jogyulas
New Member
July 12, 2024
Solved

forti resets tacacs+ TCP handshake after syn+ack

  • July 12, 2024
  • 1 reply
  • 2076 views

Hi,

I am facing a strange issue regarding Tacacs setup:

It works well without any problem with a specific server (which is a Cisco ISE PSN), and my login attempts are seen in Cisco ISE Live logs.
But when I configure another PSN, I can log in to the device, but my attempts are not seen in Cisco ISE Live logs. It's also strange that when I test it with 'diagnose test authserver tacacs+...' my login test/attempt is seen in ISE Live logs.

I have captured traffic on this firewall to see what happens on packet level and found that when login attempt is not seen in Cisco ISE Live logs then firewall simply resets connection during TCP handshake right after syn+ack packet coming from PSN. So connection is not established at all.

Thanks,

1 reply

pminarik
Staff
July 12, 2024

How long does it take, precisely, from the SYN to the RST?
This could be a timeout issue; you may want to try tweaking these values:

config system global
    set remoteauthtimeout x (default is 5, in seconds)
    set ldapconntimeout x (default is 500, in milliseconds; don't let the name fool you, it should be relevant :) )
end

jogyulas (Author)
New Member
July 12, 2024

thank you for your prompt help.

actually I also thought that it could be a latency problem even if the gap between syn and syn+ack packets is not more than 500 milliseconds.
I set remoteauthtimeout to 10 and ldapconntimeout to 5000 but I am still experiencing this issue :\
739.989542 wan2 out x.x.x.x.11422 -> y.y.y.y.49: syn 3499347805
740.133811 wan2 in y.y.y.y.49 -> x.x.x.x.11422: syn 1233737855 ack 3499347806
740.133897 wan2 out x.x.x.x.11422 -> y.y.y.y.49: rst 3499347806
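To answer the "how long from SYN to RST" question from a capture like the one above, here is an added helper (not from the thread or from Fortinet) that parses FortiGate-style sniffer lines, follows each TCP handshake, and reports its outcome with the SYN-to-SYN/ACK and SYN-to-RST delays in milliseconds. The sample input is constructed: the three quoted lines plus a made-up successful handshake to a second server (z.z.z.z) for contrast.

```python
import re

# Constructed sample in the style of FortiGate "diagnose sniffer packet" output:
# the three lines quoted above plus a second, successful handshake for contrast.
SAMPLE = """\
739.989542 wan2 out x.x.x.x.11422 -> y.y.y.y.49: syn 3499347805
740.133811 wan2 in y.y.y.y.49 -> x.x.x.x.11422: syn 1233737855 ack 3499347806
740.133897 wan2 out x.x.x.x.11422 -> y.y.y.y.49: rst 3499347806
741.000000 wan2 out x.x.x.x.11423 -> z.z.z.z.49: syn 100
741.050000 wan2 in z.z.z.z.49 -> x.x.x.x.11423: syn 200 ack 101
741.050100 wan2 out x.x.x.x.11423 -> z.z.z.z.49: ack 201
"""

LINE = re.compile(r"^(?P<ts>\d+\.\d+)\s+\S+\s+(?:in|out)\s+(?P<src>\S+)\.(?P<sport>\d+)"
                  r"\s+->\s+(?P<dst>\S+)\.(?P<dport>\d+):\s+(?P<flags>.*)$")

def parse_handshakes(text):
    """Track every TCP handshake in the capture, keyed by ((client, port), (server, port))."""
    flows = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a TCP line we understand
        ts, flags = float(m["ts"]), set(m["flags"].split())
        a, b = (m["src"], int(m["sport"])), (m["dst"], int(m["dport"]))
        if "syn" in flags and "ack" not in flags:  # bare SYN: the initiator is the client
            flows[(a, b)] = {"syn": ts, "synack": None, "outcome": "pending", "end": None}
            continue
        if (a, b) in flows:
            key, from_client = (a, b), True
        elif (b, a) in flows:
            key, from_client = (b, a), False
        else:
            continue  # flow whose SYN was not captured
        f = flows[key]
        if f["outcome"] != "pending":
            continue
        if "syn" in flags and "ack" in flags and not from_client:
            f["synack"] = ts
        elif "rst" in flags:  # the thread's case: client RST right after the SYN/ACK
            f["outcome"], f["end"] = ("reset_by_client" if from_client else "reset_by_server"), ts
        elif "ack" in flags and from_client and f["synack"] is not None:
            f["outcome"], f["end"] = "established", ts
    return flows

def summarize(flows):
    """Per flow: outcome plus SYN->SYN/ACK and SYN->deciding-packet delays in ms."""
    ms = lambda t0, t1: None if t1 is None else round((t1 - t0) * 1000, 3)
    return [{"client": f"{c[0]}:{c[1]}", "server": f"{s[0]}:{s[1]}", "outcome": f["outcome"],
             "synack_ms": ms(f["syn"], f["synack"]), "end_ms": ms(f["syn"], f["end"])}
            for (c, s), f in flows.items()]
```

On the quoted capture the first flow comes out as reset_by_client roughly 144 ms after the SYN and well under a tenth of a millisecond after the SYN/ACK, which is far too fast for a 500 ms or 5 s timeout to be the cause.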

pminarik (Answer)
Staff
July 16, 2024

Is this the only available authentication server?
If there's another one, then perhaps you're getting this quick RST because the FortiGate has already received a valid reply from the other authentication server.