Troubleshooting Tip: FortiGate replies to a RADIUS 'disconnect-request' via the WAN interface instead of the loopback
| Description | This article describes the scenario where FortiGate receives a RADIUS 'disconnect-request' and replies via the WAN interface instead of the expected loopback interface. The disconnect-request packet can be received from FortiNAC or any other NAC appliance. |
| Scope | FortiGate. |
| Solution | If FortiNAC or another NAC appliance is designed to communicate over the loopback interface, it sends the 'disconnect-request' packet to the FortiGate to disconnect the endpoint. The appliance does not receive the reply from FortiGate in the following specific network scenario: the FortiGate might have multiple WAN links or SD-WAN with dynamic IP addresses assigned by the ISP, and the loopback interface is responsible for originating any general, management, or monitoring traffic.
In that case, if the source address has already been set in the RADIUS configuration and the correct interface is still not selected, the workaround is to kill the radius-das process from the FortiGate CLI.
fnsysctl killall radius-das
Alternatively,
diagnose sys process pidof radius-das
diagnose sys kill 11 <process_id>
|
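To confirm the symptom before and after restarting radius-das, the following added example (not part of the original article and not Fortinet code) pairs each disconnect-request with its reply in pasted sniffer output and reports replies whose source address is not the loopback address the request was sent to. It assumes the one-line-per-packet layout of `diagnose sniffer packet any 'udp port 3799' 4`, UDP port 3799 (the RFC 5176 port), and constructed sample addresses and interface names.

```python
import re

DAS_PORT = 3799  # RFC 5176 dynamic-authorization port; assumed for this deployment

# Assumed layout of a verbosity-4 sniffer line:
#   <time> <interface> <in|out> <src-ip>.<port> -> <dst-ip>.<port>: udp <len>
LINE_RE = re.compile(
    r"^\s*[\d.]+\s+(?P<ifname>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+udp\b"
)

# Constructed sample capture: 172.16.255.1 is the loopback, 198.51.100.7 a WAN address.
SAMPLE = """\
1.101000 wan1 in 10.20.30.40.51000 -> 172.16.255.1.3799: udp 38
1.102500 wan1 out 198.51.100.7.3799 -> 10.20.30.40.51000: udp 20
9.400000 wan1 in 10.20.30.40.51001 -> 172.16.255.1.3799: udp 38
9.401200 wan1 out 172.16.255.1.3799 -> 10.20.30.40.51001: udp 20
15.000000 wan2 in 10.20.30.40.51002 -> 172.16.255.1.3799: udp 38
"""

def check_das_replies(capture, loopback_ip):
    """Return (wrong-source replies, unanswered requests) for requests sent to loopback_ip."""
    pending = {}   # (nac_ip, nac_port) -> True while a request awaits its reply
    findings = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # sniffer banner, blank lines, non-UDP packets
        src, dst = m["src"], m["dst"]
        sport, dport = int(m["sport"]), int(m["dport"])
        if m["dir"] == "in" and dport == DAS_PORT and dst == loopback_ip:
            pending[(src, sport)] = True
        elif m["dir"] == "out" and sport == DAS_PORT:
            if pending.pop((dst, dport), None) is None:
                continue  # reply with no captured request to the loopback
            if src != loopback_ip:
                # The NAC sent to the loopback, so it will not match this reply.
                findings.append({"nac": dst, "expected_src": loopback_ip,
                                 "actual_src": src, "egress": m["ifname"]})
    return findings, sorted(pending)

if __name__ == "__main__":
    wrong, unanswered = check_das_replies(SAMPLE, "172.16.255.1")
    for f in wrong:
        print("reply to {nac} sourced from {actual_src} via {egress}, "
              "expected {expected_src}".format(**f))
    for nac_ip, nac_port in unanswered:
        print(f"no reply captured for request from {nac_ip}:{nac_port}")
```

An empty first list after the radius-das restart indicates replies are again sourced from the loopback address.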

