Cannot add devices

onurd0gan
2019/04/29 05:54:59

Hello,
I have FortiGate and FortiManager VM trial version 6.0.2. I could not add the FortiGate to FortiManager.
There is no connectivity problem between the FortiGate and FortiManager, but I get a "Probe Failed" error. The FMG protocol is enabled on the related interface. I checked the task monitor logs on FortiManager and saw "Cannot communicate with remote device (tunnel is down)", with "2019-04-29 15:14:24:fgfmstarterror" in the description.

What might be the problem?

Thank you,
#1
brazz_FTNT
Re: Cannot add devices 2019/04/29 08:17:59
Hey, 
 
Is there any full inspection happening between the FGT and FMG? What is the network topology?
Thanks
 
#2
onurd0gan
Re: Cannot add devices 2019/04/30 06:06:19
Hey,
 
It is in my VM lab environment (VMware Fusion).
There is no other device between them.
 
thanks
#3
brazz_FTNT
Re: Cannot add devices 2019/04/30 08:33:29
Thanks for the reply. 
 
Can you check (on the FGT)
config system central-management
get

and

can you check (on the FMG)
config system global
get

I am actually looking for the level of encryption on both of these.
 
Cheers
 
#4
onurd0gan
Re: Cannot add devices 2019/04/30 08:53:13
Hello,
I added the output, thank you
FMG-VM64 # config system gl
 
(global)# get
admin-lockout-duration: 60
admin-lockout-threshold: 3
adom-mode           : normal 
adom-rev-auto-delete: by-revisions 
adom-rev-max-backup-revisions: 5
adom-rev-max-revisions: 120
adom-select         : enable 
adom-status         : enable 
clt-cert-req        : disable 
console-output      : standard 
country-flag        : enable 
create-revision     : disable 
daylightsavetime    : enable 
default-disk-quota  : 1000
detect-unregistered-log-device: enable 
device-view-mode    : regular 
dh-params           : 2048 
disable-module      : 
enc-algorithm       : high 
faz-status          : disable 
fgfm-local-cert     : (null)
fgfm-ssl-protocol   : tlsv1.2 
ha-member-auto-grouping: enable 
hitcount_concurrent : 100
hitcount_interval   : 300
hostname            : FMG-VM64 
import-ignore-addr-cmt: disable 
language            : english 
latitude            : (null)
ldap-cache-timeout  : 86400
ldapconntimeout     : 60000
log-checksum        : none 
log-forward-cache-size: 0
longitude           : (null)
max-running-reports : 1
oftp-ssl-protocol   : tlsv1.2 
partial-install     : disable 
perform-improve-by-ha: disable 
policy-hit-count    : disable 
policy-object-in-dual-pane: disable 
pre-login-banner    : disable 
remoteauthtimeout   : 10
search-all-adoms    : disable 
ssl-low-encryption  : disable 
ssl-protocol        : tlsv1.2 
ssl-static-key-ciphers: enable 
task-list-size      : 2000
timezone            : (GMT+3:00) Istanbul.
tunnel-mtu          : 1500
usg                 : enable 
vdom-mirror         : disable 
webservice-proto    : tlsv1.2 
workspace-mode      : disabled 
 
FortiGate-VM64 # config system central-management 
 
FortiGate-VM64 (central-management) # get
mode                : normal 
type                : fortimanager 
schedule-config-restore: enable 
schedule-script-restore: enable 
allow-push-configuration: enable 
allow-push-firmware : enable 
allow-remote-firmware-upgrade: enable 
allow-monitor       : enable 
serial-number       : 
fmg                 : "10.10.231.221"
fmg-source-ip       : 0.0.0.0
fmg-source-ip6      : ::
vdom                : root 
server-list:
include-default-servers: enable 
enc-algorithm       : low 
#5
brazz_FTNT
Re: Cannot add devices 2019/04/30 08:58:19
Thanks 
 
Can you set (on the FGT)
enc-algorithm to default and try the connection one more time?
 
Thanks
 
#6
onurd0gan
Re: Cannot add devices 2019/04/30 09:06:24
Hello,
 
I tried, but probe failed again.
 

7.712600 port1 in 10.10.231.221.42888 -> 10.10.231.110.541: rst 3489118224 ack 2398539591
18.925384 port1 out 10.10.231.110.2680 -> 10.10.231.221.541: syn 387565312 
18.925550 port1 in 10.10.231.221.541 -> 10.10.231.110.2680: syn 1708240234 ack 387565313 
18.925577 port1 out 10.10.231.110.2680 -> 10.10.231.221.541: ack 1708240235 
18.925845 port1 out 10.10.231.110.2680 -> 10.10.231.221.541: psh 387565313 ack 1708240235 
18.925897 port1 in 10.10.231.221.541 -> 10.10.231.110.2680: ack 387565416 
19.926431 port1 in 10.10.231.221.541 -> 10.10.231.110.2680: rst 1708240235 ack 387565416 
 
231.221 is the manager. Why are RST packets sent?
#7
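Added example (not part of any post in this thread, and not Fortinet code): a small Python classifier for the sniffer output in the post above. It separates a missing SYN/ACK, which is a network problem, from a reset that arrives only after the TCP handshake and the first payload, which is the pattern in this capture and shows the peer on port 541 is reachable but aborts the session; the verdict labels are this example's own.

```python
import re

# Sniffer lines copied from the post above; 10.10.231.221 is the FortiManager.
TRACE = """\
7.712600 port1 in 10.10.231.221.42888 -> 10.10.231.110.541: rst 3489118224 ack 2398539591
18.925384 port1 out 10.10.231.110.2680 -> 10.10.231.221.541: syn 387565312
18.925550 port1 in 10.10.231.221.541 -> 10.10.231.110.2680: syn 1708240234 ack 387565313
18.925577 port1 out 10.10.231.110.2680 -> 10.10.231.221.541: ack 1708240235
18.925845 port1 out 10.10.231.110.2680 -> 10.10.231.221.541: psh 387565313 ack 1708240235
18.925897 port1 in 10.10.231.221.541 -> 10.10.231.110.2680: ack 387565416
19.926431 port1 in 10.10.231.221.541 -> 10.10.231.110.2680: rst 1708240235 ack 387565416
"""
LINE = re.compile(r"^\d+\.\d+ \S+ (?:in|out) (\S+) -> (\S+): (.+)$")

def parse(trace):
    """Yield (src, dst, flags) per line; flags is a set such as {'syn', 'ack'}."""
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2), {w for w in m.group(3).split() if w.isalpha()}

def classify(trace):
    """Map each TCP flow ('first sender -> first receiver') to a verdict label."""
    flows = {}
    for src, dst, flags in parse(trace):
        st = flows.setdefault(frozenset((src, dst)), {"first": (src, dst),
             "client": None, "synack": False, "data_from": None, "rst_by": None})
        if flags == {"syn"}:
            st["client"] = src               # bare SYN identifies the initiator
        elif flags == {"syn", "ack"}:
            st["synack"] = True
        elif "psh" in flags and st["data_from"] is None:
            st["data_from"] = src            # who sent the first payload
        if "rst" in flags:
            st["rst_by"] = src
    out = {}
    for st in flows.values():
        a, b = st["first"]
        if st["client"] is None:             # capture started mid-flow
            verdict = "RESET_NO_HANDSHAKE_SEEN" if st["rst_by"] else "PARTIAL"
        elif not st["synack"]:
            verdict = "NO_SYNACK"            # unreachable or filtered: a network problem
        elif st["rst_by"] and st["rst_by"] != st["client"] and st["data_from"] == st["client"]:
            verdict = "RESET_AFTER_DATA"     # TCP is fine; the peer aborted after the first payload
        else:
            verdict = "RESET" if st["rst_by"] else "NO_RESET"
        out[f"{a} -> {b}"] = verdict
    return out
```

A `RESET_AFTER_DATA` verdict on port 541 is a reason to compare the protocol and encryption settings on both ends, as the thread goes on to do, rather than to look for a routing or firewall issue.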
brazz_FTNT
Re: Cannot add devices 2019/04/30 09:13:36
On the FMG side,
let's try setting
fgfm-ssl-protocol to sslv3 just to test the connection.
 
Thanks
 
#8
onurd0gan
Re: Cannot add devices 2019/04/30 09:25:04
Hello,
 
Thank you for your support, I solved the problem by setting enc-algorithm to low on FMG.
 
thanks
 
 
 
#9
makco10
Re: Cannot add devices 2019/09/02 15:11:12
Thanks!
 
This config solved my issue:
FortiManager:

Fortigate:

 
Regards.

#10
hirvimies
Re: Cannot add devices 2019/09/11 00:36:11
When I tried out FortiManager and FortiGates as VMs in a virtual environment, I also had a problem getting it to work. I managed to work around it, but I couldn't get full functionality (IPSEC VPN) since the FG-VM was lacking strong encryption. Using physical FortiGates was the best solution, but I think you can license the VM to get stronger encryption?
 
I had to configure the following on the FortiManager CLI:
 
config system global
  set enc-algorithm low
 
I see that your enc-algorithm is set to high under system global, so this might help you.
#11