AEK
SuperUser

FortiNAC // Persistent agent behind IP phone

Hello Fortinet Community

 

We have FortiNAC 9.4.3. All corp hosts have PA agent. We enabled PA optimization on all access switches.

Without an IP phone everything works fine. However, when we connect a host with the PA agent behind an IP phone, the PA seems not to initiate a DHCP request when the VLAN is changed, so the host's IP remains unchanged until we run ipconfig /renew; then the IP is renewed correctly and all works fine.

This issue happens every time the VLAN is switched by FortiNAC, e.g. from isol to prod, or from prod to isol, or from prod1 to prod2, etc.

 

Any useful idea would be appreciated.

 

 

 

 
AEK
1 Solution
AEK
SuperUser

Hello

Thanks for your response Anthony.

After a working session with Fortinet support, we realized that we had missed opening TCP port 4568 in some VLANs. Now it is fixed.

 

AEK

4 REPLIES
Anthony_E
Community Manager

Hello AEK,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
equipo
New Contributor

Hi,


We have FortiNAC 9.2.7 and we think we are experiencing the same issue in the native VLAN (IP phone + PA).

What is the number of this issue in the release notes? Is it fixed in the next release, 9.2.8?


Thanks

AEK
SuperUser

Hello Equipo

It should work as expected as long as the required ports for the PA are open on your firewall (TCP 4568).

However, there are some constraints when you have the PA behind an IP phone. The first time the client connects behind the IP phone you may need to run a DHCP renew, or just unplug and plug back the cable. This is because FNAC switches the VLAN after your client has issued the first DHCP request.

I hope Fortinet will fix this particular issue in a future release.

AEK
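
A check for the fix described in this thread, as an added example that is not part of the original posts or of Fortinet's tooling: it reports the host's current DHCP address and whether TCP 4568 toward FortiNAC is open, refused or silently dropped from the VLAN the host is in. The server name `fortinac.example.internal` and the function name `Test-AgentPort` are assumptions made for illustration.

```powershell
# Added example, not from the thread. Run on a host with the Persistent Agent.
param(
    [string]$Server    = 'fortinac.example.internal',  # placeholder: your FortiNAC address
    [int]   $Port      = 4568,                         # agent port named in the thread
    [int]   $TimeoutMs = 3000
)

function Test-AgentPort {
    param([string]$Server, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($Server, $Port)
        # No SYN/ACK and no RST within the timeout: traffic is being dropped on the path.
        if (-not $task.Wait($TimeoutMs)) { return 'filtered' }
        return 'open'
    }
    catch {
        # Wait() surfaces the socket failure wrapped in outer exceptions; unwrap it.
        $inner = $_.Exception.GetBaseException()
        if ($inner -is [System.Net.Sockets.SocketException] -and
            $inner.SocketErrorCode -eq [System.Net.Sockets.SocketError]::ConnectionRefused) {
            return 'refused'   # path is open, but nothing is listening on the port
        }
        return "error: $($inner.Message)"
    }
    finally {
        $client.Close()
    }
}

# The DHCP-assigned IPv4 address shows which VLAN's subnet the host currently holds a lease in.
$lease = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.PrefixOrigin -eq 'Dhcp' } |
    Select-Object -ExpandProperty IPAddress

[pscustomobject]@{
    DhcpAddress = ($lease -join ', ')
    Target      = "${Server}:$Port"
    Result      = Test-AgentPort -Server $Server -Port $Port -TimeoutMs $TimeoutMs
}
```

Run it once from a host in each VLAN that FortiNAC can assign (isolation and production alike); a `filtered` result in one of them usually points to a firewall rule or ACL that does not yet allow the agent port from that VLAN.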