FSSO Authentication Errors

Forum|Forum|14 years ago
January 24, 2012
3 replies
8971 views

We are running three DC' s. All DC' s have the agent being pushed down to them from our FSAE server. We have been having trouble with FSSO logins working since the Fortigate appliance has been installed over a month ago. We are on firmware version v4.0,build0482,110920 (MR3 Patch 2). On the collector agent, we are seeing an error message of

01/24/2012 08:21:08 [ 736] FortiGate disconnected 01/24/2012 08:21:12 [ 756] FortiGate:FGT1KB3N11600085 connected. 01/24/2012 08:21:27 [ 1388] Connection to FGT closed. return code:-1 last error:10054 01/24/2012 08:21:28 [ 1388] FortiGate disconnected 01/24/2012 08:21:34 [ 800] FortiGate:FGT1KB3N11600085 connected. 01/24/2012 08:21:47 [ 756] Connection to FGT closed. return code:-1 last error:10054 01/24/2012 08:21:48 [ 756] FortiGate disconnected 01/24/2012 08:22:06 [ 1276] FortiGate:FGT1KB3N11600085 connected."

This message has been constant over the past day. I have made sure the times are in sync on the FSAE server and DC' s. I have verified that the collector agent is actively running on the FSAE server and it is communicating with all three domain controllers. I am just looking for any suggestions that could possibly lead us to the solution, or at least get us on track to find the right solution. I greatly appreciate any help with anything. Thanks so much in advance!!!! :-) Also, we have been getting time-outs under the " Event Log" under our VDOM with FSSO. It seems like authentication is timing out very fast.

1 2012-01-24 08:37:17 notice (10.11.0.254) authentication User from 10.11.0.254 was timed out 2 2012-01-24 08:37:12 notice (10.11.0.254) FSSO-auth AD group user failed in authentication 3 2012-01-24 08:37:05 notice (10.11.0.254) authentication User from 10.11.0.254 was timed out 4 2012-01-24 08:37:00 notice (10.11.0.254) FSSO-auth AD group user failed in authentication 5 2012-01-24 08:36:58 notice (10.11.0.254) authentication User from 10.11.0.254 was timed out 6 2012-01-24 08:36:53 notice (10.11.0.254) FSSO-auth AD group user failed in authentication 7 2012-01-24 08:36:50 notice (10.11.0.254) authentication User from 10.11.0.254 was timed out 8 2012-01-24 08:36:45 notice (10.11.0.254) FSSO-auth AD group user failed in authentication 9 2012-01-24 08:36:38 notice (10.11.0.254) authentication User from 10.11.0.254 was timed out 10 2012-01-24 08:36:33 notice (10.11.0.254) FSSO-auth AD group user failed in authentication 11 2012-01-24 08:36:31 notice (10.11.0.254) authentication User from 10.11.0.254 was timed out

Shown above is just one user, but we have thousands, so this is a small piece to the big picture. :D Thanks!! :)

denache

New Member

Check step 2.1 from Technical Note: FSAE Troubleshooting Guide http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&externalId=FD31819

dlovellitAuthor

New Member

Thank you sooo much!! It turned out to be an issue with routing. Since there are two ports for internet traffic and one management, the internet inbound in to fortigate and the management port were in the same VLAN. This made it route traffic to both of the interfaces instead of just management traffic on the management port, and internet traffic on the internet ports. So to fix it, I just put the management port in to a different VLAN. Now, it seems like everything is being routed appropriately, but the FSAE collector agent and the fortigate appliance will not stay connected. :( lol

dlovellitAuthor

New Member

Okay, I figured that part out. We do not have our Internet traffic ports plugged in since they are causing so many issues. I am a little confused though. Whenever you have an IP address assigned to a management interface in the management VDOM, how would the Internet VDOM receive and send the FSSO information since it does not have any layer 3 addressing to communicate with the FSAE collector agent? Do the two different VDOM' s communicate somehow?

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded