Christopher McMullan_FTNT wrote:

Could you be more specific about what's broken?

 

-FGT OS version

-What kind of settings you're trying to push down via EC profile

-The topology of the client connection (on-net vs. off-net, behind L3 device or local to FGT, etc.)

-Mobile OS being used

-FortiClient version being used

-History of the problem

-Steps you have already taken to troubleshoot or fix

-Screenshots or log entries

now I'm using v5.2.3 for FGT and latest version for FCT(android)...

my mobile console: SONY xperia TX(android v4.3)

I did try the following methods to push registration information into FortiGate which enabled EC:

1. directly via internet

2. via VPN(IPsec or SSLVPN)

firstly, FCT did show successful message after registering..

then, about waiting a seconds, FCT immediately prompt unsuccessful message response

and, failed to register to FGT..

I don't know why???...

Christopher McMullan_FTNT wrote:

As long as FCT-Access is enabled on the interface facing clients, I would run a debug on 'fcnacd' and run it by TAC for analysis:

 

diag debug reset

diag debug enable

diag debug console timestamp enable

diag debug application fcnacd -1

<attempt a client connection, then when it fails...>

diag debug reset

diag debug disable

 

The diagnostics should show when/why the association failed, and with a timestamp, would give a reasonably accurate duration for the successful part of the connection.

hello, I seem to find a problem..

on the cellular network(ex: 3G) or VPN over cellular network, the endpoint control function does NOT get good working..

how can I stay away from this problem???

Christopher McMullan_FTNT wrote:

Anecdotally, I've used EC over LTE with little or no issue. Does your client frequently connect, disconnect, and re-connect to the FGT?

 

I still think a capture of debug output from 'fcnacd' would help here.

HOSTNAME=localhost
OSVER=Android Phone 4.3
USER=Android
DESC=Sony LT29i 9.2.A.1.205
COM_MAN=Sony
COM_MODEL=LT29i
CPU=ARM
MEM=847
UPTIME=1433134482
EP_CHKSUM=

2015-06-03 00:13:52 [__update_ec_record_sys_data:1075] reg_status: 0
2015-06-03 00:13:52 [__update_ec_record_sys_data:1087] fct_os: AOS00
2015-06-03 00:13:52 [__update_ec_record_sys_data:1091] fct_ver: 5.2.5.0103
2015-06-03 00:13:52 [__update_ec_record_sys_data:1128] enabled_features(20): av(0)fw(0)wf(1)as(0)vn(1)vs(0)
2015-06-03 00:13:52 [__update_ec_record_sys_data:1141] installed_features(20): av(0)fw(0)wf(1)as(0)vn(1)vs(0)
2015-06-03 00:13:52 [__update_ec_record_sys_data:1159] hostname: localhost
2015-06-03 00:13:52 [__update_ec_record_sys_data:1174] osver: Android Phone 4.3
2015-06-03 00:13:52 [__update_ec_record_sys_data:1179] user: Android
2015-06-03 00:13:52 [__update_ec_record_sys_data:1164] desc: Sony LT29i 9.2.A.1.205
2015-06-03 00:13:52 [__update_ec_record_sys_data:1190] comp manu.: Sony
2015-06-03 00:13:52 [__update_ec_record_sys_data:1194] comp model: LT29i
2015-06-03 00:13:52 [__update_ec_record_sys_data:1198] cpu model: ARM
2015-06-03 00:13:52 [__update_ec_record_sys_data:1202] mem: 847
2015-06-03 00:13:52 [__update_ec_record_sys_data:1206] uptime: 1433134482
2015-06-03 00:13:52 [__update_ec_record_sys_data:1262] forticlient csum:
2015-06-03 00:13:52 [fcnacd_reg_sync.c:659] sendto 10.1.1.16, type=0x00, datalen=344
2015-06-03 00:13:52 [fcnacd_forticlient_request_fcc_connection:1995] base64 decoded fccinfo data: VER=1
FCTVER=5.2.5.0103
UID=CB5A1M13YX
IP=223.141.236.147
HOST=localhost
USER=Android
OSVER=Android Phone 4.3

