This article describes a corner case in which traffic over a VPN session sometimes does not pass, even though the endpoint carries the correct tag and has an IP address assigned.
In this particular scenario, the user can only reach the EMS server after establishing the VPN connection via FortiClient.
Unless the EMS tag is matched, all traffic is blocked.
Once the VPN connection is up, the EMS server becomes reachable within seconds and the Telemetry connection comes up.
The FortiGate also receives the IP of the client and the correct ZTNA tags from EMS.
However, the traffic is completely blocked for some time (this can last minutes or even hours).
This applies to FortiClientEMS 7.2.4, FortiGate, and FortiClient.
The problem is triggered once the client disconnects from the VPN or restarts the computer.
In this case, FortiClient is unable to update its status on EMS (it cannot inform EMS that the local IP is no longer in use).
According to FortiClientEMS, a 3-minute timeout is configured before the user is marked as 'Away' (not offline) and the tags are updated.
After 3 minutes, FortiClientEMS appears to be updating the FortiGate, but the IP of the client still appears as online on the FortiGate.
The notification appears to be missed; this mechanism will be improved in an upcoming version of FortiClientEMS.
This problem is not expected to occur if the EMS server is reachable over the internet (public IP).
Upon reconnection to VPN, FortiClientEMS receives the VPN record from FortiGate and automatically matches the record (as the VPN IP already exists there).
However, the client remains offline for a short period after the VPN comes up, until the telemetry connection is established. During that window the FortiGate does not receive the tag (in the send-all case), because FortiClientEMS only returns the IPs of online clients.
The client will be unable to reach the internet or internal resources until another update from FortiClientEMS to the FortiGate is triggered (for example, when another client logs in).
Restarting the fcnacd daemon on the FortiGate has no effect.
As a workaround, an API request that updates the tags refreshes the status of all clients.
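As an added illustration (not from the original article or from Fortinet's own tooling), the following Python check models the two inconsistent states described above: an IP the FortiGate still lists although EMS has marked the client Away, and an online client whose IP never reached the FortiGate. Hostnames, IPs, the tag name and the FortiGate membership set are all constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# FortiClientEMS marks a client 'Away' after 3 minutes without telemetry (per the article).
AWAY_TIMEOUT = timedelta(minutes=3)

@dataclass
class EmsRecord:
    """Constructed model of one FortiClientEMS endpoint record."""
    hostname: str
    vpn_ip: str
    tags: set
    online: bool          # telemetry connection currently up
    last_seen: datetime   # last telemetry keepalive seen by EMS

def reconcile(records, tag, fortigate_members, now):
    """Compare EMS state with the IPs the FortiGate currently holds for `tag`.
    ok: online and present | blocked: online but the FortiGate never got the IP
    grace: telemetry down < AWAY_TIMEOUT (EMS still counts the client online)
    stale: Away > AWAY_TIMEOUT but still listed on the FortiGate | gone: absent on both sides
    """
    states = {}
    for r in records:
        if tag not in r.tags:
            continue
        present = r.vpn_ip in fortigate_members
        if r.online:
            states[r.vpn_ip] = "ok" if present else "blocked"
        elif now - r.last_seen <= AWAY_TIMEOUT:
            states[r.vpn_ip] = "grace"
        else:
            states[r.vpn_ip] = "stale" if present else "gone"
    return states

def needs_tag_refresh(states):
    """True when some endpoint is in a state only a tag refresh (or another client's login) clears."""
    return any(s in ("blocked", "stale") for s in states.values())

# Constructed sample with a placeholder tag name: A is healthy, B disconnected 10 minutes ago
# but its IP was never withdrawn from the FortiGate, C reconnected and is online on EMS
# but the FortiGate has not received its IP yet (the article's blocked-traffic case).
NOW = datetime(2025, 1, 1, 12, 0, 0)
SAMPLE_RECORDS = [
    EmsRecord("LAPTOP-A", "10.212.134.200", {"EMS_Compliant"}, True, NOW),
    EmsRecord("LAPTOP-B", "10.212.134.201", {"EMS_Compliant"}, False, NOW - timedelta(minutes=10)),
    EmsRecord("LAPTOP-C", "10.212.134.202", {"EMS_Compliant"}, True, NOW),
]
SAMPLE_FORTIGATE = {"10.212.134.200", "10.212.134.201"}
```

Running `reconcile(SAMPLE_RECORDS, "EMS_Compliant", SAMPLE_FORTIGATE, NOW)` reports A as ok, B as stale and C as blocked, and `needs_tag_refresh` then returns True, which is the condition under which the tag-refresh workaround applies.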
Copyright 2025 Fortinet, Inc. All Rights Reserved.