| Description | This article describes how the Collector agent configured on the FortiGate is not designed to operate in an Active-Active setup. |
| Scope | FortiGate |
| Solution |
The Collector agent does not function in either Active-Passive or Active-Active setups. If one of the configured servers becomes unreachable, the FortiGate will try to reach the other server in the same fabric connector, if configured. Refer to Technical Tip: FSSO Collector Agent failover configuration for more details.
If different servers are configured to monitor the same domains in different FSSO fabric connectors, the group information is fetched from the first server. The second server will not display any group information, as it detects the groups as duplicates, as shown below. The logs will indicate that the groups already exist.
Capture the logs using the following authd daemon, and observe similar output to the following:
diagnose debug reset diagnose debug application authd -1 diagnose debug console timestamp enable diagnose debug enable
To stop debugging:
diagnose debug disable diagnose debug reset
_process_ad_info[AJCH-NEWDCS]: group Auth_group4 exists (vd=WAN)
If the environment includes multiple FSSO Collector Agents, all agents must be configured identically to ensure that user identity information is correctly sent to the FortiGates.
All settings for the FSSO Collector Agents must be configured manually, except for group filters and ignored user lists.
These parameters can be synchronized between one Collector Agent and others. Synchronization is accomplished using the 'Sync configuration with other agents' option (a button in the FSSO Collector Agent Configuration GUI). This option allows group filters and ignored user lists to be pushed from the source FSSO Collector Agent to all selected agents.
Related articles: Technical Tip: FSSO Collector Agent failover configuration Technical Tip: FSSO Collector Agent - sync configuration with other agents |
