FortiGate
hvardhang (Staff)
Description
There are a few common reasons why the FSSO Collector Agent status shows as down on the FortiGate.

This article describes those reasons and how to identify each one from the authd debug output.

Solution


First, run the 'authd' debug to identify the reason:
#diag debug application authd -1
#diag debug enable
Turn the debug off again once the output has been collected ('diag debug disable' followed by 'diag debug reset'), as authd debugging at level -1 is verbose and should not be left running.

First reason.

If the output contains 'server authentication failed, aborting', the cause is a password mismatch between the FortiGate FSSO configuration and the FSSO Collector Agent. The debug shows the challenge/response exchange: the FortiGate answers the collector's challenge with an MD5 response derived from the configured password, the collector rejects it, and the FortiGate drops the connection:
# authd_timer_run: 1 expired
authd_epoll_work: timeout 9990
authd_epoll_work: timeout 9990
Server challenge:
    90 28 5e 51 37 45 50 5b ca 4e f8 72 cf 6a 97 75
MD5 response:
    d5 f0 6b ab 39 28 6e f2 39 19 cc c1 ba bd 66 d1
authd_epoll_work: timeout 9980
_process_auth[FSSO]: server authentication failed, aborting
disconnect_server_only[FSSO]: disconnecting
Correct the password so that it is identical on the FortiGate and on the FSSO Collector Agent.
On the FortiGate, the password is set in the FSSO agent entry (config user fsso, 'set password'); on the Collector Agent, it is the password configured under 'Require authenticated connection from FortiGate' in the Collector Agent configuration. Both must match exactly.

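As an added example (not part of the original article), the FortiGate side of the fix in FortiOS CLI, followed by the commands that force a reconnect and show the resulting agent status. The agent name 'FSSO_Collector' is an assumption, the IP 172.31.128.35 and port 8000 are taken from the sniffer output later in this article, and the password is a placeholder.

```text
# FortiOS CLI, added example. Agent name is assumed, password is a placeholder;
# the IP and port match the collector used in this article.
config user fsso
    edit "FSSO_Collector"
        set server "172.31.128.35"
        set port 8000
        set password <same password as configured on the Collector Agent>
    next
end

# Force the FortiGate to reconnect to the collector, then check the state.
# A matching password shows the agent as connected; a mismatch keeps it
# disconnected and reproduces the 'server authentication failed' line above.
diagnose debug authd fsso refresh-server
diagnose debug authd fsso server-status
```

Change the password on the Collector Agent first and then on the FortiGate (or the other way round); the status only recovers once both sides agree.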
Second reason.

If the authd debug shows only continuous timeout messages (authd_epoll_work: timeout ...) and no authentication exchange, run the packet sniffer to check whether any response is received from the FSSO Collector Agent.

In the sniffer output, a TCP 'SYN' packet sent from the FortiGate interface IP 172.31.128.31 to the collector agent at 172.31.128.35 (TCP port 8000) is visible, but no 'SYN+ACK' comes back.

This points to a communication problem between the FortiGate interface and the server on which the FSSO Collector Agent is installed: the FortiGate's connection attempt to TCP port 8000 is never answered.
Check routing and any intermediate firewall for TCP port 8000 first. If port 8000 is already open along the path, allow it in the Windows (host) firewall on the collector server, as described in the related article below.
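As an added example (not part of the original article), the sniffer command for this check in FortiOS CLI, with constructed sample output showing what a working path and the failing case described above look like. The IPs are the ones from this article; the interface name 'port1', the source ports and the sequence numbers are made up for illustration and are not a real capture.

```text
# FortiOS CLI, added example. Filter on the collector IP and the FSSO port;
# verbose level 4 prints the interface name, count 0 runs until Ctrl-C.
diagnose sniffer packet any 'host 172.31.128.35 and tcp port 8000' 4 0

# Working path (constructed sample): SYN out, SYN+ACK back from the collector.
#  0.713245 port1 out 172.31.128.31.60241 -> 172.31.128.35.8000: syn 2189034731
#  0.713902 port1 in 172.31.128.35.8000 -> 172.31.128.31.60241: syn 1022945117 ack 2189034732

# Failing case from this article (constructed sample): the same SYN is
# retransmitted with growing intervals and nothing ever comes back, which is
# what the authd timeouts correspond to.
#  1.002117 port1 out 172.31.128.31.60242 -> 172.31.128.35.8000: syn 3311820045
#  2.004331 port1 out 172.31.128.31.60242 -> 172.31.128.35.8000: syn 3311820045
#  4.008512 port1 out 172.31.128.31.60242 -> 172.31.128.35.8000: syn 3311820045
```

If the SYN leaves the expected interface but no SYN+ACK returns, the problem is beyond the FortiGate: check the path and the collector server's host firewall. If no SYN is seen at all, check the FortiGate's routing to 172.31.128.35 first.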
If the issue is not resolved by the cases above, create a support ticket with the Fortinet Global Support team.


Related Articles

Technical Note : Allowing FSSO Ports when using Windows Server 2008 and higher
