# diagnose fdsm central-mgmt-status Connection status: Down Registration status: Unknown
I can ping FMG and I have already enabled FMG-access on the interface.
Is there a diagnose command that I could use to find out what the issue could be?
Thanks
Usual suspects: TCP ports. Make sure TCP541 is allowed if there are any devices in between with ACLs.
See allowed inbound/outbound ports:
https://docs.fortinet.com...cols/969270/open-ports
Other issues: You might want to check to see if there are fragmentation issues with the connection between FGT and FGM. I've seen it cause issues in FortiGates hosted on DSL lines.
---
Opinions expressed are my own and may not represent the official opinion of my employer.
Ping is a good start, but verify they exchange port 514 packets TCP freely:

```
diag sniffer packet any 'port 514' 4
```

And if it seems like they do, run debug to see inside this port 514 communication:

```
diag deb app fgfm 255
diag deb enable
```

When it is OK you get Response 200; see example here https://yurisk.info/2020/07/19/fortigate-to-fortimanager-tunnel-connection-debug/
I can't see port 514 packets; they are being exchanged with FortiAnalyzer but not with FortiManager.
I added the system central-management config again and now it's connected to FMG; however, it is on port dmz. How can I force this to connect to FMG via the wan port?
I set 'set fmg-source-ip' to my wan IP address, but still all the communication is from port DMZ.
You're on the right track:

```
config system central-management
    set fmg "192.168.45.220"
    set fmg-source-ip 192.168.45.1
```

(this was previously `set fmg-source-ip 0.0.0.0`)

Then I reimported the config from the FortiManager since it was out of sync.
Now I see this from the FMG:

```
fmg.forttlab222.com # diag sniffer packet port1 'host 192.168.45.1 and tcp port 541'
interfaces=[port1]
filters=[host 192.168.45.1 and tcp port 541]
4.961567 192.168.45.1.2043 -> 192.168.45.220.541: psh 424943148 ack 1274271872
4.961691 192.168.45.220.541 -> 192.168.45.1.2043: psh 1274271872 ack 424943289
4.961853 192.168.45.1.2043 -> 192.168.45.220.541: ack 1274271953
10.061796 192.168.45.1.2043 -> 192.168.45.220.541: psh 424943289 ack 1274271953
...
```
---
Opinions expressed are my own and may not represent the official opinion of my employer.
I did the sniffer from the FortiManager but I can't see any traffic hitting FortiManager.
From my firewall, the firewall is sending out the TCP SYN traffic to the FMG.
That does sound like routing or another firewall in between.
Virtual FortiManager? Does the virtual environment interface mapping perhaps cause issues?
In my case the solution was easier. Just wanted to let you know in case anyone stumbles across this.
My FGT sends logs to (and communicates with) FMG via an IPsec tunnel that is established between the onsite FGT and the HQ FGT (where FMG is). Routing and policies were all fine.
Finally the packet sniffer showed me the problem: FortiAnalyzer on the FGT was simply using a completely wrong source interface (it was set to auto and detected that for whatever reason), so packets did go the right way to FMG completely but had a totally wrong source IP address because of that.
This however did not affect the rest of the FortiManager communication. Rolling out device config or a policy package to the FGT or retrieving a config from the FGT worked fine all the time. It only affected the FortiAnalyzer.
Setting the FMG source IP on the CLI did not help at all, but once I manually set the correct source interface in the log settings on the FGT it started working like a charm...
Sometimes the solution is easier than you think ;)
cheers
Sebastian
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
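Both the one-way SYN traffic the original poster saw and the wrong-source-address case Sebastian describes show up directly in `diag sniffer packet` output, but reading a long capture by eye is error-prone. The following script is an added example, not code from this thread or from Fortinet: it parses verbosity-4 sniffer lines (the layout quoted in the reply above is assumed), groups them into FortiGate-to-FortiManager flows on TCP 541, and reports a flow whose client address is not the intended management source IP, a flow that never gets any packet back from the FortiManager, or a flow the FortiManager resets. The healthy capture is the one quoted in the thread; the one-way capture, the `10.0.0.5` address and the `analyze`/`parse_line` helpers are constructed for the example.

```python
import re
from collections import defaultdict

# Port used by the FortiGate-to-FortiManager (FGFM) protocol, as named in the thread.
FGFM_PORT = 541

# One verbosity-4 packet line of FortiOS `diag sniffer packet` output (assumed layout,
# matching the lines quoted in the thread):
#   "<time> <src>.<sport> -> <dst>.<dport>: <flag> <seq> [ack <n>]"
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)


def parse_line(line):
    """Parse one sniffer line into a dict, or return None for non-packet lines
    (the command echo, 'interfaces=[...]', 'filters=[...]', a trailing '...')."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    # TCP flag words are the alphabetic tokens of the tail: "psh 1 ack 2" -> {"psh", "ack"}.
    pkt["flags"] = {tok for tok in pkt.pop("rest").split() if tok.isalpha()}
    return pkt


def analyze(lines, expected_src, port=FGFM_PORT):
    """Group packets into client->server flows on `port` and return a list of
    (flow_key, finding) tuples. An empty list means the capture looks healthy:
    traffic is two-way and comes from the intended source address."""
    flows = defaultdict(lambda: {"to_server": [], "from_server": []})
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["dport"] == port:      # FortiGate -> FortiManager
            key = (pkt["src"], pkt["sport"], pkt["dst"])
            flows[key]["to_server"].append(pkt["flags"])
        elif pkt["sport"] == port:    # FortiManager -> FortiGate
            key = (pkt["dst"], pkt["dport"], pkt["src"])
            flows[key]["from_server"].append(pkt["flags"])

    findings = []
    for key, f in sorted(flows.items()):
        client_ip, _, server_ip = key
        if client_ip != expected_src:
            # Sebastian's case: right path, wrong source interface/address.
            findings.append((key, f"source {client_ip} is not the expected {expected_src}"))
        if f["to_server"] and not f["from_server"]:
            # The original poster's case: SYNs leave the firewall, nothing ever comes back.
            findings.append((key, f"no packets back from {server_ip}: check routing and TCP {port} ACLs"))
        elif any("rst" in flags for flags in f["from_server"]):
            findings.append((key, f"{server_ip} reset the connection: nothing accepting TCP {port}"))
    return findings


# Capture quoted in the thread (healthy, two-way exchange on TCP 541).
HEALTHY_CAPTURE = """\
fmg.forttlab222.com # diag sniffer packet port1 'host 192.168.45.1 and tcp port 541'
interfaces=[port1]
filters=[host 192.168.45.1 and tcp port 541]
4.961567 192.168.45.1.2043 -> 192.168.45.220.541: psh 424943148 ack 1274271872
4.961691 192.168.45.220.541 -> 192.168.45.1.2043: psh 1274271872 ack 424943289
4.961853 192.168.45.1.2043 -> 192.168.45.220.541: ack 1274271953
10.061796 192.168.45.1.2043 -> 192.168.45.220.541: psh 424943289 ack 1274271953
...
""".splitlines()

# Constructed capture (not from the thread): the FortiGate retransmits SYNs from the
# wrong address (a DMZ interface, 10.0.0.5 here) and the FortiManager never answers.
ONE_WAY_CAPTURE = """\
0.512345 10.0.0.5.3001 -> 192.168.45.220.541: syn 111111
1.512345 10.0.0.5.3001 -> 192.168.45.220.541: syn 111111
3.512345 10.0.0.5.3001 -> 192.168.45.220.541: syn 111111
""".splitlines()


if __name__ == "__main__":
    for name, capture in (("healthy", HEALTHY_CAPTURE), ("one-way", ONE_WAY_CAPTURE)):
        findings = analyze(capture, expected_src="192.168.45.1")
        print(f"{name}: {'looks healthy' if not findings else 'problems found'}")
        for key, msg in findings:
            print(f"  flow {key}: {msg}")
```

Run it with the capture pasted from the FortiGate or FortiManager side; pass the address configured as `fmg-source-ip` (or the address of the interface you expect the FGFM session to use) as `expected_src`. A flow reported with a different client address is the symptom Sebastian hit, and a flow with no return packets points at ACLs or routing between the two devices rather than at the FortiGate configuration.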
Copyright 2025 Fortinet, Inc. All Rights Reserved.