Can't connect FGT to FAZ

Author: ichasovshik
2019/08/21 13:37:07 (permalink)


Hi Guys,
 
Can't connect FGT (ver: 6.0.5) to FAZ (ver: 6.2.1 FortiAnalyzer); connectivity test fails:
 
FGT has been added to FAZ devices:
exec log fortianalyzer test-connectivity
Failed to get FAZ's status. SSL error. (-3)
 
Capture shows the FAZ sending RST back to FGT:
 
66.345323 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: syn 1195392681
66.345952 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: syn 1231566839 ack 1195392682
66.346003 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: ack 1231566840
66.346728 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: psh 1195392682 ack 1231566840
66.346857 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: psh 1231566840 ack 1195392682
66.346885 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: ack 1231567207
66.346990 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: ack 1195392843
66.347044 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: psh 1195392843 ack 1231567207
66.347382 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: ack 1195392850
67.349171 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: rst 1231567207 ack 1195392850 << FAZ sending RST
 
Debug messages:
 
FortiGate-VM64 # diagnose debug enable
FortiGate-VM64 # diagnose debug application miglogd -1
Debug messages will be on for 30 minutes.
 
FortiGate-VM64 # <158> _rmt_connect()-1289: oftp_connect(global-faz) failed: ssl_connect() failed: 5.
<124> _rmt_connect()-1289: oftp_connect(global-faz) failed: ssl_connect() failed: 5.
<158> __handle_logs()-1236: 1212 bytes received
<158> send_report_log_buffer()-73: Fail to sent logs to reportd. err:111(Connection refused)
<124> __check_vdom_disk_usage()-2508: vfid:0 vd quota:100 total used:0
<158> __handle_logs()-1236: 2328 bytes received
<158> _rmt_connect()-1289: oftp_connect(global-faz) failed: ssl_connect() failed: 5.
<124> _rmt_connect()-1289: oftp_connect(global-faz) failed: ssl_connect() failed: 5.
 
Any idea? 
Thank you for your input and help!
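The sniffer trace quoted above already says more than "FAZ sends a RST": the sequence and acknowledgement numbers give the size of every segment, so you can see which side gave up on the TLS handshake. The following Python script is an added example for this thread, not FortiGate or FortiAnalyzer code. It parses the ten capture lines from the post, derives each data segment's payload size from the peer's acknowledgements, and reports who sent the 7-byte record before the reset. Reading a lone 7-byte record after the hellos as a TLS Alert is an assumption of the script, not something the thread states.

```python
"""Size each TCP segment in a FortiGate sniffer summary from the peer's ACKs,
to see which side aborted the TLS handshake on the OFTP port (541).

Added example for this thread; not FortiGate/FortiAnalyzer code. The capture
lines are the ones quoted in the first post; treating a 7-byte record as a
TLS Alert is an assumption of this script."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Capture from the first post: FGT 172.16.102.248:13765 -> FAZ 172.16.102.247:541.
CAPTURE = """\
66.345323 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: syn 1195392681
66.345952 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: syn 1231566839 ack 1195392682
66.346003 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: ack 1231566840
66.346728 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: psh 1195392682 ack 1231566840
66.346857 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: psh 1231566840 ack 1195392682
66.346885 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: ack 1231567207
66.346990 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: ack 1195392843
66.347044 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: psh 1195392843 ack 1231567207
66.347382 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: ack 1195392850
67.349171 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: rst 1231567207 ack 1195392850 << FAZ sending RST
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(in|out)\s+(\S+)\s+->\s+(\S+):\s+(.*)$")
FLAGS = {"syn", "ack", "psh", "fin", "rst"}
TLS_ALERT_RECORD = 5 + 2   # 5-byte record header + 2-byte alert body (level, description)


@dataclass
class Segment:
    ts: float
    direction: str          # "out" = sent by the FortiGate, "in" = sent by the FAZ
    flags: List[str]
    seq: Optional[int]      # sequence number carried by syn/psh/fin/rst
    ack: Optional[int]


def parse_line(line: str) -> Optional[Segment]:
    """Parse one 'diagnose sniffer packet' summary line; trailing notes are ignored."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, _iface, direction, _src, _dst, rest = m.groups()
    flags, seq, ack = [], None, None
    tokens = rest.split()
    i = 0
    while i + 1 < len(tokens) and tokens[i] in FLAGS:
        flag, value = tokens[i], tokens[i + 1]
        flags.append(flag)
        if flag == "ack":
            ack = int(value)
        else:
            seq = int(value)
        i += 2
    return Segment(float(ts), direction, flags, seq, ack)


def payload_size(seg: Segment, segments: List[Segment]) -> Optional[int]:
    """Bytes carried by a data segment = first peer ACK beyond its seq, minus its seq.
    This works from the summary alone, without the packet bytes."""
    peer_acks = [s.ack for s in segments
                 if s.direction != seg.direction and s.ack is not None and s.ack > seg.seq]
    return min(peer_acks) - seg.seq if peer_acks else None


def diagnose(capture: str) -> dict:
    """Summarise the handshake: hello sizes, who sent the alert, who sent the reset."""
    segments = [s for s in map(parse_line, capture.splitlines()) if s is not None]
    result = {"client_hello_bytes": None, "server_flight_bytes": None,
              "alert_sender": None, "reset_by": None}
    for seg in segments:
        if "psh" not in seg.flags or seg.seq is None:
            continue
        size = payload_size(seg, segments)
        if seg.direction == "out" and result["client_hello_bytes"] is None:
            result["client_hello_bytes"] = size          # FGT's first record: ClientHello
        elif seg.direction == "in" and result["server_flight_bytes"] is None:
            result["server_flight_bytes"] = size         # FAZ's first flight: ServerHello...
        elif size == TLS_ALERT_RECORD and result["alert_sender"] is None:
            # A lone 7-byte record right after the hellos has the size of a TLS Alert:
            # the side that sends it is the side refusing the other side's parameters.
            result["alert_sender"] = "FortiGate" if seg.direction == "out" else "FortiAnalyzer"
    for seg in segments:
        if "rst" in seg.flags:
            result["reset_by"] = "FortiGate" if seg.direction == "out" else "FortiAnalyzer"
            break
    return result


if __name__ == "__main__":
    for key, value in diagnose(CAPTURE).items():
        print(f"{key:>20}: {value}")
```

On the posted capture the script finds a 161-byte ClientHello from the FortiGate, a 367-byte reply from the FortiAnalyzer, then a 7-byte record sent by the FortiGate, and only a second later the RST from the FortiAnalyzer. Read that way, the FortiGate is the side that refused what the FAZ offered, which lines up with the miglogd `ssl_connect() failed` messages; the RST is the consequence of the aborted handshake, not its cause.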
#1
Frosty
Re: Can't connect FGT to FAZ 2019/08/21 22:29:48 (permalink)
Do you have Encryption enabled in the Fortigate where the connection to the FAZ is specified?  I had a similar issue after I upgraded our FAZ to v6.2 and that was the solution for my scenario:
 
https://forum.fortinet.com/tm.aspx?m=177233
#2
Andy Bailey
Re: Can't connect FGT to FAZ 2019/08/22 02:22:49 (permalink)
Hi guys,
 
I have a ticket open for similar issues (ticket 3438751).
 
In my case connection is fine initially and logs are reported into FAZ. Then after a period of hours (12 or so) the logging stops and the Fortigate shows as "disconnected" from the FAZ.
 
I also can't get the "connectivity test" to work and am seeing "unable to retrieve FortiAnalyzer serial number" messages from GUI too. I'm running 6.2.1 on the Fortigate.
 
So far support have acknowledged that the FAZ is sending resets and are investigating further. They have also created a similar ticket to investigate from the Fortigate perspective.
 
In my case I have encryption enabled so doesn't seem to be related to that.
 
If I get any interesting updates I'll add them to the thread.
 
Kind Regards,
 
 
Andy.
 
 
#3
ichasovshik
Re: Can't connect FGT to FAZ 2019/08/22 07:57:01 (permalink)
Thank you Frosty!
 
Do you recall what was the command on FGT?
These are my current settings:
FortiGate-VM64 # get log fortianalyzer setting
status : enable
ips-archive : enable
server : 172.16.x.x
enc-algorithm : low
ssl-min-proto-version: default
conn-timeout : 10
monitor-keepalive-period: 5
monitor-failure-retry-period: 5
certificate :
source-ip :
upload-option : realtime
reliable : enable
 
How to make sure that Encryption is enabled?
 
Thank you!
#4
ichasovshik
Re: Can't connect FGT to FAZ 2019/08/22 08:44:17 (permalink)
Thank you so much Andy! Appreciate your help!
#5
Frosty
Re: Can't connect FGT to FAZ 2019/08/22 15:17:55 (permalink)
In our FG200E config backup, the settings show as follows:
 
config log fortianalyzer setting
set status enable
set server "10.x.y.z"
set enc-algorithm high-medium
set upload-option 1-minute
set reliable enable
end
 
So the thing that I notice there is the encoding algorithm set to high-medium instead of low.
 
If that's not it, then I don't know what else to suggest, so maybe you'll need to let Fortigate Support figure it out.
#6
ichasovshik
Re: Can't connect FGT to FAZ 2019/08/22 15:41:53 (permalink)
Thank you Stephen!
In FGT Firmware v6.0.5 build0268 (GA), under "config log fortianalyzer setting" there is only the "low" option:
 
FortiGate-VM64 (setting) # set enc-algorithm ?
low Encrypt logs using all encryption algorithms.
 
Still doesn't work
 
Thanks,
Igor
 
 
 
#7
genar
Re: Can't connect FGT to FAZ 2019/08/26 00:44:22 (permalink)
hi guys,
I am having the same issue with my lab on VM workstation, with the same error message.
but now it is solved for me.
this is my config :
 
on Fortigate :
FortiGate-VM64-1 # config log fortianalyzer setting
FortiGate-VM64-1 (setting) # set status enable
FortiGate-VM64-1 (setting) # set server 172.16.10.250
FortiGate-VM64-1 (setting) # set reliable enable
FortiGate-VM64-1 (setting) # get
status : enable
ips-archive : enable
server : 172.16.10.250
certificate-verification: enable
serial :
access-config : enable
enc-algorithm : low
ssl-min-proto-version: default
conn-timeout : 10
monitor-keepalive-period: 5
monitor-failure-retry-period: 5
certificate :
source-ip :
upload-option : 5-minute
reliable : enable
 
on FAZ:
FAZVM64 # config system global
(global)# set enc-algorithm low
(global)# set ssl-low-encryption enable
(global)# set oftp-ssl-protocol tlsv1.0
(global)# end
enc-algorithm setting change will cause all existing FGFM tunnel/WebService connection reset.
Do you want to continue? (y/n)y
killall: fgfmsd: no process killed
killall: fgfmsd: no process killed
FAZVM64 #
 
I hope this works for you ;)
Thank You
 
regards
Genar
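Frosty's comparison (enc-algorithm high-medium on the FG200E versus low on the 6.0.5 VM) and genar's working settings point the same way: the session only comes up once the encryption options on both ends overlap, and in genar's case that meant lowering the FortiAnalyzer side to `low` ciphers and TLS 1.0. As an added example (not from the thread and not Fortinet code), the Python script below parses `show`-style FortiOS/FortiAnalyzer output and lists the settings that weaken the FGT to FAZ channel, so the compatibility fix stays visible in config reviews and can be undone once the FortiGate firmware offers a stronger `enc-algorithm`. The sample config is constructed from the values posted in this thread; the table of values treated as weak, and the `tlsv1.1` option in it, are this script's own assumptions.

```python
"""Audit FortiOS/FortiAnalyzer 'show' output for weak OFTP/TLS settings.

Added example for this thread, not Fortinet code. The sample config below is
constructed to mirror the values posted in the thread; the list of settings
treated as weak is this script's own assumption."""
import re
from typing import Dict, List, Tuple

# Constructed sample in 'show' layout: the FortiGate block as posted by genar,
# plus the FortiAnalyzer 'config system global' values that made it connect.
SAMPLE_SHOW = """\
config log fortianalyzer setting
    set status enable
    set server "172.16.10.250"
    set enc-algorithm low
    set upload-option 5-minute
    set reliable enable
end
config system global
    set enc-algorithm low
    set ssl-low-encryption enable
    set oftp-ssl-protocol tlsv1.0
end
"""

# (block, setting) -> values that weaken the FGT<->FAZ TLS session (assumed list;
# 'tlsv1.1' is an assumed option value, the others appear in the thread).
WEAK_VALUES: Dict[Tuple[str, str], set] = {
    ("log fortianalyzer setting", "enc-algorithm"): {"low"},
    ("system global", "enc-algorithm"): {"low"},
    ("system global", "ssl-low-encryption"): {"enable"},
    ("system global", "oftp-ssl-protocol"): {"tlsv1.0", "tlsv1.1"},
}

# Settings worth confirming when 'show' omits them: FortiOS 'show' prints only
# non-default values, so an absent line means the firmware default is in force.
DEFAULT_CHECK: List[Tuple[str, str]] = [
    ("log fortianalyzer setting", "ssl-min-proto-version"),
]

SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.+?)\s*$')


def parse_show(text: str) -> Dict[str, Dict[str, str]]:
    """Return {block path: {setting: value}} for each top-level config...end block.
    Quoted values lose their quotes; nested 'edit' tables are not needed here."""
    blocks: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("config "):
            current = stripped[len("config "):]
            blocks.setdefault(current, {})
        elif stripped == "end":
            current = None
        elif current is not None:
            m = SET_RE.match(line)
            if m:
                blocks[current][m.group(1)] = m.group(2).strip('"')
    return blocks


def audit(text: str) -> List[str]:
    """List weak values as 'block: key = value', then defaults left unconfirmed."""
    blocks = parse_show(text)
    findings = []
    for (block, key), bad in WEAK_VALUES.items():
        value = blocks.get(block, {}).get(key)
        if value in bad:
            findings.append(f"{block}: {key} = {value}")
    for block, key in DEFAULT_CHECK:
        # Only flag a missing line when the block itself is configured.
        if block in blocks and key not in blocks[block]:
            findings.append(f"{block}: {key} not set (firmware default applies)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SHOW):
        print("WEAK ", finding)
```

Run against a real config backup (`show full-configuration` output works too, since every line is then explicit), the same four weak findings appear for the settings genar posted; a FAZ whose `oftp-ssl-protocol` has been put back to TLS 1.2 and whose `ssl-low-encryption` is disabled produces none of them.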
#8
ichasovshik
Re: Can't connect FGT to FAZ 2019/08/26 17:08:03 (permalink)
 
Genar! Thank you so much! It works! 
 
Have to tell you, I spent some quality time trying to figure it out!
 
Best regards,
Igor
 
#9
ShawnZA
Re: Can't connect FGT to FAZ 2019/09/09 08:41:03 (permalink)
Our Analyzer is on 6.2.1, upgrade was done a few weeks ago. All 6 FortiGates logs were logging fine after the upgrade and all encrypted.
 
Extended the Analyzer's disk this morning as we needed more space; then, after a reboot of the Analyzer, logging stopped from one Gate. The rest are still logging fine; all Gates are on 6.05.
 
Connectivity Test:
XXXXXXW01 (global) # exec log fortianalyzer test-connectivity
FortiAnalyzer Host Name: FortiAnalyzer
FortiAnalyzer Adom Name: root
FortiGate Device ID: FGTXXXXXXXXXX
Registration: registered
Connection: allow
Adom Disk Space (Used/Allocated): 1376642217450B/2684354560000B
Analytics Usage (Used/Allocated): 1051806966946B/1879048192000B
Analytics Usage (Data Policy Days Actual/Configured): 59/90 Days
Archive Usage (Used/Allocated): 324835250504B/805306368000B
Archive Usage (Data Policy Days Actual/Configured): 365/365 Days
Log: Tx & Rx (log not received)
IPS Packet Log: Tx & Rx
Content Archive: Tx & Rx
Quarantine: Tx & Rx
 
FG log settings:
enc-algorithm: high
ssl-min-proto-version: default
conn-timeout: 10
monitor-keepalive-period: 5
monitor-failure-retry-period: 5
certificate:
source-ip : 10.1.200.254
upload-option: realtime
reliable : enable
Ex(Setting) # show
config log fortianalyzer setting
 set status enable
 set server "10.1.210.2"
 set source-ip "10.1.200.254"
 set upload-option realtime
 set reliable enable
end
#10
Joey
Re: Can't connect FGT to FAZ 2019/10/14 17:04:19 (permalink)
genar
on Fortigate :
FortiGate-VM64-1 # config log fortianalyzer setting
FortiGate-VM64-1 (setting) # set reliable enable
 
on FAZ:
FAZVM64 # config system global
(global)# set enc-algorithm low
(global)# set ssl-low-encryption enable
(global)# set oftp-ssl-protocol tlsv1.0
 
Worked like a charm!
 
Thx
#11
© 2019 APG vNext Commercial Version 5.5