Nur
Article Id 308444
Description

This article describes how to troubleshoot connectivity between a FortiAnalyzer and a FortiADC. The two devices talk through the OFTP daemon process, which handles connectivity, health checks, file transfer, log display, and so on.

Scope: FortiAnalyzer and FortiADC
Solution

After FortiAnalyzer logging is configured on the FortiADC, the FortiAnalyzer receives a notification asking it to authorize the FortiADC device. This article describes how to troubleshoot the case where the FortiAnalyzer never receives that authorization notification and the FortiAnalyzer status shown on the FortiADC is 'disconnected'.

Screenshot 2024-04-04 234729.png

Check the connectivity between both devices:

FortiADC:

diag sniffer packet any "host <FAZ_IP> and port 514" 4

exe telnet <FAZ_IP> 514

exe telnet 10.47.3.20 514

10.47.3.20
Connection closed by foreign host

'Connection closed by foreign host' is printed only after the TCP connection to port 514 was established, so it confirms that the FortiAnalyzer port is reachable; the FortiAnalyzer then closes the session because telnet does not start the TLS/OFTP exchange it expects.

exe traceroute <FAZ_IP>

exe traceroute 10.47.3.20
traceroute to 10.47.3.20 (10.47.3.20), 30 hops max, 46 byte packets
1 10.47.31.254 (10.47.31.254) 0.211 ms 0.169 ms 0.093 ms
2 10.47.3.20 (10.47.3.20) 1.183 ms 0.468 ms 0.518 ms

exe ping <FAZ_IP>

exe ping 10.47.3.20
PING 10.47.3.20 (10.47.3.20): 56 data bytes
64 bytes from 10.47.3.20: icmp_seq=1 ttl=63 time=2.4 ms
64 bytes from 10.47.3.20: icmp_seq=2 ttl=63 time=0.7 ms
64 bytes from 10.47.3.20: icmp_seq=3 ttl=63 time=0.6 ms
64 bytes from 10.47.3.20: icmp_seq=4 ttl=63 time=0.6 ms
64 bytes from 10.47.3.20: icmp_seq=5 ttl=63 time=0.6 ms

--- 10.47.3.20 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.6/0.9/2.4 ms

FortiAnalyzer:

diag sniffer packet any "host <FAZ_IP> and port 514" 4

exe ping <FortiADC_IP>

exe ping 10.47.17.245
PING 10.47.17.245 (10.47.17.245): 56 data bytes
64 bytes from 10.47.17.245: seq=0 ttl=63 time=0.737 ms
64 bytes from 10.47.17.245: seq=1 ttl=63 time=0.707 ms
64 bytes from 10.47.17.245: seq=2 ttl=63 time=0.725 ms
64 bytes from 10.47.17.245: seq=3 ttl=63 time=0.703 ms

--- 10.47.17.245 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.703/0.718/0.737 ms

execute traceroute <FortiADC_IP>

execute traceroute 10.47.17.245
traceroute to 10.47.17.245 (10.47.17.245), 32 hops max, 84 byte packets
1 10.47.15.254 0 ms 0 ms 0 ms
2 10.47.17.245 1 ms 0 ms 0 ms

If basic connectivity works as expected, run the OFTP debug on each side to investigate further.
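To make the telnet check above reproducible from a script, here is an added example (not Fortinet code and not part of the original article) that classifies what a TCP connect to the OFTP port does. It separates 'refused' (the host answers, nothing listens or a firewall rejects), 'timeout' (no answer at all) and an accepted connection that the peer closes, which is exactly what telnet reports as 'Connection closed by foreign host'. The two loopback listeners are constructed stand-ins so the script runs offline; OFTP_PORT, check_tcp and the helper names are this example's own, not a Fortinet API.

```python
"""Classify a TCP connect to the FortiAnalyzer OFTP port (514) the way the
'exe telnet <FAZ_IP> 514' output above is read. Added example, not Fortinet code."""
import socket
import threading
from typing import Tuple

OFTP_PORT = 514  # FortiAnalyzer OFTP listener checked by the sniffer/telnet commands above


def check_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Return one of:
      'refused'             RST came back: host reachable, nothing listening or a firewall rejects
      'timeout'             no SYN/ACK within the timeout: routing, filtering or host down
      'open:closed-by-peer' handshake completed and the listener closed (telnet shows this as
                            'Connection closed by foreign host': port reachable, no OFTP spoken)
      'open:silent'         handshake completed, listener still waiting for data
      'open:data'           handshake completed and the listener sent bytes first
      'error:<errno>'       any other socket error
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "refused"
        except (socket.timeout, TimeoutError):
            return "timeout"
        except OSError as e:
            return f"error:{e.errno}"
        try:
            data = s.recv(1)  # we send nothing, like telnet; see what the peer does
        except (socket.timeout, TimeoutError):
            return "open:silent"
        except ConnectionResetError:
            return "open:closed-by-peer"
        except OSError as e:
            return f"error:{e.errno}"
        return "open:data" if data else "open:closed-by-peer"


def start_accept_and_close_listener() -> Tuple[str, int]:
    """Constructed stand-in for a listener that accepts a connection and closes it
    at once (the behaviour behind 'Connection closed by foreign host'). Binds a
    free loopback port and returns (host, port); demo assumption only."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    host, port = srv.getsockname()

    def serve_once() -> None:
        conn, _ = srv.accept()
        conn.close()  # FIN to the client: its recv() returns b''
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return host, port


def free_loopback_port() -> int:
    """Constructed helper: a loopback port with nothing listening, to show 'refused'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Demo against the constructed listeners. For a real check, point it at the
    # FortiAnalyzer instead, e.g. check_tcp("<FAZ_IP>", OFTP_PORT).
    host, port = start_accept_and_close_listener()
    print(f"{host}:{port} ->", check_tcp(host, port))
    closed = free_loopback_port()
    print(f"127.0.0.1:{closed} ->", check_tcp("127.0.0.1", closed))
```

Read the result the same way as the CLI output: 'refused' or 'timeout' is a network or firewall problem between the two devices, while any 'open:' result means TCP/514 is reachable and the next step is the OFTP debug.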

 

On FortiADC:

diag debug module miglogd oft_detail set
Unknown debug switch.
diag debug enable

index 0,fd 13 event 1
recv a cmd to test faz rvid 1
vdom: root,==>Found server 10.47.3.20, refcnt: 1
vid is 0 ,vname root
xqueue size=0x8000
vdom: root, init oftp...
(__ssl_cert_ctx_add : 175) Added certfile /etc/ca2/FortiADC.crt, keyfile /etc/ca2/FortiADC.key
idx 0 (default) certnum:1 rootcaname:/etc/ca2/cacert.pem
(__ssl_cert_ctx_add : 175) Added certfile /etc/defaultcert/FortiADC.crt, keyfile /etc/defaultcert/FortiADC.key
idx 1 certnum:2 rootcaname:/etc/defaultcert/cacert.pem
(__ssl_set_hostname : 879) Set hostname 'fortinet-ca2.fortinet.com'
vdom root:trying connect 10.47.3.20...
index 0,fd 13 event 1
recv a cmd to check faz status,rvid 1
status_str:tcp_connecting
status_str_detail:N/A
vdom: root ,try connect[10.47.3.20]: fd=66, oftp.status=0x11

.........................

..........................

oftp_ssl_connect: vdom root,ssl done fd=66...
ID is FADV010000XXXXXX, size 20
Gen system info:
Version: FortiADC-KVM v7.2.4,build0249,240112 (GA)
Serial-Number: FADV010000XXXXXX

oftp_auth_send: vdom: root, auth send done fd=66...
oftp_auth_recv: vdom=root fd=66, buf_pos=0,buf_len=12
oftp_auth_recv: read again : errno=Resource temporarily unavailable
vdom: root,continue status 0x14, fd=66, want_events=5
vdom: root ,try connect[10.47.3.20]: fd=66, oftp.status=0x14
oftp_auth_recv: vdom=root fd=66, buf_pos=0,buf_len=12
oftp_auth_recv: read again : errno=Resource temporarily unavailable
...........................

................................
vdom: root,is_test, DO NOT try to connect[10.47.3.20]
index 0,fd 13 event 1
recv a cmd to check faz status,rvid 1
status_str:failed
status_str_detail:vdom root,login failed: -20

Here, the debug shows that the FortiADC reaches the FortiAnalyzer, completes the TLS handshake ('ssl done') and sends its authentication, but never receives a valid response back: the status ends as 'failed' with 'login failed: -20'.

From FortiAnalyzer:

diag debug app oftpd 8 x.x.x.x (where x.x.x.x is the IP of the device that connects to the FortiAnalyzer, here the FortiADC; a device name can be used instead, but the IP is preferable)
diag debug enable

diag debug app oftpd 8 10.47.17.245
oftpd debug filter: filter(string)==10.47.17.245

diag debug enable

[T3424:oftps.c:1831 :10.47.17.245] SSL clienthello incoming on sockfd[25]
[T3424:oftps.c:1240 :10.47.17.245] dft-idx=0 inited=1.
[T3424:oftps.c:1666 :10.47.17.245] SSL socket[25] pid[1580] ssl[0x561984d6db10] SSL_new() success.
[T3426:oftps.c:1557 :10.47.17.245] ssl verify peer cert
[T3426:oftps.c:1579 :10.47.17.245] Peer cert info, organizationName(o=Fortinet).
[T3426:oftps.c:1582 :10.47.17.245] Peer cert info, CommonName(CN=FortiADCVM).
[T3426:oftps.c:1843 :10.47.17.245] SSL_accept one client SUCCESS [ protocol : (772) TLS 1.3 ]
[T3426:oftps.c:1875 :10.47.17.245] SSL socket[25] pid[1580] ssl[0x561984d6db10] SSL_accepted
[T3422:oftps.c:1933 :10.47.17.245] SSL socket[25] pid[1580] ssl[0x561984d6db10] received [237] bytes:
[T3422:main.c:4174 :10.47.17.245] handle LOGIN_REQUEST_LEGACY
[T3426:login.c:3214 :10.47.17.245] host = 'Wira-kvm34'
[T3426:login.c:3243 :10.47.17.245] Version: FortiADC-KVM v7.2.4,build0249,240112 (GA)
Serial-Number: FADV010000XXXXXX
[T3426:login.c:335 :10.47.17.245] os_type(17) os_ver(7) mr(2) patch(4) build(249) beta(-1)
[T3426:login.c:3219 :10.47.17.245] vdom = 1
[T3426:oftps.c:1999 FADV010000XXXXXX:10.47.17.245] SSL socket[25] pid[1580] ssl[0x561984d6db10] sent [34] bytes:
[T3428:login.c:422 FADV010000XXXXXX:10.47.17.245] add unregistered device id:FADV010000XXXXXX, device:Wira-kvm34, ha_mode:0, ha_group_name:.
[T3428:login.c:2083 FADV010000XXXXXX:10.47.17.245] Warn Couldn't register DVM device due to can not register this device, error code -1002
[T3422:main.c:894 FADV010000XXXXXX:10.47.17.245] Client connection closed. Reason 0(OK)
[T3422:oftps.c:2018 FADV010000XXXXXX8:10.47.17.245] SSL pid[1580] ssl[0x561984d6db10] shuting down sockfd[25] ip[10.47.17.245] connected[1]
[T3422:oftps.c:2037 FADV010000XXXXXX:10.47.17.245] SSL_shutdown SUCCESS
[T3422:oftps.c:2045 FADV010000XXXXXX:10.47.17.245] SSL socket[25] pid[1580] ssl[0x561984d6db10] destroy_SSL_context

Here, the FortiAnalyzer accepted the TLS session and handled the login request from the FortiADC, but could not register the device (error code -1002) and closed the connection.

As a result, it is necessary to add the FortiADC device serial number manually in FortiAnalyzer.
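As an added example (not part of the article and not Fortinet tooling), the script below parses constructed copies of both debug transcripts above, pulls out the fields that decide the case (last status_str and the login error code on the FortiADC side; peer certificate CN, TLS version, hostname, serial and the registration error code on the FortiAnalyzer side) and turns them into the same verdict the article reaches. The dataclass and function names and the regular expressions are assumptions about the line formats shown above, not a documented Fortinet schema.

```python
"""Triage the OFTP debug transcripts from both sides and turn them into a verdict.
Added example, not Fortinet code; the sample lines are constructed from the
debug output shown above."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of the FortiADC 'diag debug module miglogd' output above.
FORTIADC_DEBUG = """\
vdom: root,==>Found server 10.47.3.20, refcnt: 1
vdom: root, init oftp...
vdom root:trying connect 10.47.3.20...
status_str:tcp_connecting
status_str_detail:N/A
oftp_ssl_connect: vdom root,ssl done fd=66...
oftp_auth_send: vdom: root, auth send done fd=66...
oftp_auth_recv: read again : errno=Resource temporarily unavailable
vdom: root,is_test, DO NOT try to connect[10.47.3.20]
status_str:failed
status_str_detail:vdom root,login failed: -20
"""

# Constructed sample of the FortiAnalyzer 'diag debug app oftpd 8' output above.
FAZ_DEBUG = """\
[T3424:oftps.c:1831 :10.47.17.245] SSL clienthello incoming on sockfd[25]
[T3426:oftps.c:1582 :10.47.17.245] Peer cert info, CommonName(CN=FortiADCVM).
[T3426:oftps.c:1843 :10.47.17.245] SSL_accept one client SUCCESS [ protocol : (772) TLS 1.3 ]
[T3422:main.c:4174 :10.47.17.245] handle LOGIN_REQUEST_LEGACY
[T3426:login.c:3214 :10.47.17.245] host = 'Wira-kvm34'
[T3428:login.c:422 FADV010000XXXXXX:10.47.17.245] add unregistered device id:FADV010000XXXXXX, device:Wira-kvm34, ha_mode:0, ha_group_name:.
[T3428:login.c:2083 FADV010000XXXXXX:10.47.17.245] Warn Couldn't register DVM device due to can not register this device, error code -1002
[T3422:main.c:894 FADV010000XXXXXX:10.47.17.245] Client connection closed. Reason 0(OK)
"""

# Assumed shape of an oftpd line: [T<thread>:<file>:<line> <serial-or-empty>:<ip>] <message>
FAZ_LINE = re.compile(r"^\[T\d+:[\w.]+:\d+ (?P<serial>[^\s:]*):(?P<ip>[\d.]+)\] (?P<msg>.*)$")


@dataclass
class DeviceSide:
    faz_server: Optional[str] = None   # server the FortiADC resolved from its log setting
    tls_done: bool = False             # 'ssl done' seen: TLS handshake completed
    auth_sent: bool = False            # 'auth send done' seen: login request went out
    status: Optional[str] = None       # last status_str value
    login_error: Optional[int] = None  # code from 'login failed: <n>'


@dataclass
class FazSide:
    client_ip: Optional[str] = None
    peer_cn: Optional[str] = None
    tls_version: Optional[str] = None
    device_host: Optional[str] = None
    device_serial: Optional[str] = None
    register_error: Optional[int] = None  # 'error code <n>' on the register failure
    closed_ok: bool = False


def parse_device_side(text: str) -> DeviceSide:
    r = DeviceSide()
    for line in text.splitlines():
        if m := re.search(r"Found server (\d+\.\d+\.\d+\.\d+)", line):
            r.faz_server = m.group(1)
        elif "ssl done" in line:
            r.tls_done = True
        elif "auth send done" in line:
            r.auth_sent = True
        elif m := re.match(r"status_str:(\S+)", line):
            r.status = m.group(1)
        elif m := re.search(r"login failed: (-?\d+)", line):
            r.login_error = int(m.group(1))
    return r


def parse_faz_side(text: str) -> FazSide:
    r = FazSide()
    for line in text.splitlines():
        m = FAZ_LINE.match(line)
        if not m:
            continue  # continuation lines such as 'Serial-Number: ...'
        r.client_ip = r.client_ip or m.group("ip")
        if m.group("serial"):
            r.device_serial = m.group("serial")
        msg = m.group("msg")
        if cn := re.search(r"CommonName\(CN=([^)]+)\)", msg):
            r.peer_cn = cn.group(1)
        elif ver := re.search(r"protocol : \(\d+\) (.+?) \]", msg):
            r.tls_version = ver.group(1)
        elif h := re.search(r"host = '([^']+)'", msg):
            r.device_host = h.group(1)
        elif err := re.search(r"register DVM device.*error code (-?\d+)", msg):
            r.register_error = int(err.group(1))
        elif "Client connection closed" in msg and "(OK)" in msg:
            r.closed_ok = True
    return r


def diagnose(dev: DeviceSide, faz: FazSide) -> Tuple[str, List[str]]:
    """Return (verdict, findings); verdicts: transport, register_manually, login_rejected, ok."""
    findings: List[str] = []
    if dev.faz_server is None:
        findings.append("FortiADC has not resolved a FortiAnalyzer server: check the log setting")
        return "transport", findings
    if not dev.tls_done:
        findings.append(f"TLS to {dev.faz_server}:514 never completed: check reachability "
                        "(sniffer, telnet to 514) and the certificates on both sides")
        return "transport", findings
    if faz.peer_cn and faz.tls_version:
        findings.append(f"FortiAnalyzer accepted the {faz.tls_version} session from "
                        f"CN={faz.peer_cn}, so transport and certificates are fine")
    if faz.register_error is not None:
        who = faz.device_serial or faz.client_ip or "the device"
        host = f" ({faz.device_host})" if faz.device_host else ""
        findings.append(f"FortiAnalyzer could not auto-register {who}{host} (error code "
                        f"{faz.register_error}): add the serial number manually in FortiAnalyzer")
        return "register_manually", findings
    if dev.status == "failed" and dev.login_error is not None:
        findings.append(f"OFTP login failed with code {dev.login_error} but the FortiAnalyzer "
                        "debug shows no registration error: capture oftpd debug for this IP")
        return "login_rejected", findings
    return "ok", findings


if __name__ == "__main__":
    verdict, findings = diagnose(parse_device_side(FORTIADC_DEBUG), parse_faz_side(FAZ_DEBUG))
    print(verdict)
    for f in findings:
        print(" -", f)
```

The ordering in diagnose mirrors the article: a missing server or an incomplete TLS handshake is a transport problem to chase with the sniffer and telnet checks, whereas a completed TLS session plus a registration error on the FortiAnalyzer side means the fix is to add the device serial manually.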

 

Screenshot 2024-04-05 001406.png

After the device has been added, the FortiADC will be seen in FortiAnalyzer.

Screenshot 2024-04-05 002022.png

The FortiAnalyzer status on the FortiADC then changes from 'disconnected' to 'connected':

Screenshot 2024-04-05 002147.png
