Description
This article describes how to troubleshoot a VLAN change on a remote unit using the FortiNAC CLI.
Scope
FortiNAC.
Solution
This example uses the following addresses:
FortiNAC - 192.168.186.141
Switch - 192.168.186.146
Connect to FortiNAC using two SSH terminals. Open Terminal A and Terminal B.
Run the commands below in each terminal.
Terminal A.
FortiNAC FNVMCA
root@fnac:/root
> DumpBridgePerformance -ip 192.168.186.146 true
Enabling
FortiNAC FNVMCA
root@fnac:/root
> nacdebug -name IPAddressToMac true
Setting IPAddressToMac debug to true:
FortiNAC FNVMCA
root@fnac:/root
> nacdebug -name SnmpV1 true
Setting SnmpV1 debug to true:
FortiNAC FNVMCA
root@fnac:/root
> UpdateClients -ip 192.168.186.146
Updating the following devices.
SW1.domain.local 192.168.186.146
Done updating the clients.
Terminal B.
VLAN before the change:
FortiNAC FNVMCA
root@fnac:/bsc/logs
> tail -F output.master
.....
yams.BridgeManager INFO :: 2021-04-09 11:51:36:899 :: ********************192.168.186.146-SW1.domain.local********************
2021-04-09 11:51:36:894
PollThread-poll1
Remediation VLAN Switching enabled = true
MAC Filtering enabled = false
Don't Allow Rogues = false
Member of PHYSICAL_ADDRESS_FILTERING = false
Persistent Agent Vlan Delay = 0
SW1.domain.local Gi1/3
Remediation VLAN 111
Dead End VLAN 112
Authentication VLAN
Registration VLAN 110
Default VLAN 1
Current VLAN 1
Change the VLAN first, then run UpdateClients -ip 192.168.186.146 (same as step 4 in Terminal A).
VLAN after the change:
.....
yams.BridgeManager INFO :: 2021-04-09 11:59:38:064 :: ********************192.168.186.146-SW1.domain.local********************
2021-04-09 11:59:38:053
PollThread-trap2
Remediation VLAN Switching enabled = true
MAC Filtering enabled = false
Don't Allow Rogues = false
Member of PHYSICAL_ADDRESS_FILTERING = false
Persistent Agent Vlan Delay = 0
SW1.domain.local Gi1/3
Remediation VLAN 111
Dead End VLAN 112
Authentication VLAN
Registration VLAN 110
Default VLAN 1
Current VLAN 5
Disable all debug after troubleshooting:
> DumpBridgePerformance -ip x.x.x.x
Disabling debug .....
> nacdebug -name IPAddressToMac
Setting IPAddressToMac debug to false
> nacdebug -name SnmpV1
Setting SnmpV1 debug to false
Check which debugs are still enabled; these are not disabled automatically:
> nacdebug -true
If there is any output, disable each listed debug with the following command:
> nacdebug -name <Debug_Name> false
In any case, all enabled debugs are disabled after a FortiNAC restart.
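The before/after comparison done by eye in Terminal B can be repeated on a saved copy of output.master. The following Python parser is an added example, not Fortinet code: it reads BridgeManager dump blocks in the layout shown on this page and reports each change of Current VLAN per switch port. The function names, the trimmed sample text and the assumption that every dump follows exactly this line layout belong to this example.

```python
import re

# Constructed sample: this article's two dumps, trimmed; the line layout is assumed.
SAMPLE = """\
yams.BridgeManager INFO :: 2021-04-09 11:51:36:899 :: ********************192.168.186.146-SW1.domain.local********************
PollThread-poll1
SW1.domain.local Gi1/3
Authentication VLAN
Default VLAN 1
Current VLAN 1
yams.BridgeManager INFO :: 2021-04-09 11:59:38:064 :: ********************192.168.186.146-SW1.domain.local********************
PollThread-trap2
SW1.domain.local Gi1/3
Authentication VLAN
Default VLAN 1
Current VLAN 5
"""

HEADER = re.compile(r"BridgeManager INFO :: (\S+ \S+) :: \*+(\d+(?:\.\d+){3})-(.+?)\*+$")
VLAN = re.compile(r"^(.+?) VLAN(?:\s+(\d+))?$")

def parse_dumps(text):
    """Return one record per port per dump block, in log order."""
    records, head, thread, rec = [], None, None, None
    for line in map(str.strip, text.splitlines()):
        if m := HEADER.search(line):
            head, thread, rec = m.groups(), None, None  # (time, ip, device name)
        elif head and line.startswith("PollThread-"):
            thread = line
        elif head and line.startswith(head[2] + " "):  # "<device name> <port>"
            rec = {"time": head[0], "ip": head[1], "thread": thread,
                   "port": line[len(head[2]):].strip(), "vlans": {}}
            records.append(rec)
        elif rec is not None and (m := VLAN.match(line)):
            # A label with no number (Authentication VLAN here) is stored as None.
            rec["vlans"][m.group(1)] = int(m.group(2)) if m.group(2) else None
    return records

def vlan_changes(records):
    """List each change of Current VLAN per (switch IP, port)."""
    last, changes = {}, []
    for r in (r for r in records if r["vlans"].get("Current") is not None):
        key, cur = (r["ip"], r["port"]), r["vlans"]["Current"]
        if key in last and cur != last[key]:
            roles = [k for k, v in r["vlans"].items() if k != "Current" and v == cur]
            changes.append({"port": r["port"], "from": last[key], "to": cur,
                            "time": r["time"], "thread": r["thread"], "matches": roles})
        last[key] = cur
    return changes
```

Pass the text of the saved log to parse_dumps and the result to vlan_changes; an empty "matches" list means the new Current VLAN equals none of the VLANs listed for that port in the same dump.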