subnets, I would need to enter them all here?

ebilcari

That option (disabled by default) means that FNAC will keep PA connections only from hosts that are connected to one of the network devices that are managed by that FNAC. So after the PA connects to a FNAC that doesn't see that host as connected it will trigger a disconnect.

 

(screenshot: descriptions.PNG)

During the migration phase you can choose to disable this feature. Also if there aren't multiple FNAC pods in the network this is not needed.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
newbietonac

OK, found this: I cleared all lines in regedit to make it search for one, and it still finds the old retired server. I've removed it from DNS and manually from the registry, so where could it possibly be finding this location from if this server is retired?