2015-06-03 00:13:52 [__process_reg_msg:2369] forticlient CB5A1M13YX is registered!
2015-06-03 00:13:52 [__process_reg_msg:2370] licence granted for CB5A1M13YX
2015-06-03 00:13:52 fcnacd_forticlient.c:389:0 fcnacd_forticlient_change_state: called
2015-06-03 00:13:52 change state to: FCNAC_FORTICLIENT_STATE_SEND_REG_REPLY
2015-06-03 00:13:52 fcnacd_forticlient.c:2401:0 fcnacd_forticlient_send_reg_reply: called
2015-06-03 00:13:52 fcnacd_forticlient.c:2429:0 fcnacd_forticlient_prepare_reg_reply: called
2015-06-03 00:13:52 [fcnacd_forticlient_prepare_reg_reply:2447] FCREGRPLY = FCREGRPLY: REG|0-FG200P3911600080:1:FG200P3911600080:root:123:7245:0:99:0|
2015-06-03 00:13:52 [ec_find_matching_profile:1943] find matching profile 'default'
2015-06-03 00:13:52 [__generate_forticlient_config:3635] XML config (1018) = <?xml version="1.0" encoding="utf-8"?><forticlient_configuration generatedby="FortiGate-200B-POE v5.2.3,build0670,150318 (GA)" policy="default">
<version>5.0</version>
<endpoint_control>
<checksum>540cad63b71bc69cd5d3b9d86f9f38ba</checksum>
</endpoint_control>
<system>
<ui>
<ads>0</ads>
<password></password>
</ui>
<log_settings>
<remote_logging>
<log_upload_enabled>0</log_upload_enabled>
</remote_logging>
<onnet_local_logging>0</onnet_local_logging>
</log_settings>
<update>
<use_custom_server>0</use_custom_server>
</update>
</system>
<antivirus>
<enabled>0</enabled><real_time_protection>
<enabled>0</enabled>
</real_time_protection>
</antivirus>
<firewall>
<enabled>0</enabled>
</firewall>
<webfilter>
<enable_filter>0</enable_filter>
</webfilter>
<vpn>
<sslvpn><options><enabled>0</enabled></options></sslvpn>
<ipsecvpn><options><enabled>0</enabled></options></ipsecvpn>
</vpn>
<vulnerability_scan>
<enabled>0</enabled>
</vulnerability_scan>
</forticlient_configuration>

