Support Forum
Sadhi_Jayz
New Contributor III

ZTNA Policy Denied: Error Code: 066 - No Device Info Found
Hi Fortinet Community,

[Image: FCEMS.drawio.png]

[Image: x.png (the error message)]

Despite this, everything seems fine on the FortiGate side:

  1. The ZTNA tags are successfully synced from EMS.
  2. The relevant endpoint appears under the correct tag in the FortiGate.
  3. Running diagnostics shows that the endpoint is recognized and tagged appropriately.
  4. "diagnose endpoint ec-shm list" command correctly shows the endpoint info.

[Image: Screenshot (106).png]

I can't identify where the issue is happening—whether it's on the client, EMS, or FortiGate.

Has anyone encountered this issue or have suggestions on what else I should check?

Appreciate any help or guidance from the community!

Thanks.

1 Solution
Sadhi_Jayz

Hi @atakannatak,

I have identified the issue.

[Image: Untitled.png]

I had previously installed a custom EMS CA certificate (ZTNA). After removing it and reverting to the default certificate, ZTNA access started working as expected.

Best regards.

Sadhi

2 REPLIES
atakannatak
Contributor II

Hi @Sadhi_Jayz,

Error 066 (“No device information found”) indicates the FortiGate did not receive the endpoint-identity header from FortiClient, so it cannot match the HTTPS request to a device record and therefore denies the ZTNA policy. The FortiClient agent is not injecting the header—most often because the ZTNA connection rule (FQDN/port) does not match the URL the user is accessing, the ZTNA certificate pairing is broken, or the client is not in a “ZTNA Connected” state.

https://docs.fortinet.com/document/fortigate/7.6.0/ztna-reference-guide/25473/error-codes-and-replac...

The following debug commands can be used for further analysis:

  • diagnose endpoint record list <client-IP>

To see whether the device record or tag updates arrive, run real-time fcnacd debugs:

  • diagnose debug application fcnacd -1
  • diagnose debug enable

Troubleshoot WAD in real time to see how the proxy handles client requests:

  • diagnose wad debug enable category all
  • diagnose wad debug enable level verbose
  • diagnose debug enable

Once we have the captured output, we can trace exactly how wad handled each request and pinpoint the root cause.

BR.

If my answer provided a solution for you, please mark the reply as the solution so that others can find it easily when searching for similar scenarios.

CCIE #68781

Atakan Atak
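The "certificate pairing" mentioned in the reply above is what the accepted solution turned out to have broken: EMS acts as a CA that issues each endpoint its ZTNA client certificate, and the FortiGate accepts a device only when that certificate chains to the EMS CA it trusts. The Go program below is an added illustration of that dependency, not code from this thread, from FortiClient or from FortiOS. It builds two CAs (a "default" and a "custom" one, names assumed), issues a device certificate under the default CA, and runs a gateway-side check against each CA. Carrying the endpoint UID in the certificate CN, and modelling the FortiOS check as plain X.509 chain validation, are assumptions for illustration; the real check runs inside WAD and its details are not shown on this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ca bundles a CA certificate with its signing key. In the ZTNA model on this
// page EMS plays this role; the FortiGate holds only the certificate.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCA creates a self-signed CA (used for both the assumed "default" and
// "custom" EMS CAs).
func newCA(name string) (*ca, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ca{cert: cert, key: key}, nil
}

// issueDeviceCert issues the client certificate an endpoint would present.
// The endpoint UID in the CN is an assumption made for this illustration.
func (c *ca) issueDeviceCert(uid string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: uid},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, &key.PublicKey, c.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// deviceUIDFromClientCert is the gateway-side check: accept the client
// certificate only if it chains to the EMS CA the gateway trusts, then return
// the identity used to look up the endpoint record. A chain failure is what
// leaves the gateway with no device info to match.
func deviceUIDFromClientCert(trustedEMSCA, client *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(trustedEMSCA)
	if _, err := client.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return "", fmt.Errorf("no device info: client cert does not chain to trusted EMS CA: %w", err)
	}
	if client.Subject.CommonName == "" {
		return "", errors.New("no device info: client cert carries no UID")
	}
	return client.Subject.CommonName, nil
}

func main() {
	defaultCA, err := newCA("EMS default ZTNA CA")
	if err != nil {
		panic(err)
	}
	customCA, err := newCA("custom EMS CA")
	if err != nil {
		panic(err)
	}
	dev, err := defaultCA.issueDeviceCert("EP-0001") // constructed sample endpoint
	if err != nil {
		panic(err)
	}
	// Gateway trusts the issuing CA: device identified.
	uid, err := deviceUIDFromClientCert(defaultCA.cert, dev)
	fmt.Println("matching CA:", uid, err)
	// Gateway trusts a different CA: no device info, access denied.
	uid, err = deviceUIDFromClientCert(customCA.cert, dev)
	fmt.Println("mismatched CA:", uid, err)
}
```

The second call fails even though the endpoint is enrolled, tagged and visible in `diagnose endpoint ec-shm list`: the endpoint record exists, but the gateway never gets as far as looking it up because the certificate it was handed does not chain to the CA it trusts. When swapping the EMS CA, the gateway's trusted copy and the certificates already pushed to clients have to change together.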