Technical Tip: FSSO disconnection and user monitor timer behavior
| Description | This article describes the user login monitor timer in case of FSSO disconnection. |
| Scope | FortiGate. |
| Solution | When users log in to the domain, the FortiGate initiates a user login timer. This timer can be viewed using the following command:
diagnose firewall auth list
In the event of an intermittent FSSO disconnection, FortiGate removes user authentication entries based on the configured user cache (logon) timeout. This timeout determines how long a user entry is retained when FSSO connectivity is lost. The user cache timer can be configured using the following command:
config user fsso
    edit <server name>
        set logon-timeout <in minutes>    <-- 1 - 2880, default = 5.
end
User logins can appear as 'logged in a few minutes ago' even though the user logged in much earlier. This occurs because the login timers are refreshed after FSSO connectivity is restored.
If the logon-timeout is configured appropriately, FortiGate does not remove user entries until the timer expires. When the FSSO connection is re-established, FortiGate refreshes the timers rather than creating new entries. As a result, the login time may appear recent, even though the user session has been active for a longer period. |
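
The timer behavior described above, as a simplified Python model. This is an added example, not Fortinet code: the class and method names, the whole-minute clock, the `>=` expiry comparison and the user `alice` are assumptions, and the model does not cover how a removed user is learned again after reconnection.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class FssoUserCache:
    """Toy model of FortiGate's FSSO user entries; time is in whole minutes."""
    logon_timeout: int = 5                      # 'set logon-timeout' (1-2880, default 5)
    lost_at: Optional[int] = None               # minute the FSSO link dropped, None = up
    entries: Dict[str, List[int]] = field(default_factory=dict)  # user -> [logon, timer start]

    def logon(self, user: str, now: int) -> None:
        self.entries[user] = [now, now]

    def disconnect(self, now: int) -> None:
        self.lost_at = now

    def expire(self, now: int) -> None:
        # While the link is down, entries are kept only until logon-timeout runs out.
        # Assumption: expiry is checked as "elapsed >= timeout".
        if self.lost_at is not None and now - self.lost_at >= self.logon_timeout:
            self.entries.clear()

    def reconnect(self, now: int) -> None:
        self.expire(now)
        self.lost_at = None
        for entry in self.entries.values():
            entry[1] = now                      # timer refreshed, entry not recreated

    def view(self, user: str, now: int) -> Optional[dict]:
        self.expire(now)
        if user not in self.entries:
            return None
        logon, timer_start = self.entries[user]
        return {"shown_min": now - timer_start, "actual_min": now - logon}

def simulate(logon_timeout: int, outage: int) -> Optional[dict]:
    """Constructed scenario: logon at 0, link lost at 60, checked 3 min after it returns."""
    cache = FssoUserCache(logon_timeout=logon_timeout)
    cache.logon("alice", 0)
    cache.disconnect(60)
    cache.reconnect(60 + outage)
    return cache.view("alice", 60 + outage + 3)

if __name__ == "__main__":
    print(simulate(10, 7))   # entry kept, timer refreshed
    print(simulate(5, 7))    # entry removed during the outage
```

The gap between `shown_min` and `actual_min` is why the time shown for an entry should not be read as the user's original logon time when reconstructing a timeline.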

