FortiGate
hvardhang
Staff
Article Id 193790

Description


There are a few common reasons why the FSSO status shows as down on the FortiGate.
This article describes these reasons and how to identify each one from the authd debug output.


Scope

 

FortiGate.

Solution

 
 
First, run the 'authd' debug to understand the reason:

diag debug application authd -1
diag debug enable

First possible reason: If the output 'server authentication failed, aborting' appears, the cause is a password mismatch between the FortiGate FSSO configuration and the FSSO Collector agent.
 
authd_timer_run: 1 expired
authd_epoll_work: timeout 9990
authd_epoll_work: timeout 9990
Server challenge:,.
 
Correct the password so that it is identical on the FortiGate and on the FSSO Collector agent. Ensure the password does not exceed 15 characters, which is the password length limit on the FSSO Collector agent.
 
Set the same password in the FortiGate FSSO server configuration and on the FSSO Collector Agent.

Alternatively, uncheck 'Require Authenticated connection from FortiGate' on the FSSO Collector Agent and try again.
 
Second possible reason: If the password is correct and the following error is still seen:


Server challenge:

7b 6e 93 2d 40 37 90 24 0a 00 0e 67 92 2a 82 06

MD5 response:

1b d7 74 10 cd 29 c5 e6 53 2b 6d de a0 c5 d1 1f

_process_auth[FSSO_collector]: server authentication failed, aborting
disconnect_server_only[FSSO_collector]: disconnecting

Third possible reason: If only continuous timeouts ('authd_epoll_work: timeout ...') are visible in the authd debug and no server challenge is ever received, run a sniffer to check whether any response is received from the FSSO Collector agent.

In the packet capture, a 'SYN' packet sent from the FortiGate interface IP 172.31.128.31 to 172.31.128.35 is visible.
However, there is no 'SYN+ACK' in return.
 
 
The reason for this is a communication issue between the FortiGate interface and the server on which the FSSO agent is installed.
If port 8000 is already open on the network path between the two, whitelist the port on the Windows personal firewall of the server.
 
Run the following telnet command from the FortiGate CLI to confirm that the connection can be established:

exe telnet <FSSO_DC_IP> 8000

Here, 8000 is the port used for FSSO communication between the FortiGate and the FSSO agent.
 
If the instructions above do not resolve the issue, create a support ticket with the Global Fortinet Team.
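As an added triage example (this script is not part of the article and not a Fortinet tool), the following Python code classifies captured 'diag debug application authd -1' output into the cases described above and returns the next check to perform. The debug messages and port 8000 come from the article; the cause names, the min_timeouts threshold and the fsso_port_reachable helper are assumptions of this example, and the sample debug text is constructed to mirror the article's excerpts.

```python
"""Triage helper for FortiGate 'diag debug application authd -1' output.

Added example, not from the article or from Fortinet. It maps captured authd
debug text to the failure patterns the article describes (authentication
failure vs. no response from the collector) and returns the next check.
"""
import re
import socket
from dataclasses import dataclass

# Patterns taken from the authd debug messages shown in the article.
AUTH_FAILED = re.compile(r"server authentication failed, aborting")
CHALLENGE = re.compile(r"Server challenge:")
TIMEOUT = re.compile(r"authd_epoll_work: timeout \d+")
FSSO_PORT = 8000  # port used between FortiGate and the FSSO Collector agent


@dataclass
class Verdict:
    cause: str        # "auth_failed", "no_response" or "unknown" (assumed names)
    timeouts: int     # number of authd_epoll_work timeout lines seen
    next_check: str   # what the article says to verify next


def classify_authd_debug(debug_text: str, min_timeouts: int = 3) -> Verdict:
    """Map authd debug output to one of the article's failure cases.

    min_timeouts is an assumed threshold: fewer timeout lines than this
    are treated as inconclusive rather than as a missing collector.
    """
    lines = debug_text.splitlines()
    timeouts = sum(1 for line in lines if TIMEOUT.search(line))
    challenge_seen = any(CHALLENGE.search(line) for line in lines)

    if any(AUTH_FAILED.search(line) for line in lines):
        # The collector answered the challenge but rejected the MD5 response:
        # the FSSO password on FortiGate and on the collector differ.
        return Verdict("auth_failed", timeouts,
                       "Check that the FSSO password matches on FortiGate and the "
                       "collector agent and is at most 15 characters, or uncheck "
                       "'Require Authenticated connection from FortiGate'.")
    if timeouts >= min_timeouts and not challenge_seen:
        # Only timers expiring and never a server challenge: the collector is
        # not answering at all, so look at the network path or host firewall.
        return Verdict("no_response", timeouts,
                       "Sniff TCP/8000 for SYN without SYN+ACK, test with "
                       "'exe telnet <FSSO_DC_IP> 8000' and open port 8000 on the "
                       "Windows firewall of the collector server.")
    return Verdict("unknown", timeouts,
                   "Pattern not recognised; collect the full debug and escalate.")


def fsso_port_reachable(host: str, port: int = FSSO_PORT, timeout: float = 3.0) -> bool:
    """TCP reachability check, the equivalent of 'exe telnet <host> 8000'
    when run from a host other than the FortiGate (assumed helper)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed samples modelled on the article's debug excerpts.
SAMPLE_PASSWORD_MISMATCH = """\
Server challenge:
7b 6e 93 2d 40 37 90 24 0a 00 0e 67 92 2a 82 06
MD5 response:
1b d7 74 10 cd 29 c5 e6 53 2b 6d de a0 c5 d1 1f
_process_auth[FSSO_collector]: server authentication failed, aborting
disconnect_server_only[FSSO_collector]: disconnecting
"""

SAMPLE_NO_RESPONSE = """\
authd_timer_run: 1 expired
authd_epoll_work: timeout 9990
authd_epoll_work: timeout 9990
authd_epoll_work: timeout 9990
"""

if __name__ == "__main__":
    for name, sample in (("mismatch", SAMPLE_PASSWORD_MISMATCH),
                         ("no response", SAMPLE_NO_RESPONSE)):
        v = classify_authd_debug(sample)
        print(f"{name}: {v.cause} ({v.timeouts} timeouts) -> {v.next_check}")
```

Paste the debug output captured from the FortiGate console into classify_authd_debug; the authentication-failure check runs first because that output also contains timeout lines before the server challenge arrives.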


Related articles:

Technical Note: Allowing FSSO Ports when using Windows Server 2008 and higher.

Troubleshooting Tip: FortiGate cannot connect to FSSO Agent on Windows AD.

Technical Tip: Useful FSSO Commands.

Troubleshooting Tip: FSSO CA initial troubleshooting.

Technical Tip: How to Troubleshoot FSSO missing logins in FortiGate in DC agent mode.