FortiGate
hvardhang
Staff
Article Id 193790

Description


There are a few common cases where the FSSO status shows down on the FortiGate.
This article describes these reasons.

 

Scope

 

FortiGate.

Solution

 

 
First, run an 'authd' debug to understand the reason:
 
diagnose debug disable
diagnose debug reset
diagnose debug application authd -1
diagnose debug enable
 
First possible reason: If the output 'server authentication failed, aborting' appears, the cause is a password mismatch between the FortiGate FSSO configuration and the FSSO Collector agent.
 
authd_timer_run: 1 expired
authd_epoll_work: timeout 9990
authd_epoll_work: timeout 9990
Server challenge:
 
Correct the password so that it is the same on both the FortiGate and the FSSO Collector agent. Ensure the password does not exceed 15 characters, which is the password length limit on the FSSO Collector agent.
 
Set the same password in the FortiGate FSSO configuration and on the FSSO Agent:
 
 
 
Alternatively, uncheck 'Require Authenticated connection from FortiGate' on the FSSO Collector Agent and try again.
 
Second possible reason: If the password is correct and this error is still experienced:


authd_epoll_work: timeout 7990

Server challenge:

7b 6e 93 2d 40 37 90 24 0a 00 0e 67 92 2a 82 06

MD5 response:

1b d7 74 10 cd 29 c5 e6 53 2b 6d de a0 c5 d1 1f

authd_epoll_work: timeout 7990

_process_auth[FSSO_collector]: server authentication failed, aborting
disconnect_server_only[FSSO_collector]: disconnecting

authd_epoll_work: timeout 7990

 

 

Third possible reason: If continuous timeouts are visible in the authd debug, run a sniffer to check whether any response is obtained from the FSSO Collector agent.
 
 
In the packet capture, a 'SYN' packet sent from the FortiGate interface IP 172.31.128.31 to 172.31.128.35 is visible.
However, there is no 'SYN+ACK' in return.
 
 
The reason for this is a communication issue between the FortiGate interface and the server on which the FSSO agent is installed.
If TCP port 8000 is already open on the network path between the two, allow the port through the Windows firewall on the server.

Make sure to have a Windows firewall rule similar to the following:
 
netsh advfirewall firewall add rule name="Fortinet FSSO" dir=in action=allow protocol=TCP localport=8000
Example:
PS C:\Users\Administrator> netsh advfirewall firewall show rule name="Fortinet FSSO"
Rule Name: Fortinet FSSO
----------------------------------------------------------------------
Enabled: Yes
Direction: In
Profiles: Domain,Private,Public
Grouping:
LocalIP: Any
RemoteIP: Any
Protocol: TCP
LocalPort: 8000
RemotePort: Any
Edge traversal: No
Action: Allow
Ok.
 
Run the following telnet command to confirm the establishment of communication:
 
execute telnet <FSSO_DC_IP> 8000
 
Here, 8000 is the port that was used for FSSO communication between FortiGate and the FSSO agent.


Check whether the Collector Agent is listening on TCP/8000 on the server:

 

netstat -ano | findstr :8000
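To make the two checks above repeatable, the following Python script (an added example, not part of the original article or of any Fortinet tool) classifies saved authd debug output into the failure types described in this article and performs the same TCP reachability test as the 'execute telnet' command. The sample log text is copied from the debug output shown in the article; the timeouts-only sample, the threshold of three timeouts and the function names are assumptions made for this example.

```python
import re
import socket

# Patterns taken from the authd debug lines shown in the article.
AUTH_FAILED = re.compile(r"server authentication failed, aborting")
TIMEOUT = re.compile(r"authd_epoll_work: timeout \d+")
CHALLENGE = re.compile(r"Server challenge:")

# Number of consecutive timeouts with no server challenge before we
# call the collector unreachable (assumed threshold for this example).
TIMEOUT_THRESHOLD = 3


def classify_authd_debug(lines, timeout_threshold=TIMEOUT_THRESHOLD):
    """Map authd debug lines to one of the failure types from the article.

    Returns one of:
      'password_mismatch'     - collector answered but rejected the shared password
      'no_response'           - only timeouts, collector never sent a challenge
      'handshake_in_progress' - challenge seen, no failure yet
      'inconclusive'          - not enough information in the captured lines
    """
    text = "\n".join(lines)
    if AUTH_FAILED.search(text):
        return "password_mismatch"
    if CHALLENGE.search(text):
        return "handshake_in_progress"
    if len(TIMEOUT.findall(text)) >= timeout_threshold:
        return "no_response"
    return "inconclusive"


def tcp_port_reachable(host, port, timeout=3.0):
    """Equivalent of 'execute telnet <host> <port>': True if a TCP
    handshake completes, False on refusal, unreachable host or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def start_local_listener():
    """Open a listening socket on an ephemeral loopback port so the
    reachability check can be demonstrated offline. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


# Debug output from the article's second example (password mismatch case).
PASSWORD_MISMATCH_LOG = """authd_epoll_work: timeout 7990
Server challenge:
7b 6e 93 2d 40 37 90 24 0a 00 0e 67 92 2a 82 06
MD5 response:
1b d7 74 10 cd 29 c5 e6 53 2b 6d de a0 c5 d1 1f
authd_epoll_work: timeout 7990
_process_auth[FSSO_collector]: server authentication failed, aborting
disconnect_server_only[FSSO_collector]: disconnecting
authd_epoll_work: timeout 7990""".splitlines()

# Constructed sample: repeated timeouts and no challenge (collector not answering).
NO_RESPONSE_LOG = ["authd_epoll_work: timeout 9990"] * 4


if __name__ == "__main__":
    print("password mismatch sample ->", classify_authd_debug(PASSWORD_MISMATCH_LOG))
    print("timeouts-only sample     ->", classify_authd_debug(NO_RESPONSE_LOG))
    srv, port = start_local_listener()
    print(f"127.0.0.1:{port} reachable while listening ->", tcp_port_reachable("127.0.0.1", port, 1.0))
    srv.close()
    print(f"127.0.0.1:{port} reachable after close     ->", tcp_port_reachable("127.0.0.1", port, 1.0))
```

In practice, paste the FortiGate authd debug output into a file and feed its lines to classify_authd_debug; a 'no_response' result points at the network path or the Windows firewall (third reason), while 'password_mismatch' points at the shared secret (first reason). Run tcp_port_reachable from a host on the same subnet as the FortiGate interface to separate a firewall block from a routing problem.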

 
Fourth possible reason: Traffic might be routed via the wrong interface/IP. In that case, make sure to configure the source IP under FSSO settings via CLI:
 
config user fsso
    edit "FAC"
        set server "10.9.10.31"
        set source-ip 10.9.11.33
    next
end

 

If the instructions above do not resolve the issue, create a support ticket with the Global Fortinet Team.

 

Related articles:

Technical Note : Allowing FSSO Ports when using Windows Server 2008 and higher.

Troubleshooting Tip: FortiGate cannot connect to FSSO Agent on Windows AD.

Technical Tip: Useful FSSO Commands.

Troubleshooting Tip: FSSO CA initial troubleshooting.

Technical Tip: How to Troubleshoot FSSO missing logins in FortiGate in DC agent mode.

Technical Tip: List-of-TCP-and-UDP-ports-used-by-the-FSSO