FAC/FSSO Ip address conflict

Forum|Forum|2 months ago
March 27, 2026
2 replies
109 views

Hi,

I use the FortiClient Single Sign-On Mobility Agent and I am facing an issue: FAC registers all user IP addresses.
Let’s consider two users: one connected remotely through VPN and one connected from the corporate LAN. The home network IP address of the remote user overlaps with the IP address of the user in the corporate LAN. As a result, one of the users is removed from FortiGate/FAC with the following error:
Internally logoff and removing FortiClient item 11024-HR.xxx.xxx:192.168.12.26 [xxx.xxx/jshith] (all IPs conflicting).
I believe that during the initial FAC/EMS configuration I chose the option to register all IP addresses, but now I cannot find this setting. I am not sure whether I am simply overlooking it or whether it disappeared after an update.
How should this be handled?

Regards,

Lukasz

AEK

SuperUser

Hi Lukis

I don't know the solution for not to register all IP addresses, but the most clean way here is to avoid network overlap. For example I believe 192.168.x.x is good for home network but not really suitable for corporate network.

AEK

kgurbuz

Staff

Hi Lukasz,

There is a registry key that you can tell agent to send only the VPN tunnel IP if VPN is up.

address_category

DWORD

00000001
00000000

Only send VPN tunnel IP if VPN is up (interface IPs are NOT sent to FortiAuthenticator), 1=Enabled, 0=Disabled
Not available on standalone SSO Mobility Agent!

https://community.fortinet.com/t5/FortiAuthenticator/Technical-Guide-A-detailed-guide-to-FSSO-Mobility-Agent/ta-p/428712#install_fssoma

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded