acrovi
Staff
March 18, 2026

Technical Tip: Failover criteria between multiple servers configured as External Connectors (FSSO)
Description
This article describes the criteria FortiGate uses to switch the connection from one server to another configured under External Connectors (config user fsso).

Scope
FortiGate.

Solution

When configuring External Connectors on FortiGate (Fortinet Single Sign-On agents), up to 5 servers can be configured. These servers are active one at a time; they are never active simultaneously.

Furthermore, there is no way to mark one configured server as preferred over another. In practice, the 'preferred' server is configured first in the list: by default it is contacted first and, when it is no longer available, FortiGate tries the next configured server, and so on.

As long as the active server is online, no other CA (Collector Agent) server is polled or contacted.

Example configuration:

config user fsso
    edit "TEST"
        set server "10.10.10.1" <----- Main CA server.
        set password ENC XXXX
        set server2 "10.20.20.2" <----- Second CA server.
        set password2 ENC XXXXX
    next
end

It is possible to check the current FSSO server with the command 'diagnose debug authd fsso server-status':

diagnose debug authd fsso server-status

FGT_1 (vdom1) # 2025-10-31 01:59:26
Server Name Connection Status Version Address
----------- ----------------- ------- -------
2025-10-31 01:59:26 TEST connected FSSO 5.0.0325 10.10.10.1 <----- Main CA server is currently online.

Use the debug commands below to verify that FortiGate polls the active server every 10 seconds to check connectivity:

diagnose debug enable
diagnose debug application authd -1
diagnose debug application fssod -1

FGT_1 (vdom1) #
2025-10-31 02:05:04 fsae_io_ctx_process_msg[TEST]: received heartbeat 196382 <----- First heartbeat.
2025-10-31 02:05:04 authd_epoll_work: timeout 8400

2025-10-31 02:05:14 authd_epoll_work: timeout 29970
2025-10-31 02:05:14 fsae_io_ctx_process_msg[TEST]: received heartbeat 196397 <----- Second heartbeat, 10 seconds after the first.

As soon as the connection to the active server is lost, FortiGate tries the next configured server in the list; if that server is also unavailable, it tries the one after it, and so on.

The failover to the next configured server happens shortly after the first 'unreachability' message is received:

2025-10-31 02:05:45 authd_epoll_work: timeout 15790
2025-10-31 02:05:48 _event_error[TEST]: error occurred in epoll_in: Success
2025-10-31 02:05:48 disconnect_server_only[TEST]: disconnecting <----- Disconnection message.
2025-10-31 02:05:48 authd_timer_run: 1 expired
2025-10-31 02:05:48 authd_epoll_work: timeout 680
2025-10-31 02:05:48 authd_timer_run: 1 expired
2025-10-31 02:05:48 authd_epoll_work: timeout 10000
2025-10-31 02:05:48 authd_epoll_work: timeout 10000
2025-10-31 02:05:48 Server challenge: <----- Connection to second server.
2025-10-31 02:05:48 48 2025-10-31 02:05:48 01 2025-10-31 02:05:48 1b 2025-10-31 02:05:48 1e 2025-10-31 02:05:48 6a 2025-10-31 02:05:48 21 2025-10-31 02:05:48 19 2025-10-31 02:05:48 2a 2025-10-31 02:05:48 6d 2025-10-31 02:05:48 38 2025-10-31 02:05:48 bd 2025-10-31 02:05:48 33 2025-10-31 02:05:48 95 2025-10-31 02:05:48 30 2025-10-31 02:05:48 a0 2025-10-31 02:05:48 08 2025-10-31 02:05:48
2025-10-31 02:05:48 MD5 response:
2025-10-31 02:05:48 0c 2025-10-31 02:05:48 38 2025-10-31 02:05:48 4f 2025-10-31 02:05:48 69 2025-10-31 02:05:48 cc 2025-10-31 02:05:48 c6 2025-10-31 02:05:48 ca 2025-10-31 02:05:48 ee 2025-10-31 02:05:48 3a 2025-10-31 02:05:48 58 2025-10-31 02:05:48 cf 2025-10-31 02:05:48 54 2025-10-31 02:05:48 7f 2025-10-31 02:05:48 f5 2025-10-31 02:05:48 80 2025-10-31 02:05:48 1d 2025-10-31 02:05:48
2025-10-31 02:05:48 authd_epoll_work: timeout 9990
2025-10-31 02:05:48 connected_state[TEST]: entering CONNECTED state (vfid=1) <----- Server2 connected.

Then, check the current FSSO server again:

diagnose debug authd fsso server-status

FGT_1 (vdom1) #
Server Name Connection Status Version Address
----------- ----------------- ------- -------
TEST connected FSSO 5.0.0325 10.20.20.2 <----- IP of the second server.

In the current design, there is no automatic fallback to the main server once it is online and working again.

Possible workarounds are to reboot FortiGate so that it tries the first server in the list again, to stop the FSSO service process on the second server, or to change the server IP under 'config user fsso' to a dummy IP to force a failover.
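
As an added example (not part of the original article or of any Fortinet tool), the following Python parses the authd/fssod debug lines and the server-status rows shown above: it measures the heartbeat interval, pairs each 'disconnecting' message with the following 'entering CONNECTED state' to record a failover, and flags a connector that is connected to a server other than the first-listed one, since FortiGate will not fall back on its own. The sample lines are constructed from the article's output, and the function names and the 30-second pairing are my own assumptions.

```python
import re
from datetime import datetime
# "<timestamp> <function>[<connector>]: <message>", the authd/fssod debug line shape.
DEBUG_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ([^:\[]+?)(?:\[(\w+)\])?: ?(.*)$")
# One row of 'diagnose debug authd fsso server-status'; console timestamp is optional.
STATUS_RE = re.compile(
    r"^(?:\d{4}-\d\d-\d\d \d\d:\d\d:\d\d )?(\S+)\s+(\w+)\s+FSSO\s+(\S+)\s+(\d+(?:\.\d+){3})")
# Constructed sample, abridged from the debug output shown in this article.
SAMPLE_DEBUG = """\
2025-10-31 02:05:04 fsae_io_ctx_process_msg[TEST]: received heartbeat 196382
2025-10-31 02:05:14 fsae_io_ctx_process_msg[TEST]: received heartbeat 196397
2025-10-31 02:05:48 disconnect_server_only[TEST]: disconnecting
2025-10-31 02:05:48 Server challenge:
2025-10-31 02:05:48 connected_state[TEST]: entering CONNECTED state (vfid=1)
"""
SAMPLE_STATUS = "TEST connected FSSO 5.0.0325 10.20.20.2"

def parse_debug(text):
    """Return (heartbeat intervals in seconds, [(connector, lost_at, reconnected_at)])."""
    last_hb, pending, intervals, failovers = {}, {}, [], []
    for line in text.splitlines():
        m = DEBUG_RE.match(line)
        if not m:
            continue
        ts, func, conn, msg = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if msg.startswith("received heartbeat"):
            if conn in last_hb:
                intervals.append((when - last_hb[conn]).total_seconds())
            last_hb[conn] = when
        elif func == "disconnect_server_only":  # active server lost
            pending[conn] = when
        elif func == "connected_state" and conn in pending:  # next server took over
            failovers.append((conn, pending.pop(conn), when))
    return intervals, failovers

def active_servers(status_text):
    """Parse server-status rows into {connector: (state, address)}."""
    rows = {}
    for line in status_text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            name, state, _version, addr = m.groups()
            rows[name] = (state, addr)
    return rows

def needs_manual_fallback(status, connector, primary_ip):
    """True when connected, but not to the first-listed server (no auto-fallback)."""
    state, addr = status.get(connector, ("unknown", None))
    return state == "connected" and addr != primary_ip
```

Run `needs_manual_fallback` against a periodic capture of the server-status output to alert when a connector has been left on a secondary server.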

Related documents: