Description
This article explains why agent communication becomes inconsistent when an entry in the Allowed Domains list covers the domain of the FortiNAC appliance FQDN.
Scope
All supported versions of FortiNAC.
Solution
If an entry in the Allowed Domains list matches the domain of the appliance FQDN, hosts in the restricted (isolation) network resolve the appliance name to its production-side (eth0) address instead of the isolation-side (eth1) address, and the resulting traffic is routed asymmetrically. The agent may then communicate with the appliance successfully from the production network, but not from the restricted network.
Example scenario:
FQDN of FortiNAC server: fortinac-app.fortinet.com
Allowed domain: fortinet.com
Workflow:
1) The Agent in the restricted VLAN sends a DNS query for the appliance name.
2) Because the domain is in the Allowed Domains list, the query is forwarded to the production DNS server instead of being answered by the appliance itself.
3) The production DNS server resolves the name to the eth0 (production interface) IP address rather than the eth1 (isolation interface) address that hosts in the restricted network are expected to use.
4) The Agent attempts communication with the eth0 IP address from inside the restricted VLAN, which produces the asymmetric routing described above.
In some cases the Persistent Agent logs show successful communication, but FortiNAC marks the host At Risk while the Persistent Agent icon shows the thunderbolt (not communicating) indicator:
When an attempt is made to scan the host or send it a message, the following error appears:
Error scanning host 'DESKTOP' Failed to find live (online+communicating) adapter in HostRecord. HRDBID:7580. Try Again In 10 Minutes. Wed Dec 22 12:29:20 GST 2022
or:
Error sending message host 'DESKTOP' Failed to find live (online+communicating) adapter in HostRecord. HRDBID:7580. Try Again In 10 Minutes. Wed Dec 22 12:29:41 GST 2022
To resolve the issue, remove the domain entry that covers the appliance FQDN from the Allowed Domains list. For instructions, see Allowed domains in the Administration Guide.
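The following script is an added example for auditing the condition described in the workflow above; it is not part of the Fortinet article and not a FortiNAC tool. It takes the appliance FQDN and the Allowed Domains entries (the values below are constructed samples matching the example scenario) and reports every entry that covers the appliance name, so the conflicting entry can be removed before hosts in the restricted VLAN start resolving the appliance to eth0. The matching rule assumed here is that an allowed-domain entry covers the FQDN itself and any name beneath it (label-boundary suffix match, so fortinet.com covers fortinac-app.fortinet.com but not app.notfortinet.com).

```shell
#!/bin/sh
# Added example (not from the Fortinet article): find Allowed Domains entries
# that cover the FortiNAC appliance FQDN.

# Constructed sample values; replace with the real appliance FQDN and the
# entries from Allowed Domains on the appliance.
APPLIANCE_FQDN="fortinac-app.fortinet.com"
ALLOWED_DOMAINS="fortinet.com updates.example.net example.org"

# Lowercase a name and strip a trailing dot so comparisons are case- and
# form-insensitive (assumed normalization, not FortiNAC's own).
normalize() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# covers DOMAIN FQDN -> succeeds when FQDN equals DOMAIN or ends with ".DOMAIN".
# The leading dot in the pattern enforces a label boundary, so "fortinet.com"
# does not match "app.notfortinet.com".
covers() {
  d=$(normalize "$1")
  f=$(normalize "$2")
  case "$f" in
    "$d" | *".$d") return 0 ;;
    *) return 1 ;;
  esac
}

# conflicting_domains FQDN DOMAIN... -> prints each DOMAIN that covers FQDN,
# one per line; prints nothing when the list is safe.
conflicting_domains() {
  fqdn=$1
  shift
  for d in "$@"; do
    if covers "$d" "$fqdn"; then
      printf '%s\n' "$d"
    fi
  done
}

# Report for the sample values (word splitting of ALLOWED_DOMAINS is intended).
conflicts=$(conflicting_domains "$APPLIANCE_FQDN" $ALLOWED_DOMAINS)
if [ -n "$conflicts" ]; then
  printf 'Allowed Domains entries covering %s (remove these):\n%s\n' \
    "$APPLIANCE_FQDN" "$conflicts"
else
  printf 'No Allowed Domains entry covers %s\n' "$APPLIANCE_FQDN"
fi
```

With the sample values the script reports fortinet.com as the conflicting entry. On a live network the same condition shows up as the workflow describes: a host in the restricted VLAN resolves the appliance name to the eth0 address instead of the eth1 address, which is the check to perform after the entry has been removed.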
Related Articles
Technical Note: Asymmetrically routed packets are discarded with newer appliances
Copyright 2024 Fortinet, Inc. All Rights Reserved.