Description
Scope
FortiNAC 8.x, 9.x.
Solution
Troubleshooting steps:
1) Review the affected VPN client’s entry in the database (ProbeObject) to determine what information is missing. Log in to the appliance CLI as root and enter RemoteAccess -remoteIP <client VPN IP>.
For example:
# RemoteAccess -remoteIP 172.16.196.10
If no results are returned, the proper syslog information was either not received or not processed. See KB article 224589 for troubleshooting steps.
2) If results are returned, ensure the User Name and MAC Address values are populated.
3) Proceed as appropriate:
- User Name is missing: The proper syslog information was either not received or not processed. See KB article 224589 for troubleshooting steps.
- MAC Address is missing: Agent information was either not received or not processed. See KB article 244783 for troubleshooting steps.
- Record looks correct but the client is not getting proper network access:
a) Verify that the correct Network Access policy matches. Right-click the host in the host view and select Policy Details. If the policy under the Network Access tab does not match or is blank, see KB article 197123.
b) If the correct policy matches, verify that the client's VPN IP is being removed from the NAC Network Object group in the ASA. In the appliance CLI, enter:
# nacdebug -name TelnetServer true
# tail -F /bsc/logs/output.master
c) Have the client connect.
d) Press Ctrl-C to stop the tail.
e) Disable debug:
# nacdebug -name TelnetServer false
Contact Support for further assistance. Open a support ticket and provide the following:
- Software version (x.x.x.x).
- Cisco ASA version.
- Detailed description of behavior.
- Troubleshooting steps taken.
- IP address and username of test client.
- Timeframe behavior was reproduced.
- System logs (for instructions, see KB article 190755).