SFW
Visitor III
July 17, 2025
Solved

Active Directory Connector cannot connect but the LDAP is connected successfully

  • 5 replies
  • 1705 views

FortiGate-81F # diagnose debug fsso-polling detail
AD Server Status(err: server can not be accessible):
ID=1, name(172.18.0.1),ip=172.18.0.1, port=0, source(security), users(IPv4:0, IPv6:0),
username=swd\lcloperator2
read log eof=0, latest logon timestamp: Thu Jan 1 03:00:00 1970

polling frequency: every 10 second(s), success(0), fail(106)
LDAP status: init

LDAP query: success(0), fail(0)
LDAP max group query period(seconds): 0


This is the branch location firewall; the AD is in the DC location.
I also checked the Fortinet documents but still didn't find any solution.
Can you please help me with this?

Note: Agentless polling mode

5 replies

AEK
SuperUser
July 17, 2025

Your FGT seems not able to connect to your DC.

Go to menu User & Device > LDAP Server, then edit the related LDAP server config.

You will probably find "Connection status: Can't contact LDAP server".

You will need to fix this before doing FSSO.

AEK
SFW (Author)
Visitor III
July 20, 2025

[Screenshot: Screenshot 2025-07-20 101648.png]

It's showing Connection is Success, but the external is not connected.

 

sjoshi
Staff (Best answer)
July 20, 2025

Hi,

Please refer to the article below and follow the troubleshooting steps:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-troubleshoot-FSSO-agentless-polling/ta-p/214349

You may share the sniff.

Check communication between FortiGate and the DC on TCP port 445.

diagnose sniffer packet any "host <DC IP> and port 445" 4 0 a

Also, how is the branch FGT communicating with the DC FGT, via IPSEC TNL?

Thanks, Salon
SFW (Author)
Visitor III
July 21, 2025

Note: Yes, it's via IPSEC TNL; it's a dial-up VPN we created.

RBH-FGT1 # diagnose sniffer packet any "host 172.18.0.1 and port 445" 4
interfaces=[any]
filters=[host 172.18.0.1 and port 445]
6.889776 RABIK_TO_HUB1 out 192.168.2.83.10040 -> 172.18.0.1.445: syn 2697289446
7.887064 RABIK_TO_HUB1 out 192.168.2.83.10040 -> 172.18.0.1.445: syn 2697289446
9.887067 RABIK_TO_HUB1 out 192.168.2.83.10040 -> 172.18.0.1.445: syn 2697289446
^C
3 packets received by filter
0 packets dropped by kernel


sjoshi
Staff
July 21, 2025

From the pcap shown here, the traffic is leaving the branch FGT but there is no response back. You can take the same sniff on the HUB FGT and see if it is receiving the traffic and replying back.

Verify the firewall policy on the hub side.

Thanks, Salon
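As an added example (not from the thread, Fortinet, or any poster), a small Python parser that reads FortiGate "diagnose sniffer packet ... 4" output like the capture above and flags client-to-server flows where SYNs were sent but no SYN-ACK ever came back, the one-way pattern sjoshi points out. The embedded capture is a constructed copy of the lines in the post; the line-format regex is an assumption about the sniffer's verbosity-4 output, not a Fortinet specification.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's "diagnose sniffer packet ... 4" output:
# three SYN retransmissions from the branch FGT to the DC on TCP/445 and no SYN-ACK back.
SAMPLE_CAPTURE = """\
interfaces=[any]
filters=[host 172.18.0.1 and port 445]
6.889776 RABIK_TO_HUB1 out 192.168.2.83.10040 -> 172.18.0.1.445: syn 2697289446
7.887064 RABIK_TO_HUB1 out 192.168.2.83.10040 -> 172.18.0.1.445: syn 2697289446
9.887067 RABIK_TO_HUB1 out 192.168.2.83.10040 -> 172.18.0.1.445: syn 2697289446
3 packets received by filter
0 packets dropped by kernel
"""
# Assumed packet line shape: "<time> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <flags seq/ack>"
PKT_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s*(?P<rest>.*)$"
)

def parse_capture(text):
    """Yield one dict per packet line; the header and summary lines are skipped."""
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if not m:
            continue
        pkt = m.groupdict()
        tokens = set(pkt.pop("rest").split())          # e.g. {"syn", "2697289446"}
        pkt["syn"], pkt["ack"] = "syn" in tokens, "ack" in tokens
        yield pkt

def analyze_capture(text, server_port="445"):
    """Group packets into (client, cport, server, sport) flows and compare SYNs out with SYN-ACKs in."""
    flows = defaultdict(lambda: {"syn_out": 0, "synack_in": 0})
    for pkt in parse_capture(text):
        if pkt["dport"] == server_port and pkt["syn"] and not pkt["ack"]:      # client -> server SYN
            flows[(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])]["syn_out"] += 1
        elif pkt["sport"] == server_port and pkt["syn"] and pkt["ack"]:        # server -> client SYN-ACK
            flows[(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])]["synack_in"] += 1
    result = {}
    for key, c in flows.items():
        if c["synack_in"]:
            verdict = "handshake answered"
        else:
            verdict = f"{c['syn_out']} SYN(s) sent, no SYN-ACK: check the return path and far-side policy"
        result[key] = dict(c, verdict=verdict)
    return result
```

Run `analyze_capture` on a capture taken on the hub side as well: if the hub sees the SYNs but its own flow shows no SYN-ACK, the block is on the hub or the DC rather than on the tunnel.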
AEK
SuperUser
July 21, 2025

Which FortiOS version?

AEK
SFW (Author)
Visitor III
July 21, 2025

7.4.7

AEK
SuperUser
July 21, 2025

I see you are using an IP in the LDAP server config.

Can you try using a hostname with a certificate instead?

AEK
AEK
SuperUser
July 21, 2025

Can you confirm that in the LDAP server config the "Test User Credentials" test works successfully?

AEK
SFW (Author)
Visitor III
July 21, 2025

[Screenshot: Screenshot 2025-07-21 162207.png]

Tested Successfully

AEK
SuperUser
July 21, 2025

Can you check if 172.18.0.1 allows FGT to connect to port 445 TCP?

You can try a telnet test from FGT to DC:445. 

AEK