Troubleshooting Tip: FSSO TS Agent reports logins with localhost IP like 127.0.0.1 or APIPA IP like 169.254.x.y

Description

This article explains under what circumstances TS Agent may report user logins with an incorrect source IP address, and possible solutions for this issue.

Scope

FSSO TS Agent version 5.0.0323 and higher.

Solution

FSSO TS Agent version 5.0.0323 introduces a change in how the TS Agent detects its host's IP address, and possible changes to it.

During TS Agent startup, this can lead to a race condition between the terminal server hosting the TS Agent receiving an IP address via DHCP, and the TS Agent checking for its host's IP address.

If there is a delay in the terminal server receiving an IP via DHCP, this leads to the TS Agent identifying its host's IP address as the localhost IP address (127.0.0.1) or an IP address in the APIPA range (169.254.x.x).

The TS Agent then sends login information to Collector Agent/FortiAuthenticator linking the user sessions to this source IP, rather than the terminal server's actual IP address.

A new registry key has been introduced to allow TS Agent to check for IP changes more reliably. The key is not created by default and must be added manually in the registry under 'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Fortinet\FSAE\TSAgent'. The key must be of type 'DWORD', named 'AddressChangeDetect', and set to value 1. After the key is added, the TS Agent service must be restarted for it to take effect.

Registry location