FortiCloud Products
simonz_FTNT
Staff
Article Id 369317
Description

This article describes how to troubleshoot users who intermittently fail to authenticate through FortiAuthProxy. Because the failures are intermittent, the configuration itself is correct and some other factor is causing the problem.

Scope

FortiAuthProxy.

Solution

First, look at the log stored in /var/log/ftnt/ with the filename fortiauthproxy.log, using the command below:


tail -f /var/log/ftnt/fortiauthproxy.log

Check whether the following error message (a bind request followed by an unhandled LDAPClientConnectionLostException traceback) appears:


2024-12-19 16:36:48-0800 [fldap_proxy,487,10.160.78.46] Request.dn = b'CN=Test User1,OU=TST,DC=test,DC=com'
2024-12-19 16:36:48-0800 [fldap_proxy,487,10.160.78.46] username = Test User1
2024-12-19 16:36:48-0800 [fldap_proxy,487,10.160.78.46] == handleBeforeForwardRequest ==> LDAPBindRequest(version=3, dn=b'CN=Test User1,OU=TST,DC=test,DC=com', auth=****, sasl=False)
2024-12-19 16:36:48-0800 [-] Unhandled error in Deferred:
2024-12-19 16:36:48-0800 [-] Unhandled Error
        Traceback (most recent call last):
          File "/usr/lib/python3/dist-packages/twisted/internet/defer.py", line 857, in _runCallbacks
            current.result = callback( # type: ignore[misc]
          File "/usr/local/lib/python3.10/dist-packages/ldaptor/protocols/ldap/proxybase.py", line 145, in _forwardRequestToProxiedServer
            d.addCallback(forwardit, reply)
          File "/usr/lib/python3/dist-packages/twisted/internet/defer.py", line 497, in addCallback
            return self.addCallbacks(callback, callbackArgs=args, callbackKeywords=kwargs)
          File "/usr/lib/python3/dist-packages/twisted/internet/defer.py", line 477, in addCallbacks
            self._runCallbacks()
        --- <exception caught here> ---
          File "/usr/lib/python3/dist-packages/twisted/internet/defer.py", line 857, in _runCallbacks
            current.result = callback( # type: ignore[misc]
          File "/usr/local/lib/python3.10/dist-packages/ldaptor/protocols/ldap/proxybase.py", line 130, in forwardit
            d2 = self.client.send_multiResponse(
          File "/usr/local/lib/python3.10/dist-packages/ldaptor/protocols/ldap/ldapclient.py", line 128, in send_multiResponse
            msg = self._send(op)
          File "/usr/local/lib/python3.10/dist-packages/ldaptor/protocols/ldap/ldapclient.py", line 81, in _send
            raise LDAPClientConnectionLostException()
        ldaptor.protocols.ldap.ldapclient.LDAPClientConnectionLostException: Connection lost

If the above error message appears in the log, the problem is caused by an LDAP timeout on the client side (the LDAP client that connects to FortiAuthProxy).

Increase the LDAP client timeout value to more than 60 seconds, preferably 90 seconds. Refer to the LDAP client's user guide for how to configure the timeout, as the setting goes by different names in different products, for example:


Aruba ClearPass: Server timeout setting.
FortiAuthenticator: LDAP Server Response Timeout.
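As an added example (not part of the article or of FortiAuthProxy itself), the script below scans fortiauthproxy.log for the pattern shown above and reports which client IP and bind DN preceded each connection-lost traceback, so you can see which LDAP client's timeout needs raising and how often each client is affected. The sample log is constructed from the article's lines plus one healthy bind from an assumed client 10.0.0.2; the attribution of each traceback to the most recent bind request is a heuristic.

```python
import re
from collections import defaultdict

# Prefix of a normal line: "<date> <time-tz> [<component>,<conn-id>,<client-ip>] <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<ctx>[^\]]*)\] (?P<msg>.*)$")
BIND_RE = re.compile(r"LDAPBindRequest\(.*?dn=b'(?P<dn>[^']*)'")
# Final line of the traceback the article describes.
LOST = "LDAPClientConnectionLostException: Connection lost"


def find_lost_binds(lines):
    """Return (timestamp, client_ip, bind_dn) for every bind request that is
    followed by a connection-lost traceback. Heuristic: the traceback is not
    tagged with a connection id, so it is attributed to the most recent bind."""
    pending, lost = None, []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ctx = m.group("ctx").split(",")
            b = BIND_RE.search(m.group("msg"))
            if b and len(ctx) == 3:  # [component, conn-id, client-ip]
                pending = (m.group("ts"), ctx[2], b.group("dn"))
                continue
        if LOST in line and pending is not None:
            lost.append(pending)
            pending = None
    return lost


def count_by_client(lost):
    """Number of connection-lost binds per client IP (who needs a longer timeout)."""
    counts = defaultdict(int)
    for _, ip, _ in lost:
        counts[ip] += 1
    return dict(counts)


# Constructed sample: the article's bind and traceback from 10.160.78.46, then a
# healthy bind from an assumed client 10.0.0.2 that produces no error.
SAMPLE_LOG = """\
2024-12-19 16:36:48-0800 [fldap_proxy,487,10.160.78.46] Request.dn = b'CN=Test User1,OU=TST,DC=test,DC=com'
2024-12-19 16:36:48-0800 [fldap_proxy,487,10.160.78.46] == handleBeforeForwardRequest ==> LDAPBindRequest(version=3, dn=b'CN=Test User1,OU=TST,DC=test,DC=com', auth=****, sasl=False)
2024-12-19 16:36:48-0800 [-] Unhandled error in Deferred:
2024-12-19 16:36:48-0800 [-] Unhandled Error
        Traceback (most recent call last):
          File "/usr/local/lib/python3.10/dist-packages/ldaptor/protocols/ldap/ldapclient.py", line 81, in _send
            raise LDAPClientConnectionLostException()
        ldaptor.protocols.ldap.ldapclient.LDAPClientConnectionLostException: Connection lost
2024-12-19 16:37:02-0800 [fldap_proxy,488,10.0.0.2] == handleBeforeForwardRequest ==> LDAPBindRequest(version=3, dn=b'CN=Test User2,OU=TST,DC=test,DC=com', auth=****, sasl=False)
"""

if __name__ == "__main__":
    found = find_lost_binds(SAMPLE_LOG.splitlines())
    for ts, ip, dn in found:
        print(f"{ts} client {ip} bind for {dn!r} hit connection lost")
    print(count_by_client(found))
```

To run it against a live log, replace SAMPLE_LOG.splitlines() with the lines read from /var/log/ftnt/fortiauthproxy.log.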