Troubleshooting Tip: Users randomly fail to connect to SSLVPN with MFA using RADIUS authentication
Description
Users randomly fail to connect to SSLVPN with 2FA/MFA using a RADIUS authentication service.
'Login failed' is visible in the event logs, with messages similar to 'sslvpn_login_unknown_user' or 'Timeout for connection …' while performing a debug on the FortiGate with these commands:
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application sslvpn -1
diagnose debug application fnbamd -1
diagnose debug enable
This issue occurs when an increased number of authentication requests from the SSL VPN service towards the RADIUS authentication server delays the RADIUS server's responses beyond the FortiGate's authentication timeout.
This article describes how to avoid this issue.
Scope
FortiGate.
Solution
The default authentication timeout is 5 seconds on most FortiGates.
The authentication timeouts can be increased to allow the FortiGate to wait longer for the RADIUS server to reply to authentication requests.
Modify settings with the following commands:
config system global
    set remoteauthtimeout 30
end
config user radius
    edit <RADIUS Server>
        set timeout 30
    next
end
The best timeout value for the environment can be determined from the timestamped debug output: check how long the RADIUS server takes to respond to each query and choose a timeout that covers the slowest observed response.
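To make that measurement repeatable, the following added example (not FortiGate code) pairs each RADIUS request with its reply or timeout in timestamped debug output and derives a timeout with headroom. It assumes the 'YYYY-MM-DD HH:MM:SS' prefix added by 'diagnose debug console timestamp enable'; the message wording in the sample is constructed to show the pairing logic and is not verbatim fnbamd output.

```python
import math
import re
from datetime import datetime

# Constructed sample (not a real capture): one fast reply, one slow reply,
# and one request that hits the FortiGate-side timeout.
SAMPLE_DEBUG = """\
2024-03-01 09:15:02 fnbamd radius request sent server=RADIUS-1 user=alice
2024-03-01 09:15:03 fnbamd radius reply received server=RADIUS-1 user=alice
2024-03-01 09:15:10 fnbamd radius request sent server=RADIUS-1 user=bob
2024-03-01 09:15:22 fnbamd radius reply received server=RADIUS-1 user=bob
2024-03-01 09:15:30 fnbamd radius request sent server=RADIUS-1 user=carol
2024-03-01 09:16:00 fnbamd Timeout for connection server=RADIUS-1 user=carol
"""

# Timestamp prefix, then the event keyword, then the user (assumed wording).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"(?P<event>request sent|reply received|Timeout for connection).*?user=(?P<user>\S+)"
)
TS_FMT = "%Y-%m-%d %H:%M:%S"


def radius_latencies(debug_text):
    """Return {user: (seconds_waited, 'reply' | 'timeout')} per request."""
    pending = {}  # user -> timestamp of the outstanding request
    results = {}
    for line in debug_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        user, event = m.group("user"), m.group("event")
        if event == "request sent":
            pending[user] = ts
        elif user in pending:
            waited = (ts - pending.pop(user)).total_seconds()
            results[user] = (waited, "reply" if event == "reply received" else "timeout")
    return results


def suggest_timeout(results, floor=5, margin=2.0):
    """Timeout (s) covering the slowest answered request with headroom.

    Timed-out requests carry no usable latency, so only replies count;
    'floor' is the FortiGate default of 5 seconds.
    """
    answered = [sec for sec, status in results.values() if status == "reply"]
    return floor if not answered else max(floor, math.ceil(max(answered) * margin))
```

Run it against a real debug capture and compare the suggested value with the 30 seconds used above; a large number of timeouts with few slow replies points at the RADIUS server or the path to it rather than at the FortiGate timeout.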
Related documents:
System global - FortiGate 6.2.1 CLI reference
User RADIUS - FortiGate 6.2.1 CLI reference
SSL VPN with RADIUS and FortiToken - FortiGate 6.0.0 cookbook
Configuring FortiClient VPN with Multi-factor authentication - FortiGate Azure Cookbook
Technical Tip: Explanation of auth-timeout types for Firewall authentication users