2015-06-03 00:13:52 fcnacd_common.c:217:0 fcnacd_send_data: called
2015-06-03 00:13:52 fcnacd_forticlient.c:389:0 fcnacd_forticlient_change_state: called
2015-06-03 00:13:52 change state to: FCNAC_FORTICLIENT_STATE_DISCONNECT
2015-06-03 00:13:52 fcnacd_forticlient.c:3921:0 fcnacd_forticlient_disconnect: called
2015-06-03 00:13:52 message_loop: checking timeouts
2015-06-03 00:13:52 fcnacd_forticlient.c:252:0 fcnacd_forticlient_read: called
2015-06-03 00:13:52 fcnacd_forticlient.c:3921:0 fcnacd_forticlient_disconnect: called
2015-06-03 00:13:52 fcnacd_forticlient.c:389:0 fcnacd_forticlient_change_state: called
2015-06-03 00:13:52 change state to: FCNAC_FORTICLIENT_STATE_DONE
2015-06-03 00:13:52 fcnacd_forticlient.c:3962:0 fcnacd_forticlient_done: called
2015-06-03 00:13:52 message_loop: checking timeouts
2015-06-03 00:13:52 fcnacd_forticlient.c:389:0 fcnacd_forticlient_change_state: called
2015-06-03 00:13:52 change state to: FCNAC_FORTICLIENT_STATE_CONNECT
2015-06-03 00:13:52 fcnacd_forticlient.c:1606:0 fcnacd_forticlient_connect: called
2015-06-03 00:13:52 message_loop: checking timeouts
2015-06-03 00:13:52 fcnacd_forticlient.c:252:0 fcnacd_forticlient_read: called
2015-06-03 00:13:52 fcnacd_forticlient.c:1606:0 fcnacd_forticlient_connect: called
2015-06-03 00:13:52 message_loop: checking timeouts
2015-06-03 00:13:52 fcnacd_forticlient.c:252:0 fcnacd_forticlient_read: called
2015-06-03 00:13:52 fcnacd_forticlient.c:1606:0 fcnacd_forticlient_connect: called
2015-06-03 00:13:52 message_loop: checking timeouts
2015-06-03 00:13:52 fcnacd_forticlient.c:252:0 fcnacd_forticlient_read: called
2015-06-03 00:13:52 fcnacd_forticlient.c:1606:0 fcnacd_forticlient_connect: called
2015-06-03 00:13:53 fcnacd_forticlient.c:389:0 fcnacd_forticlient_change_state: called
2015-06-03 00:13:53 change state to: FCNAC_FORTICLIENT_STATE_READ_REQ
2015-06-03 00:13:53 fcnacd_forticlient.c:1483:0 fcnacd_forticlient_read_req: called
2015-06-03 00:13:53 fcnacd_common.c:135:0 fcnacd_read_data: called
2015-06-03 00:13:53 message_loop: checking timeouts
2015-06-03 00:13:53 fcnacd_forticlient.c:252:0 fcnacd_forticlient_read: called
2015-06-03 00:13:53 fcnacd_forticlient.c:1483:0 fcnacd_forticlient_read_req: called
2015-06-03 00:13:53 fcnacd_common.c:135:0 fcnacd_read_data: called
2015-06-03 00:13:53 fcnacd_forticlient.c:1381:0 __extract_ftcl_id_header: called
2015-06-03 00:13:53 [__extract_ftcl_id_header:1397] received ID header = FCTUID=CB5A1M13YX
IP=223.141.236.147
MAC=CB-5A-1M-13-YX-
CAPS=1

2015-06-03 00:13:53 [__extract_ftcl_id_header:1422] received ID header = UID(CB5A1M13YX);IP(223.141.236.147);MAC(cb:5a:01:e8:e8:de);CAPS(1)
2015-06-03 00:13:53 fcnacd_forticlient.c:1365:0 fcnacd_forticlient_process_ka_msg: called
2015-06-03 00:13:53 fcnacd_forticlient.c:1028:0 __update_ec_record_sys_data: called
2015-06-03 00:13:53 [__update_ec_record_sys_data:1057] base64 decoded sys data: REG_STATUS=1
REG_FGT=FG200P3911600080
FCTOS=AOS00
FCTVER=5.2.5.0103
FCTDATE=20150529
ENABLED_FEATURE_BITMAP=20
INSTALLED_FEATURE_BITMAP=20
HOSTNAME=localhost
OSVER=Android Phone 4.3
USER=Android
DESC=Sony LT29i 9.2.A.1.205
COM_MAN=Sony
COM_MODEL=LT29i
CPU=ARM
MEM=847
UPTIME=1433134482
EP_CHKSUM=540cad63b71bc69cd5d3b9d86f9f38ba

