dupcu
New Contributor II

VM FortiManager Spoke Probe Failed

Hi,

 

I get errors when I want to add a device to FortiManager.
The devices are on the same network and have ICMP access to each other. All outputs are as follows. Why am I getting errors? Can you help me?

 

[Images: sniffer.png, error1.png, error2.png]

Manager # Request [dvm/cmd:dvm/cmd/discover/device ...:5825:2]:
{ "client": "dvm\/cmd:dvm\/cmd\/discover\/device ...:5825", "id": 2, "method": "exec", "params": [{ "data": { "host": "192.168.1.17", "passwd": "******", "usr": "admin"}, "target start": 1, "url": "probe\/device"}], "root": "deployment", "session": -1}
Chkperm Response [dvm/cmd:dvm/cmd/discover/device ...:5825:2]:
{ "id": 2, "result": [{ "status": { "code": 0, "message": "OK"}, "url": "probe\/device"}], "session": -1}
start_dmsvc_probe_device,788: dev_oid=0, host=192.168.1.17, flags=0x0
__enter_state,440: dev_oid=0, start check_reachable
Start probe_dev.check_reachable ... 
__on_state,446: dev_oid=0, check_reachable, done, events=16 r=0
__enter_state,440: dev_oid=0, start start_probe_session
Request [dmserver:885:8]:
{ "client": "dmserver:885", "id": 8, "method": "exec", "params": [{ "data": { "detect_only": 0, "force_probe": 0, "ip": "192.168.1.17", "passwd": "******", "usr": "admin"}, "url": "start\/probe\/session"}], "root": "fgfm"}
Start probe_dev.start_probe_session ... 
Response [unknown]:
{ "id": 8, "result": [{ "status": { "code": 1, "message": "internal error"}, "url": "start\/probe\/session"}]}
__on_state,446: dev_oid=0, start_probe_session, done, events=8 r=0
__fgfm_cb,619: error: probe_status=1, proto=1
__p_o_cleanup,548: cleanup...
__p_finish,539: status=-15, has_devinfo=0
Response [dvm/cmd:dvm/cmd/discover/device ...:5825:2]:
{ "id": 2, "result": [{ "status": { "code": -35007, "message": "Fgfm protocol error"}, "url": "probe\/device"}]}
__o_cleanup,119: fgfm probe cleanup...
Request [dvm/cmd:dvm/cmd/discover/device ...:5966:2]:
{ "client": "dvm\/cmd:dvm\/cmd\/discover\/device ...:5966", "id": 2, "method": "exec", "params": [{ "data": { "host": "192.168.1.17", "passwd": "******", "usr": "admin"}, "target start": 1, "url": "probe\/device"}], "root": "deployment", "session": -1}
Chkperm Response [dvm/cmd:dvm/cmd/discover/device ...:5966:2]:
{ "id": 2, "result": [{ "status": { "code": 0, "message": "OK"}, "url": "probe\/device"}], "session": -1}
start_dmsvc_probe_device,788: dev_oid=0, host=192.168.1.17, flags=0x0
__enter_state,440: dev_oid=0, start check_reachable
Start probe_dev.check_reachable ... 
__on_state,446: dev_oid=0, check_reachable, done, events=16 r=0
__enter_state,440: dev_oid=0, start start_probe_session
Request [dmserver:885:9]:
{ "client": "dmserver:885", "id": 9, "method": "exec", "params": [{ "data": { "detect_only": 0, "force_probe": 0, "ip": "192.168.1.17", "passwd": "******", "usr": "admin"}, "url": "start\/probe\/session"}], "root": "fgfm"}
Start probe_dev.start_probe_session ... 
Response [unknown]:
{ "id": 9, "result": [{ "status": { "code": 1, "message": "internal error"}, "url": "start\/probe\/session"}]}
__on_state,446: dev_oid=0, start_probe_session, done, events=8 r=0
__fgfm_cb,619: error: probe_status=1, proto=1
__p_o_cleanup,548: cleanup...
__p_finish,539: status=-15, has_devinfo=0
Response [dvm/cmd:dvm/cmd/discover/device ...:5966:2]:
{ "id": 2, "result": [{ "status": { "code": -35007, "message": "Fgfm protocol error"}, "url": "probe\/device"}]}
__o_cleanup,119: fgfm probe cleanup...

 

Regards,

Umit.

1 Solution
smkml
Staff

Hi Umit,

 

If your FMG CLI is able to enable the configuration below, please enable it.
# config system global
# set fgfm-peercert-withoutsn enable
# end

While adding the device from FMG, in your FGT CLI, please run the command below:

# exec central-mgmt register-device <FMG S/N> <password>
 

4 REPLIES
jiahoong112
Staff

To start off, please follow this troubleshooting guide for FortiGate-FortiManager connections: https://community.fortinet.com/t5/FortiManager/Troubleshooting-Tip-How-to-troubleshoot-connectivity-...

From your sniffer packet snippet, I can see that the traffic from FortiGate is egressing port1. Assuming that port1 is the interface that you reach FortiManager with, please ensure that you have 'FMG-Access' enabled in the port configuration's Administrative Access.

dupcu
New Contributor II

Hi,

 

The outputs are as follows.

The problem persists.

------------------------------------------------------------

 

Spokee # execute telnet 192.168.1.18 541
Trying 192.168.1.18...
Connected to 192.168.1.18.


Spokee # diagnose fdsm central-mgmt-status
Connection status: Down
Registration status: Unknown
Serial: 

Spokee # 20

2024-06-04 10:55:22 FGFMs: client:send:
get ip
serialno=FGVMEVN7VT1RL55D
mgmtid=757398627
platform=FortiGate-VM64
fos_ver=700
minor=0
patch=15
build=632
branch=632
maxvdom=1
fg_ip=192.168.1.17
hostname=Spokee
harddisk=yes
biover=04000002
harddisk_size=30720
logdisk_size=30235
mgmt_mode=normal
enc_flags=0
first_fmgid=    
probe_mode=yes
vdom=root
intf=port1


2024-06-04 10:55:22 FGFMs: serial no FMG-VMTM24008871 saved to FMG detect file
2024-06-04 10:55:23 FGFMs: Cleanup session 0xffceab0, 192.168.1.18.
2024-06-04 10:55:23 FGFMs: Destroy session 0xffceab0, 192.168.1.18.
2024-06-04 10:55:23 FGFMs: Create session 0xffceab0.
2024-06-04 10:55:23 FGFMs: setting session 0xffceab0 exclusive=0
2024-06-04 10:55:23 FGFMs: Connect to 192.168.1.18:541, local 192.168.1.17:1410.
2024-06-04 10:55:23 FGFMs: set_fgfm_sni SNI<support.fortinet-ca2.fortinet.com>
2024-06-04 10:55:23 FGFMs: Load Cipher [ALL:!RC4:!EXPORT:@STRENGTH]
2024-06-04 10:55:23 FGFMs: Cleanup session 0xffceab0, 192.168.1.18.
2024-06-04 10:55:23 FGFMs: Destroy session 0xffceab0, 192.168.1.18.
2024-06-04 10:55:23 FGFMs: __detect_fmg_create: start a new detect request(192.168.1.18)
2024-06-04 10:55:23 FGFMs: Create session 0xffcafe0.
2024-06-04 10:55:23 FGFMs: setting session 0xffcafe0 exclusive=0
2024-06-04 10:55:23 FGFMs: Connect to 192.168.1.18:541, local 192.168.1.17:6215.
2024-06-04 10:55:23 FGFMs: set_fgfm_sni SNI<support.fortinet-ca2.fortinet.com>
2024-06-04 10:55:23 FGFMs: Load Cipher [ALL:!RC4:!EXPORT:@STRENGTH]
2024-06-04 10:55:23 FGFMs: __handle_detect_fmg_req: detect session doesn't exist, start a new one
2024-06-04 10:55:23 FGFMs: before SSL initialization
2024-06-04 10:55:23 FGFMs:       CA to broadcast: subject fortinet-subca2003, issuer fortinet-ca2
2024-06-04 10:55:23 FGFMs:       CA to broadcast: subject support, issuer support
2024-06-04 10:55:23 FGFMs:       CA to broadcast: subject fortinet-ca2, issuer fortinet-ca2
2024-06-04 10:55:23 FGFMs:       CA to broadcast: subject fortinet-subca2001, issuer fortinet-ca2




2024-06-04 10:55:23 FGFMs: Broadcast 4 CA subject names to FMG
2024-06-04 10:55:23 FGFMs: SSLv3/TLS write client hello
2024-06-04 10:55:23 FGFMs: [__get_error:1052] error=5, errno=104,Connection reset by peer.
2024-06-04 10:55:24 FGFMs: Cleanup session 0xffcafe0, 192.168.1.18.
2024-06-04 10:55:24 FGFMs: Destroy session 0xffcafe0, 192.168.1.18.
2024-06-04 10:55:25 FGFMs: __detect_fmg_destroy_internal: send detect fmg resp for 192.168.1.18 to client
2024-06-04 10:55:25 FGFMs: __send_detect_fmg_response: sending detect fmg response to client succeeded
2024-06-04 10:55:25 FGFMs: __remove_detect_fmg: Removing detect fmg service
2024-06-04 10:55:25 FGFMs: Destroy stream_svr_obj

 

[Images: manager.png, spoke fmg.png, spoke.png]

dupcu
New Contributor II

Hi,

Thank you for your help.
The set fgfm-peercert-withoutsn enable command solved my problem.
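
Added example (not part of the original thread, and not Fortinet code): a small Python triage of the FortiGate-side FGFM debug output posted above, showing that the failing session got as far as the TLS ClientHello before FortiManager reset it, which is why a reachable port 541 did not rule out a rejection at the handshake. The stage names and verdict strings are assumptions made for this example; the sample lines are excerpted from the thread.

```python
import re

# FortiGate-side FGFM debug lines, excerpted from the output posted in this thread.
SAMPLE = """\
2024-06-04 10:55:23 FGFMs: Create session 0xffceab0.
2024-06-04 10:55:23 FGFMs: Connect to 192.168.1.18:541, local 192.168.1.17:1410.
2024-06-04 10:55:23 FGFMs: Destroy session 0xffceab0, 192.168.1.18.
2024-06-04 10:55:23 FGFMs: Create session 0xffcafe0.
2024-06-04 10:55:23 FGFMs: Connect to 192.168.1.18:541, local 192.168.1.17:6215.
2024-06-04 10:55:23 FGFMs: SSLv3/TLS write client hello
2024-06-04 10:55:23 FGFMs: [__get_error:1052] error=5, errno=104,Connection reset by peer.
2024-06-04 10:55:24 FGFMs: Destroy session 0xffcafe0, 192.168.1.18.
"""

MSG = re.compile(r"FGFMs: (.*)$", re.M)
STAGES = [  # markers in the order a session normally passes them (names are hypothetical)
    ("tcp_connect", re.compile(r"^Connect to (\S+?),")),
    ("tls_client_hello", re.compile(r"write client hello")),
]
ERROR = re.compile(r"error=(\d+), errno=(\d+),\s*(.+?)\.?$")
ECONNRESET = 104  # Linux errno value, as printed in the log

def verdict(s):
    """Hypothetical wording: says which layer the session died in."""
    if s["stage"] == "tls_client_hello" and s["errno"] == ECONNRESET:
        return "TCP reached the peer; peer reset the TLS handshake after ClientHello"
    if s["errno"] is None:
        return "closed at %s without a logged error" % s["stage"]
    return "failed at %s: %s" % (s["stage"], s["error"])

def triage(text):
    """Return one dict per 'Create session': peer, last stage, errno, error, verdict."""
    sessions = []
    for msg in MSG.findall(text):
        if msg.startswith("Create session"):
            sessions.append({"peer": None, "stage": "created", "errno": None, "error": None})
        if not sessions:
            continue  # ignore lines logged before the first session is created
        cur = sessions[-1]
        for name, pat in STAGES:
            hit = pat.search(msg)
            if hit:
                cur["stage"] = name
                cur["peer"] = hit.group(1) if name == "tcp_connect" else cur["peer"]
        err = ERROR.search(msg)
        if err:
            cur["errno"], cur["error"] = int(err.group(2)), err.group(3)
    return [dict(s, verdict=verdict(s)) for s in sessions]
```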
