Hello, Fortinet,
Up to now, this function is still not working with VPN...
I think this problem has gone on too long....
No plan to fix it???
FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2
FSW224B x1
Could you be more specific about what's broken?
-FGT OS version
-What kind of settings you're trying to push down via EC profile
-The topology of the client connection (on-net vs. off-net, behind L3 device or local to FGT, etc.)
-Mobile OS being used
-FortiClient version being used
-History of the problem
-Steps you have already taken to troubleshoot or fix
-Screenshots or log entries
Regards, Chris McMullan Fortinet Ottawa
Christopher McMullan_FTNT wrote: Could you be more specific about what's broken?
-FGT OS version
-What kind of settings you're trying to push down via EC profile
-The topology of the client connection (on-net vs. off-net, behind L3 device or local to FGT, etc.)
-Mobile OS being used
-FortiClient version being used
-History of the problem
-Steps you have already taken to troubleshoot or fix
-Screenshots or log entries
Now I'm using v5.2.3 for FGT and the latest version of FCT (Android)...
My mobile console: Sony Xperia TX (Android v4.3)
I tried the following methods to push registration information to the FortiGate, which has EC enabled:
1. Directly via the internet
2. Via VPN (IPsec or SSLVPN)
First, FCT did show a success message after registering..
Then, after waiting a few seconds, FCT immediately prompted an unsuccessful message response
and failed to register to the FGT..
I don't know why???...
FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2
FSW224B x1
As long as FCT-Access is enabled on the interface facing clients, I would run a debug on 'fcnacd' and run it by TAC for analysis:
diag debug reset
diag debug enable
diag debug console timestamp enable
diag debug application fcnacd -1
<attempt a client connection, then when it fails...>
diag debug reset
diag debug disable
The diagnostics should show when/why the association failed, and with a timestamp, would give a reasonably accurate duration for the successful part of the connection.
Regards, Chris McMullan Fortinet Ottawa
Christopher McMullan_FTNT wrote: As long as FCT-Access is enabled on the interface facing clients, I would run a debug on 'fcnacd' and run it by TAC for analysis:
diag debug reset
diag debug enable
diag debug console timestamp enable
diag debug application fcnacd -1
<attempt a client connection, then when it fails...>
diag debug reset
diag debug disable
The diagnostics should show when/why the association failed, and with a timestamp, would give a reasonably accurate duration for the successful part of the connection.
Hello, I seem to have found a problem..
On a cellular network (e.g. 3G) or VPN over a cellular network, the endpoint control function does NOT work well..
How can I stay away from this problem???
FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2
FSW224B x1
Anecdotally, I've used EC over LTE with little or no issue. Does your client frequently connect, disconnect, and re-connect to the FGT?
I still think a capture of debug output from 'fcnacd' would help here.
Regards, Chris McMullan Fortinet Ottawa
Christopher McMullan_FTNT wrote: Anecdotally, I've used EC over LTE with little or no issue. Does your client frequently connect, disconnect, and re-connect to the FGT?
I still think a capture of debug output from 'fcnacd' would help here.
Hello, the captured debug output is here:
HOSTNAME=localhost
OSVER=Android Phone 4.3
USER=Android
DESC=Sony LT29i 9.2.A.1.205
COM_MAN=Sony
COM_MODEL=LT29i
CPU=ARM
MEM=847
UPTIME=1433134482
EP_CHKSUM=
2015-06-03 00:13:52 [__update_ec_record_sys_data:1075] reg_status: 0
2015-06-03 00:13:52 [__update_ec_record_sys_data:1087] fct_os: AOS00
2015-06-03 00:13:52 [__update_ec_record_sys_data:1091] fct_ver: 5.2.5.0103
2015-06-03 00:13:52 [__update_ec_record_sys_data:1128] enabled_features(20): av(0)fw(0)wf(1)as(0)vn(1)vs(0)
2015-06-03 00:13:52 [__update_ec_record_sys_data:1141] installed_features(20): av(0)fw(0)wf(1)as(0)vn(1)vs(0)
2015-06-03 00:13:52 [__update_ec_record_sys_data:1159] hostname: localhost
2015-06-03 00:13:52 [__update_ec_record_sys_data:1174] osver: Android Phone 4.3
2015-06-03 00:13:52 [__update_ec_record_sys_data:1179] user: Android
2015-06-03 00:13:52 [__update_ec_record_sys_data:1164] desc: Sony LT29i 9.2.A.1.205
2015-06-03 00:13:52 [__update_ec_record_sys_data:1190] comp manu.: Sony
2015-06-03 00:13:52 [__update_ec_record_sys_data:1194] comp model: LT29i
2015-06-03 00:13:52 [__update_ec_record_sys_data:1198] cpu model: ARM
2015-06-03 00:13:52 [__update_ec_record_sys_data:1202] mem: 847
2015-06-03 00:13:52 [__update_ec_record_sys_data:1206] uptime: 1433134482
2015-06-03 00:13:52 [__update_ec_record_sys_data:1262] forticlient csum:
2015-06-03 00:13:52 [fcnacd_reg_sync.c:659] sendto 10.1.1.16, type=0x00, datalen=344
2015-06-03 00:13:52 [fcnacd_forticlient_request_fcc_connection:1995] base64 decoded fccinfo data: VER=1
FCTVER=5.2.5.0103
UID=CB5A1M13YX
IP=223.141.236.147
HOST=localhost
USER=Android
OSVER=Android Phone 4.3
2015-06-03 00:13:52 [__process_reg_msg:2369] forticlient CB5A1M13YX is registered!
2015-06-03 00:13:52 [__process_reg_msg:2370] licence granted for CB5A1M13YX
2015-06-03 00:13:52 fcnacd_forticlient.c:389:0 fcnacd_forticlient_change_state: called
2015-06-03 00:13:52 change state to: FCNAC_FORTICLIENT_STATE_SEND_REG_REPLY
2015-06-03 00:13:52 fcnacd_forticlient.c:2401:0 fcnacd_forticlient_send_reg_reply: called
2015-06-03 00:13:52 fcnacd_forticlient.c:2429:0 fcnacd_forticlient_prepare_reg_reply: called
2015-06-03 00:13:52 [fcnacd_forticlient_prepare_reg_reply:2447] FCREGRPLY = FCREGRPLY: REG|0-FG200P3911600080:1:FG200P3911600080:root:123:7245:0:99:0|
2015-06-03 00:13:52 [ec_find_matching_profile:1943] find matching profile 'default'
2015-06-03 00:13:52 [__generate_forticlient_config:3635] XML config (1018) = <?xml version="1.0" encoding="utf-8"?><forticlient_configuration generatedby="FortiGate-200B-POE v5.2.3,build0670,150318 (GA)" policy="default">
<version>5.0</version>
<endpoint_control>
<checksum>540cad63b71bc69cd5d3b9d86f9f38ba</checksum>
</endpoint_control>
<system>
<ui>
<ads>0</ads>
<password></password>
</ui>
<log_settings>
<remote_logging>
<log_upload_enabled>0</log_upload_enabled>
</remote_logging>
<onnet_local_logging>0</onnet_local_logging>
</log_settings>
<update>
<use_custom_server>0</use_custom_server>
</update>
</system>
<antivirus>
<enabled>0</enabled><real_time_protection>
<enabled>0</enabled>
</real_time_protection>
</antivirus>
<firewall>
<enabled>0</enabled>
</firewall>
<webfilter>
<enable_filter>0</enable_filter>
</webfilter>
<vpn>
<sslvpn><options><enabled>0</enabled></options></sslvpn>
<ipsecvpn><options><enabled>0</enabled></options></ipsecvpn>
</vpn>
<vulnerability_scan>
<enabled>0</enabled>
</vulnerability_scan>
</forticlient_configuration>
2015-06-03 00:13:52 fcnacd_common.c:217:0 fcnacd_send_data: called
2015-06-03 00:13:52 fcnacd_forticlient.c:389:0 fcnacd_forticlient_change_state: called
2015-06-03 00:13:52 change state to: FCNAC_FORTICLIENT_STATE_DISCONNECT
2015-06-03 00:13:52 fcnacd_forticlient.c:3921:0 fcnacd_forticlient_disconnect: called
2015-06-03 00:13:52 message_loop: checking timeouts
2015-06-03 00:13:52 fcnacd_forticlient.c:252:0 fcnacd_forticlient_read: called
2015-06-03 00:13:52 fcnacd_forticlient.c:3921:0 fcnacd_forticlient_disconnect: called
2015-06-03 00:13:52 fcnacd_forticlient.c:389:0 fcnacd_forticlient_change_state: called
2015-06-03 00:13:52 change state to: FCNAC_FORTICLIENT_STATE_DONE
2015-06-03 00:13:52 fcnacd_forticlient.c:3962:0 fcnacd_forticlient_done: called
2015-06-03 00:13:52 message_loop: checking timeouts
2015-06-03 00:13:52 fcnacd_forticlient.c:389:0 fcnacd_forticlient_change_state: called
2015-06-03 00:13:52 change state to: FCNAC_FORTICLIENT_STATE_CONNECT
2015-06-03 00:13:52 fcnacd_forticlient.c:1606:0 fcnacd_forticlient_connect: called
2015-06-03 00:13:52 message_loop: checking timeouts
2015-06-03 00:13:52 fcnacd_forticlient.c:252:0 fcnacd_forticlient_read: called
2015-06-03 00:13:52 fcnacd_forticlient.c:1606:0 fcnacd_forticlient_connect: called
2015-06-03 00:13:52 message_loop: checking timeouts
2015-06-03 00:13:52 fcnacd_forticlient.c:252:0 fcnacd_forticlient_read: called
2015-06-03 00:13:52 fcnacd_forticlient.c:1606:0 fcnacd_forticlient_connect: called
2015-06-03 00:13:52 message_loop: checking timeouts
2015-06-03 00:13:52 fcnacd_forticlient.c:252:0 fcnacd_forticlient_read: called
2015-06-03 00:13:52 fcnacd_forticlient.c:1606:0 fcnacd_forticlient_connect: called
2015-06-03 00:13:53 fcnacd_forticlient.c:389:0 fcnacd_forticlient_change_state: called
2015-06-03 00:13:53 change state to: FCNAC_FORTICLIENT_STATE_READ_REQ
2015-06-03 00:13:53 fcnacd_forticlient.c:1483:0 fcnacd_forticlient_read_req: called
2015-06-03 00:13:53 fcnacd_common.c:135:0 fcnacd_read_data: called
2015-06-03 00:13:53 message_loop: checking timeouts
2015-06-03 00:13:53 fcnacd_forticlient.c:252:0 fcnacd_forticlient_read: called
2015-06-03 00:13:53 fcnacd_forticlient.c:1483:0 fcnacd_forticlient_read_req: called
2015-06-03 00:13:53 fcnacd_common.c:135:0 fcnacd_read_data: called
2015-06-03 00:13:53 fcnacd_forticlient.c:1381:0 __extract_ftcl_id_header: called
2015-06-03 00:13:53 [__extract_ftcl_id_header:1397] received ID header = FCTUID=CB5A1M13YX
IP=223.141.236.147
MAC=CB-5A-1M-13-YX-
CAPS=1
2015-06-03 00:13:53 [__extract_ftcl_id_header:1422] received ID header = UID(CB5A1M13YX);IP(223.141.236.147);MAC(cb:5a:01:e8:e8:de);CAPS(1)
2015-06-03 00:13:53 fcnacd_forticlient.c:1365:0 fcnacd_forticlient_process_ka_msg: called
2015-06-03 00:13:53 fcnacd_forticlient.c:1028:0 __update_ec_record_sys_data: called
2015-06-03 00:13:53 [__update_ec_record_sys_data:1057] base64 decoded sys data: REG_STATUS=1
REG_FGT=FG200P3911600080
FCTOS=AOS00
FCTVER=5.2.5.0103
FCTDATE=20150529
ENABLED_FEATURE_BITMAP=20
INSTALLED_FEATURE_BITMAP=20
HOSTNAME=localhost
OSVER=Android Phone 4.3
USER=Android
DESC=Sony LT29i 9.2.A.1.205
COM_MAN=Sony
COM_MODEL=LT29i
CPU=ARM
MEM=847
UPTIME=1433134482
EP_CHKSUM=540cad63b71bc69cd5d3b9d86f9f38ba
2015-06-03 00:13:53 [__update_ec_record_sys_data:1075] reg_status: 1
2015-06-03 00:13:53 [__update_ec_record_sys_data:1079] reg_fgt: FG200P3911600080
2015-06-03 00:13:53 [__update_ec_record_sys_data:1087] fct_os: AOS00
2015-06-03 00:13:53 [__update_ec_record_sys_data:1091] fct_ver: 5.2.5.0103
2015-06-03 00:13:53 [__update_ec_record_sys_data:1128] enabled_features(20): av(0)fw(0)wf(1)as(0)vn(1)vs(0)
2015-06-03 00:13:53 [__update_ec_record_sys_data:1141] installed_features(20): av(0)fw(0)wf(1)as(0)vn(1)vs(0)
2015-06-03 00:13:53 [__update_ec_record_sys_data:1159] hostname: localhost
2015-06-03 00:13:53 [__update_ec_record_sys_data:1174] osver: Android Phone 4.3
2015-06-03 00:13:53 [__update_ec_record_sys_data:1179] user: Android
2015-06-03 00:13:53 [__update_ec_record_sys_data:1164] desc: Sony LT29i 9.2.A.1.205
2015-06-03 00:13:53 [__update_ec_record_sys_data:1190] comp manu.: Sony
2015-06-03 00:13:53 [__update_ec_record_sys_data:1194] comp model: LT29i
2015-06-03 00:13:53 [__update_ec_record_sys_data:1198] cpu model: ARM
2015-06-03 00:13:53 [__update_ec_record_sys_data:1202] mem: 847
2015-06-03 00:13:53 [__update_ec_record_sys_data:1206] uptime: 1433134482
2015-06-03 00:13:53 [__update_ec_record_sys_data:1262] forticlient csum: 540cad63b71bc69cd5d3b9d86f9f38ba
2015-06-03 00:13:53 fcnacd_forticlient.c:1344:0 __recheck_dhcp_on_net_status: called
2015-06-03 00:13:53 fcnacd_forticlient.c:389:0 fcnacd_forticlient_change_state: called
2015-06-03 00:13:53 change state to: FCNAC_FORTICLIENT_STATE_SEND_KA_REPLY
2015-06-03 00:13:53 fcnacd_forticlient.c:2477:0 fcnacd_forticlient_send_ka_reply: called
2015-06-03 00:13:53 fcnacd_forticlient.c:3726:0 fcnacd_forticlient_prepare_ka_reply: called
2015-06-03 00:13:53 [fcnacd_forticlient_prepare_ka_reply:3740] CONT = CONT|0|
2015-06-03 00:13:53 [fcnacd_forticlient_prepare_ka_reply:3749] LICENCE_VER = LICENCE_VER|99|
2015-06-03 00:13:53 [fcnacd_forticlient_prepare_ka_reply:3756] DHCP_ON_NET = DHCP_ON_NET|0|
2015-06-03 00:13:53 fcnacd_common.c:217:0 fcnacd_send_data: called
2015-06-03 00:13:53 fcnacd_forticlient.c:389:0 fcnacd_forticlient_change_state: called
2015-06-03 00:13:53 change state to: FCNAC_FORTICLIENT_STATE_DISCONNECT
2015-06-03 00:13:53 fcnacd_forticlient.c:3921:0 fcnacd_forticlient_disconnect: called
2015-06-03 00:13:53 message_loop: checking timeouts
2015-06-03 00:13:53 fcnacd_forticlient.c:252:0 fcnacd_forticlient_read: called
2015-06-03 00:13:53 fcnacd_forticlient.c:3921:0 fcnacd_forticlient_disconnect: called
2015-06-03 00:13:53 fcnacd_forticlient.c:389:0 fcnacd_forticlient_change_state: called
2015-06-03 00:13:53 change state to: FCNAC_FORTICLIENT_STATE_DONE
2015-06-03 00:13:53 fcnacd_forticlient.c:3962:0 fcnacd_forticlient_done: called
2015-06-03 00:13:53 message_loop: checking timeouts
diag debug reset2015-06-03 00:13:58 message_loop: checking timeouts
FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2
FSW224B x1
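A capture like the one in the post above is easier to read once reduced to its state transitions and registration events. The following is an added example, not part of the original posts and not Fortinet code: it parses timestamped `fcnacd` debug lines into a timeline, using message patterns taken from the log lines in this thread; the function names `timeline` and `summarize` are hypothetical.

```python
import re
from datetime import datetime

# Excerpt of the fcnacd debug output posted in this thread (lines as on the page).
SAMPLE = """\
2015-06-03 00:13:52 [__update_ec_record_sys_data:1075] reg_status: 0
2015-06-03 00:13:52 [__process_reg_msg:2369] forticlient CB5A1M13YX is registered!
2015-06-03 00:13:52 change state to: FCNAC_FORTICLIENT_STATE_SEND_REG_REPLY
2015-06-03 00:13:52 [ec_find_matching_profile:1943] find matching profile 'default'
2015-06-03 00:13:52 change state to: FCNAC_FORTICLIENT_STATE_DISCONNECT
2015-06-03 00:13:52 change state to: FCNAC_FORTICLIENT_STATE_DONE
2015-06-03 00:13:53 change state to: FCNAC_FORTICLIENT_STATE_READ_REQ
2015-06-03 00:13:53 [__update_ec_record_sys_data:1075] reg_status: 1
2015-06-03 00:13:53 change state to: FCNAC_FORTICLIENT_STATE_SEND_KA_REPLY
2015-06-03 00:13:53 change state to: FCNAC_FORTICLIENT_STATE_DONE
"""

TS = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)")
EVENTS = [
    ("state", re.compile(r"change state to: FCNAC_FORTICLIENT_STATE_(\w+)")),
    ("registered", re.compile(r"forticlient (\S+) is registered!")),
    ("profile", re.compile(r"find matching profile '([^']*)'")),
    ("reg_status", re.compile(r"reg_status: (\d+)")),
]

def timeline(text):
    """Return [(datetime, kind, value)] for each recognised event line."""
    out = []
    for line in text.splitlines():
        m = TS.match(line)
        if not m:
            continue  # KEY=VALUE and XML continuation lines carry no timestamp
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        for kind, rx in EVENTS:
            hit = rx.search(m.group(2))
            if hit:
                out.append((when, kind, hit.group(1)))
    return out

def summarize(text):
    """Group events by kind and report the seconds between first and last event."""
    ev = timeline(text)
    pick = lambda kind: [v for _, k, v in ev if k == kind]
    span = (ev[-1][0] - ev[0][0]).total_seconds() if ev else 0.0
    return {"states": pick("state"), "registered": pick("registered"),
            "profiles": pick("profile"), "reg_status": pick("reg_status"), "span_s": span}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run against a full capture, the `states` list and `span_s` give the sequence and duration that the timestamped debug was meant to expose.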
It looks like the 'default' EC profile was successfully applied, though...
Regards, Chris McMullan Fortinet Ottawa
Christopher McMullan_FTNT wrote: It looks like the 'default' EC profile was successfully applied, though...
Yeah, the EC profile named "default" was successfully assigned to the client.
However, after a few seconds the FCT client was unregistered and fell back to searching status...
I don't know why???...
FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2
FSW224B x1
Neither do I. I dealt with a few of these tickets a while back, but never arrived at a firm conclusion due to various factors.
Open a TAC ticket with the output from 'fcnacd' and see how they fix it.
Regards, Chris McMullan Fortinet Ottawa