2015-06-03 00:13:53 [__update_ec_record_sys_data:1075] reg_status: 1
2015-06-03 00:13:53 [__update_ec_record_sys_data:1079] reg_fgt: FG200P3911600080
2015-06-03 00:13:53 [__update_ec_record_sys_data:1087] fct_os: AOS00
2015-06-03 00:13:53 [__update_ec_record_sys_data:1091] fct_ver: 5.2.5.0103
2015-06-03 00:13:53 [__update_ec_record_sys_data:1128] enabled_features(20): av(0)fw(0)wf(1)as(0)vn(1)vs(0)
2015-06-03 00:13:53 [__update_ec_record_sys_data:1141] installed_features(20): av(0)fw(0)wf(1)as(0)vn(1)vs(0)
2015-06-03 00:13:53 [__update_ec_record_sys_data:1159] hostname: localhost
2015-06-03 00:13:53 [__update_ec_record_sys_data:1174] osver: Android Phone 4.3
2015-06-03 00:13:53 [__update_ec_record_sys_data:1179] user: Android
2015-06-03 00:13:53 [__update_ec_record_sys_data:1164] desc: Sony LT29i 9.2.A.1.205
2015-06-03 00:13:53 [__update_ec_record_sys_data:1190] comp manu.: Sony
2015-06-03 00:13:53 [__update_ec_record_sys_data:1194] comp model: LT29i
2015-06-03 00:13:53 [__update_ec_record_sys_data:1198] cpu model: ARM
2015-06-03 00:13:53 [__update_ec_record_sys_data:1202] mem: 847
2015-06-03 00:13:53 [__update_ec_record_sys_data:1206] uptime: 1433134482
2015-06-03 00:13:53 [__update_ec_record_sys_data:1262] forticlient csum: 540cad63b71bc69cd5d3b9d86f9f38ba
2015-06-03 00:13:53 fcnacd_forticlient.c:1344:0 __recheck_dhcp_on_net_status: called
2015-06-03 00:13:53 fcnacd_forticlient.c:389:0 fcnacd_forticlient_change_state: called
2015-06-03 00:13:53 change state to: FCNAC_FORTICLIENT_STATE_SEND_KA_REPLY
2015-06-03 00:13:53 fcnacd_forticlient.c:2477:0 fcnacd_forticlient_send_ka_reply: called
2015-06-03 00:13:53 fcnacd_forticlient.c:3726:0 fcnacd_forticlient_prepare_ka_reply: called
2015-06-03 00:13:53 [fcnacd_forticlient_prepare_ka_reply:3740] CONT = CONT|0|
2015-06-03 00:13:53 [fcnacd_forticlient_prepare_ka_reply:3749] LICENCE_VER = LICENCE_VER|99|
2015-06-03 00:13:53 [fcnacd_forticlient_prepare_ka_reply:3756] DHCP_ON_NET = DHCP_ON_NET|0|
2015-06-03 00:13:53 fcnacd_common.c:217:0 fcnacd_send_data: called
2015-06-03 00:13:53 fcnacd_forticlient.c:389:0 fcnacd_forticlient_change_state: called
2015-06-03 00:13:53 change state to: FCNAC_FORTICLIENT_STATE_DISCONNECT
2015-06-03 00:13:53 fcnacd_forticlient.c:3921:0 fcnacd_forticlient_disconnect: called
2015-06-03 00:13:53 message_loop: checking timeouts
2015-06-03 00:13:53 fcnacd_forticlient.c:252:0 fcnacd_forticlient_read: called
2015-06-03 00:13:53 fcnacd_forticlient.c:3921:0 fcnacd_forticlient_disconnect: called
2015-06-03 00:13:53 fcnacd_forticlient.c:389:0 fcnacd_forticlient_change_state: called
2015-06-03 00:13:53 change state to: FCNAC_FORTICLIENT_STATE_DONE
2015-06-03 00:13:53 fcnacd_forticlient.c:3962:0 fcnacd_forticlient_done: called
2015-06-03 00:13:53 message_loop: checking timeouts
diag debug reset2015-06-03 00:13:58 message_loop: checking timeouts

Christopher McMullan_FTNT wrote:

It looks like the 'default' EC profile was successfully applied, though...

however, in a few seconds the FCT client was unregistered and fall back on searching  status...

I don't know why???...