FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Article Id 195148

Description

 

This article describes how to troubleshoot VPN connections when FortiNAC is integrated with the Cisco ASA.
 
Refer to the Cisco ASA VPN integration reference manual in the Fortinet Document Library for configuration details.


Scope


FortiNAC 8.x, 9.x.

 

Solution

 

Order of Operations (Summary):
1) Host connects to VPN
2) RADIUS authentication request is sent to the appliance
3) Host is restricted
4) Syslog is sent to appliance
5) Agent communicates with appliance
6) Host is released from restriction and allowed appropriate network access 
 
Detailed Order of Operations:
1) The remote user authenticates using either IPSec or SSL VPN client processes.
2) ASA sends RADIUS authentication request to appliance.
3) If authentication is successful, the ASA establishes a session and sends a syslog message to appliance containing user, IP, and other session information.
4) ASA firewall rules exist to restrict all network access from the VPN interface and remote IP address range configured for VPN connections. The rules only allow access to appliance isolation interface. DNS rules exist on the appliance to resolve all queries to its isolation interface.
5) While restricted, all user HTTP requests are redirected to a VPN captive portal on appliance. The portal page indicates that the user is currently restricted and, based upon administrator policy, can allow users to download and run an agent.
6) Once an agent executes and successfully communicates with the appliance, the appliance correlates information from the agent with data from the ASA to determine the host and adapter being used for the connection. It then updates the connection status of the host/adapter and triggers a policy lookup and firewall updates.
7) If the host/adapter is compliant with all necessary policies, the device is granted production network access by removing the IP address from the Restricted Network Object Group (releasing the associated ACL restrictions) and moving it to an “unrestricted” Network Object Group.
8) On disconnect, the ASA sends a syslog message to notify FortiNAC of session termination.
9) The IP address is added back to the Restricted Network Object Group, making the address available for a new connection.
10) Restrictive VPN firewall rules once again become effective.

 

Troubleshooting steps:

 

1) Review the affected VPN client’s entry in the database (ProbeObject) to determine what information is missing. Log in to the appliance CLI as root and enter RemoteAccess -remoteIP <client VPN IP>.


For example:

 

# RemoteAccess -remoteIP 172.16.196.10


If no results are returned, the proper syslog information was either not received or not processed. See KB article 224589 for troubleshooting steps.


2) If results are returned, ensure User Name and MAC address values are populated.

 

3) Proceed as appropriate:

 

User Name is missing: The proper syslog information was either not received or not processed. See KB article 224589 for troubleshooting steps.


MAC Address is missing: Agent information is either not received or not processed. See KB article 244783 for troubleshooting steps.

 

Record looks correct but client is not getting proper network access:

a) Verify that the correct Network Access policy matches. Right-click the host in the Host View and select Policy Details. If no policy matches under the Network Access tab, or the tab is blank, see KB article 197123.

 

b) If the correct policy matches, verify that the client's VPN IP is being removed from the Restricted Network Object Group on the ASA. In the appliance CLI, enter:

 

# nacdebug -name TelnetServer true
# tail -F /bsc/logs/output.master

 

c) Have the client connect.

 

d) Press Ctrl-C to stop the tail.

 

e) Disable debug:

 

# nacdebug -name TelnetServer false
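The steps above can be wrapped in one script run on the appliance CLI as root, so that the ProbeObject check, the KB decision and the debug capture happen in order and the TelnetServer debug flag is always switched off again, even if the tail is interrupted with Ctrl-C. This is an added example, not code from the article or from Fortinet. It assumes that RemoteAccess prints one "Field = value" line per ProbeObject attribute with the fields labelled "User Name" and "MAC Address" (adjust the sed patterns if your appliance prints them differently); the capture file path under /tmp is chosen here, and the sample records in demo() are constructed.

```shell
#!/bin/sh
# Added example (not Fortinet code): wraps troubleshooting steps 1-3 and b-e
# into one script to be run on the FortiNAC appliance CLI as root.
#
# ASSUMPTIONS not stated in the article:
#  - RemoteAccess prints one "Field = value" line per ProbeObject attribute and
#    labels the two fields of interest "User Name" and "MAC Address". Adjust the
#    sed patterns in classify_probe if your appliance prints them differently.
#  - The capture file path under /tmp is chosen here for the support ticket.

# Steps 1-3: read a RemoteAccess dump on stdin and say which KB article applies.
# Prints "CLASS: explanation" and returns 0 only when the record is complete.
classify_probe() {
    out=$(cat)
    if [ -z "$(printf '%s' "$out" | tr -d '[:space:]')" ]; then
        echo "NO_RECORD: no ProbeObject for this IP; syslog not received or not processed (KB 224589)"
        return 1
    fi
    user=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*User Name[[:space:]]*[=:][[:space:]]*//p' | head -n 1)
    mac=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*MAC [Aa]ddress[[:space:]]*[=:][[:space:]]*//p' | head -n 1)
    if [ -z "$user" ]; then
        echo "NO_USER: User Name missing; syslog not received or not processed (KB 224589)"
        return 2
    fi
    if [ -z "$mac" ]; then
        echo "NO_MAC: MAC Address missing; agent data not received or not processed (KB 244783)"
        return 3
    fi
    echo "COMPLETE: user=$user mac=$mac; check Policy Details (KB 197123), then the ASA object group"
    return 0
}

# Steps b-e: enable TelnetServer debug, follow the master log while the client
# reconnects, and turn the debug flag off again however we exit (Ctrl-C included),
# so a forgotten debug flag does not keep filling output.master.
capture_asa_debug() {
    client_ip=$1
    capture="/tmp/fnac-asa-debug-${client_ip}-$(date +%Y%m%d-%H%M%S).log"
    nacdebug -name TelnetServer true
    trap 'exit 130' INT
    trap 'nacdebug -name TelnetServer false; echo "Debug disabled; capture saved to $capture"' EXIT
    echo "TelnetServer debug enabled. Have $client_ip connect to the VPN now; press Ctrl-C when done."
    tail -F /bsc/logs/output.master | tee "$capture"
}

main() {
    client_ip=$1
    echo "Querying ProbeObject for $client_ip ..."
    if RemoteAccess -remoteIP "$client_ip" | classify_probe; then
        # Record looks correct: watch whether the ASA object group is actually updated.
        capture_asa_debug "$client_ip"
    fi
}

# Constructed sample records (not real appliance output) so the classifier can
# be exercised offline: one with the MAC missing, one complete.
demo() {
    printf 'Remote IP = 172.16.196.10\nUser Name = jdoe\n' | classify_probe || :
    printf 'Remote IP = 172.16.196.10\nUser Name = jdoe\nMAC Address = 00:11:22:33:44:55\n' | classify_probe
}

if [ $# -gt 0 ]; then
    main "$@"      # usage: ./vpn_triage.sh <client VPN IP>
else
    demo
fi
```

Run it with the client's VPN IP as the only argument; with no argument it only runs the constructed demo. The return code of classify_probe (1, 2, 3 or 0) mirrors the branches of step 3, so the script can also be called from a cron job or a ticket-collection script that needs to decide which KB article applies without a human reading the output.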

 

Contact Support for further assistance. Open a support ticket and provide the following:

- Software version (x.x.x.x).

- Cisco ASA version.

- Detailed description of behavior.

- Troubleshooting steps taken.

- IP address and username of test client.

- Timeframe behavior was reproduced.

- System logs (For instructions see KB article 190755).