Technical Tip: EAP proxy times out after 5 seconds on dial-up IKEv2 tunnel when using remote authentication server
Description: This article describes an expected 5-second timeout when users attempt to connect to a dial-up IPsec IKEv2 tunnel. It generally affects deployments where third-party multi-factor authentication is configured on the remote authentication server.

Scope: FortiOS.

Solution:

If a remote LDAP or RADIUS server takes longer than 5 seconds to respond to an authentication request from the FortiGate for an IKEv2 dial-up user, the authentication attempt fails with the following message visible in the IKE debug output:

```
diagnose debug reset
diagnose vpn ike log-filter rem-addr4 x.x.x.x    -------> Public IP of the endpoint.
diagnose debug application ike -1
diagnose debug enable

ike V=root:0:RA VPN 1:206 EAP 1073926684695 result FNBAM_TIMEOUT
```

To stop the debug, run the following commands:

```
diagnose debug disable
diagnose debug reset
```

Workaround for RADIUS servers:

Configure a longer 'remoteauthtimeout' (under 'config system global') and a longer per-server 'timeout' in 'config user radius':

```
config user radius
    edit <server name>
        set timeout <seconds>
    next
end
```

There is currently no workaround for LDAP servers; see this article: Technical Tip: Multi-Factor Authentication support for Windows FortiClient with LDAP (EAP-TTLS).

Upcoming enhancement: the connection timeout between fnbamd and eap_proxy will be increased to three times the globally configured 'remoteauthtimeout' value, giving remote authentication servers more time to respond.

In FortiOS v7.4.12 or v7.6.7, customize 'remoteauthtimeout' to allow 30 seconds for MFA:

Single-VDOM mode:

```
config system global
    set remoteauthtimeout 30
end
```

Multi-VDOM mode:

```
config global
    config system global
        set remoteauthtimeout 30
    end
end
```
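As an added example (not Fortinet's code), the following Python checker parses a FortiOS configuration snippet and reports any RADIUS server whose per-server timeout or MFA window exceeds what eap_proxy will wait, using the relationship described above: a fixed 5 seconds on affected builds, 3 x remoteauthtimeout once the enhancement is present. The sample configuration, the 30-second MFA window and the 5-second defaults are assumptions; the parser also accepts the nested multi-VDOM form.

```python
# Constructed sample: remoteauthtimeout at its (assumed) 5 s default, one
# RADIUS server with its per-server timeout raised to 30 s for an MFA push.
SAMPLE_CONFIG = """\
config system global
    set remoteauthtimeout 5
end
config user radius
    edit "mfa-radius"
        set timeout 30
    next
end
"""

def parse_fortios(text):
    """Minimal config/edit/set/next/end parser -> {section: {entry: {k: v}}}."""
    tree, section, entry = {}, None, None
    for raw in text.splitlines():
        tok = raw.strip().split(None, 2)
        if not tok:
            continue
        if tok[0] == "config":          # nested 'config' (multi-VDOM) just re-scopes
            section, entry = " ".join(tok[1:]), None
            tree.setdefault(section, {})
        elif tok[0] == "edit":
            entry = tok[1].strip('"')
            tree[section][entry] = {}
        elif tok[0] == "set":
            tree[section].setdefault(entry, {})[tok[1]] = tok[2].strip('"')
        elif tok[0] == "next":
            entry = None
        elif tok[0] == "end":
            section = entry = None
    return tree

def eap_window(cfg, enhanced):
    """eap_proxy wait: fixed 5 s on affected builds, 3 x remoteauthtimeout with the fix."""
    glob = cfg.get("system global", {}).get(None, {})
    return 3 * int(glob.get("remoteauthtimeout", 5)) if enhanced else 5

def check(text, mfa_seconds=30, enhanced=False):
    """Map RADIUS servers needing more than the EAP window to (need, window)."""
    cfg = parse_fortios(text)
    window = eap_window(cfg, enhanced)
    bad = {}
    for name, attrs in cfg.get("user radius", {}).items():
        need = max(int(attrs.get("timeout", 5)), mfa_seconds)
        if need > window:
            bad[name] = (need, window)
    return bad
```

Run `check(SAMPLE_CONFIG)` against a build without the enhancement and `check(SAMPLE_CONFIG, enhanced=True)` against v7.4.12 / v7.6.7 to see which servers still fall outside the window.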
Notes:

Related article: Technical Tip: Explaining global 'set remoteauthtimeout', user radius 'set timeout'
