FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Staff
Article Id 192115

Description


This article explains the causes behind an issue where inconsistent agent communication occurs due to an appliance domain existing in the allowed domains list.


Scope


All supported versions of FortiNAC.


Solution


If an entry in the Allowed Domains List matches the domain of the appliance FQDN, asymmetric routing may occur. The agent may successfully communicate with the appliance from the production network, but not from the restricted network.

Example scenario:
FQDN of FortiNAC server: fortinac-app.fortinet.com
Allowed domain: fortinet.com


Workflow:
1) The Agent in the restricted VLAN sends a DNS query for the appliance name.
2) Since the domain is in the Allowed Domains List, the request is forwarded to the production DNS server.
3) The name is resolved to the eth0 IP address.
4) The Agent attempts communication using the eth0 IP address.
5) Typically, the appliance has static routes configured for eth1. In these scenarios, traffic destined for the restricted network is returned out of eth1, and any traffic from the restricted network that arrives on eth0 is dropped. For more information regarding this expected behavior, see the related KB article below.
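The following is an added example, not Fortinet code, that turns the workflow above into a check an administrator can run against an exported Allowed Domains list before rolling out the Persistent Agent. It flags any entry that would capture DNS queries for the appliance name (an exact match or a parent domain, with the usual spelling variants normalised) and models which address the agent on the restricted VLAN would receive. The eth0/eth1 assignment in resolution_path, the appliance answering unmatched names with its eth1 address, and the sample addresses are assumptions for illustration, as are all function names.

```python
"""Check a FortiNAC Allowed Domains list against the appliance FQDN.

Added example, not Fortinet code. It models the resolution path described in
the KB article: a name that matches an allowed domain is forwarded to the
production DNS server and so resolves to the eth0 address, which hosts on the
restricted network cannot reach symmetrically. Interface assignment below is
an assumption used for illustration.
"""


def normalize(name: str) -> str:
    """Lower-case a DNS name and strip whitespace, a leading '*.' or '.', and a
    trailing dot, so 'Fortinet.COM.' and '*.fortinet.com' compare equal."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name.lstrip(".")


def domain_matches(fqdn: str, allowed: str) -> bool:
    """True if `allowed` is the FQDN itself or one of its parent domains.
    Matching is label-based: 'fortinet.com' matches 'fortinac-app.fortinet.com'
    but does not match 'notfortinet.com'."""
    fqdn, allowed = normalize(fqdn), normalize(allowed)
    if not allowed:
        return False
    return fqdn == allowed or fqdn.endswith("." + allowed)


def conflicting_entries(appliance_fqdn: str, allowed_domains) -> list:
    """Return the Allowed Domains entries that would capture DNS queries for
    the appliance name, in list order. An empty list means no conflict."""
    return [d for d in allowed_domains if domain_matches(appliance_fqdn, d)]


def resolution_path(appliance_fqdn: str, allowed_domains, eth0_ip: str, eth1_ip: str) -> dict:
    """Model the workflow for an agent on the restricted VLAN (assumed behaviour):
    - name matched by an allowed domain -> query forwarded to production DNS
      -> eth0 address -> asymmetric routing, agent traffic dropped;
    - otherwise -> answered by the appliance itself -> eth1 address."""
    hits = conflicting_entries(appliance_fqdn, allowed_domains)
    if hits:
        return {"forwarded_to_production_dns": True, "answer": eth0_ip, "matched_by": hits}
    return {"forwarded_to_production_dns": False, "answer": eth1_ip, "matched_by": []}


if __name__ == "__main__":
    # Constructed sample data mirroring the article's scenario (addresses are
    # documentation ranges, not real appliance addresses).
    appliance = "fortinac-app.fortinet.com"
    allowed = ["update.example.org", "Fortinet.COM.", "*.microsoft.com"]
    result = resolution_path(appliance, allowed, "192.0.2.10", "198.51.100.10")
    for entry in result["matched_by"]:
        print(f"WARNING: allowed domain '{entry}' matches appliance FQDN '{appliance}'")
    print(f"restricted-VLAN agent would resolve {appliance} to {result['answer']}")
```

Run the script against the exported list; any WARNING line names an entry that should be removed from the Allowed Domains list (or narrowed to a subdomain that does not cover the appliance) so that agents in the restricted VLAN are answered by the appliance rather than by the production DNS server.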


Sometimes the Persistent Agent logs show successful communication, but FortiNAC shows the host status as At Risk while the Persistent Agent (PA) shows the thunder strike icon:

[Image: PA communication status]


Upon trying to scan or send messages to the host, the following error appears:


Error scanning host 'DESKTOP' Failed to find live (online+communicating) adapter in HostRecord. HRDBID:7580. Try Again In 10 Minutes. Wed Dec 22 12:29:20 GST 2022
or:
Error sending message host 'DESKTOP' Failed to find live (online+communicating) adapter in HostRecord. HRDBID:7580. Try Again In 10 Minutes. Wed Dec 22 12:29:41 GST 2022


To fix this, delete the domain from the Allowed Domains list. For instructions, see Allowed domains in the Administration Guide.

Related Articles

Technical Note: Asymmetrically routed packets are discarded with newer appliances