Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Akmostafa
New Contributor III

FortiNAC not responding to PA connections

Hi Team,

I have installed the Persistent Agent on a client computer and edited the Windows registry to specify the server IP 10.0.200.247 (port1 interface of FortiNAC).

Noted from capturing packets along the path that the agent tries to initiate the TCP connection to 10.0.200.247, but no reply is coming back to any SYN packet.
Also attached is the tcpdump from the FortiNAC (attached testfile.pcap) showing SYN packets from 172.16.14.27 to 10.0.200.247 but no SYN-ACK seen; trying to telnet to port 4568 from the client machine also fails.

The default route on FortiNAC on port1 is 10.0.200.1 (FortiGate), and from the same client machine I can access FortiNAC on its port1 IP for management on port 8443 and SSH (but not port 4568).

Tried to restart the service many times on both the client machine and the FortiNAC.

Note, it is a layer 3 deployment and the host is not in an isolation network.

Also note that it is not an SSL or certificate-related issue, because the TCP connection is failing to be established; I am not reaching the TLS negotiation phase.
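The observation in the post above (SYNs to port 4568 captured on the FortiNAC but never answered, while the management ports complete their handshakes) can be checked mechanically instead of by eye. The following Python script is an added example, not part of the original post and not a Fortinet tool: it parses `tcpdump -n` text output, groups packets into client-initiated flows, and reports flows whose SYNs never received a SYN-ACK, broken down by server port. The sample capture text embedded in it is constructed for illustration and is not the attached testfile.pcap; only the addresses 172.16.14.27 / 10.0.200.247 and the ports 4568 / 8443 are taken from the post.

```python
"""Find TCP flows in tcpdump text output whose SYNs never got a SYN-ACK."""
import re
import sys
from collections import defaultdict

# Constructed sample of `tcpdump -n` text output (NOT the thread's testfile.pcap):
# the client retransmits SYNs to port 4568 and gets nothing back, while its
# connection to the admin UI on 8443 completes the three-way handshake.
SAMPLE_TCPDUMP = """\
10:15:01.100000 IP 172.16.14.27.51234 > 10.0.200.247.4568: Flags [S], seq 1000, win 64240, length 0
10:15:02.100000 IP 172.16.14.27.51234 > 10.0.200.247.4568: Flags [S], seq 1000, win 64240, length 0
10:15:04.100000 IP 172.16.14.27.51234 > 10.0.200.247.4568: Flags [S], seq 1000, win 64240, length 0
10:15:05.000000 IP 172.16.14.27.51240 > 10.0.200.247.8443: Flags [S], seq 2000, win 64240, length 0
10:15:05.000500 IP 10.0.200.247.8443 > 172.16.14.27.51240: Flags [S.], seq 3000, ack 2001, win 65160, length 0
10:15:05.001000 IP 172.16.14.27.51240 > 10.0.200.247.8443: Flags [.], ack 3001, win 64240, length 0
10:15:08.100000 IP 172.16.14.27.51234 > 10.0.200.247.4568: Flags [S], seq 1000, win 64240, length 0
"""

# One tcpdump TCP line: "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_flows(text):
    """Group packets by (client, client_port, server, server_port).

    A packet with Flags [S] defines the client side of a flow; a Flags [S.]
    reply is mapped onto the same key by swapping its endpoints. Other
    segments (pure ACKs, data, RST) are not needed for this check.
    """
    flows = defaultdict(lambda: {"syns": 0, "synack": False, "first": None, "last": None})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-TCP, truncated or unparseable line: skip it
        flags = m["flags"]
        if flags == "S":
            key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            f = flows[key]
            f["syns"] += 1
            f["first"] = f["first"] or m["ts"]
            f["last"] = m["ts"]
        elif flags == "S.":
            key = (m["dst"], int(m["dport"]), m["src"], int(m["sport"]))
            flows[key]["synack"] = True
    return dict(flows)


def unanswered_syns(text):
    """Return [(client, cport, server, sport, syn_count), ...] for flows with no SYN-ACK."""
    out = []
    for (c, cp, s, sp), f in sorted(parse_flows(text).items()):
        if f["syns"] and not f["synack"]:
            out.append((c, cp, s, sp, f["syns"]))
    return out


def summarize_by_server_port(text):
    """Per server port: (flows seen, flows that never received a SYN-ACK)."""
    summary = defaultdict(lambda: [0, 0])
    for (_, _, _, sp), f in parse_flows(text).items():
        if not f["syns"]:
            continue  # SYN-ACK without a captured SYN: ignore
        summary[sp][0] += 1
        if not f["synack"]:
            summary[sp][1] += 1
    return {port: tuple(v) for port, v in summary.items()}


if __name__ == "__main__":
    # Pipe real output in (tcpdump -n -r file.pcap | python3 syncheck.py) or run
    # stand-alone to analyse the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TCPDUMP
    for c, cp, s, sp, n in unanswered_syns(text):
        print(f"{c}:{cp} -> {s}:{sp}: {n} SYN(s), no SYN-ACK")
    print(summarize_by_server_port(text))
```

When the capture is taken on the FortiNAC itself, as in this thread, a flow that shows up as unanswered means the host received the SYN and chose not to reply, which points at the listener or a host-level filter on that interface rather than at routing or a FortiGate policy; the per-port summary makes the contrast with the working 8443 handshakes explicit.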

1 Solution
ebilcari

Since you are running the new FNAC-F, a common mistake is forgetting to allow the service in the port configuration:

config system interface
  edit port1
    set allowaccess dhcp dns http-adminui https-adminui nac-agent ping radius-local snmp ssh syslog
  next
end

The added confusion happens because the packet capture in FNAC is still able to receive the packets, but without this command the service will not listen on that interface. Some common recommendations can also be found in this article.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.


7 Replies
AEK
SuperUser

Hi Mostafa

Have you installed a certificate (trusted by clients) on FNAC for agent communication?

If not then there will be no communication between them.

AEK
Akmostafa
New Contributor III

Hi AEK, I agree, and I have already done this step.

Again, please note that the TCP 3-way handshake is not successful.

If it were a certificate issue, I would see in the packet capture that the TCP connection is done and then a failure in TLS negotiation, but this is not the case in my situation.

Anyway, I have done this step and imported the CA that signed the PA certificate to be trusted on the client machine.

AEK

Is the port listening?

Try with telnet from your FortiGate then from the client as well.

AEK

AEK

I missed that you already tried telnet from client and it didn't work.

So can you try telnet from FortiGate?

Also try the following from the FortiNAC CLI as the root user:

  • netstat -an | grep 4568
  • telnet <FNAC-main-IP> 4568
  • tcpdump port 4568  (while trying telnet from FG and from client)
AEK
Akmostafa
New Contributor III

Telnetting from FortiGate:

FortiGate-HQ (root) # execute telnet 10.0.200.247 4568
Trying 10.0.200.247...

From FortiNAC:

fortinac # execute enter-shell
fortinac:~$ netstat -an | grep 4568
tcp6 0 0 :::4568 :::* LISTEN
fortinac:~$ telnet 10.0.200.247 4568
Connected to 10.0.200.247


Screenshot of the pcap file, taken with tcpdump on FNAC itself:

Capture.PNG

AEK

FortiGate on the same subnet can't telnet to FNAC:4568, and FortiNAC can telnet to itself on the same port. Is it possible that FortiNAC-F has an internal firewall?

systemctl status firewalld
firewall-cmd --list-all

Otherwise I don't have other ideas.

AEK