FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 229136



This article explains the global 'set remoteauthtimeout' and user radius 'set timeout', as well as how they work together.








The two timeout values have different uses:


  • remoteauthtimeout (global setting): defines the time the FortiGate will wait for a reply from an external authentication server.
  • timeout (radius setting): defines how long the FortiGate will wait before re-sending the same RADIUS Access-Request ID.


Consider a scenario where multiple RADIUS servers are in use, such as in the configuration below:


config user radius

edit "1"
set server ""
set secret ENC hY5pf3kB6I194o7Sxy5xvndg+XubFJsunCcJ6pK2e5zEtYT9DM/Xe+M6M3QV2jY6I/GvHYWCEOcKufrPTGmO9e/TCzGGREg3djgRFpQ7Kf1kONvZcxlUoLCY3lmVke6XavSThFfwU23nj9KUgosAFz65BxlBFS4zbf4+UWN9oh+RlkVMbJ5R9hZNegBdrsmbH8rqrQ==
set secondary-server ""
set secondary-secret ENC Rj8GoTTyJfLFq9/kESCUlFLIfyeGKP+ej6LuX+DgKQ9sD94PcpMoX78ghTnYfQMN5lb9Q2IiuTUtleSDAS+Mfrm22BHib7iGcD4CD8TcWtjiW79YMwuJOV9NCdkXhFsK+E8tsJ6LzRwJ+/v/iYSMRh3o6GnoKpxyuoMF+VmtCAjtqU8YGf1yAzhp9doNSu+b5qInHg==



The FortiGate will try to use server first and, after a certain period of time with no response (determined by remoteauthtimeout), will abort the attempt and connect to the second server,
The default value of remoteauthtimeout is 5 seconds.


get | grep remoteauthtimeout
remoteauthtimeout : 5


This means that, after 5 seconds, the FortiGate will use




However, there is a second timeout value that controls the interval that the FortiGate will wait before it queries the same server again. The value can be set under 'config user radius'. Its default setting is also 5 seconds.


config user radius

edit 1

get | grep timeout
timeout : 5


If both globals are set to their default, the FortiGate will make a second attempt to connect to the first server before aborting the attempt and connecting to the second server instead:




If remoteauthtimeout is changed to a higher value, the FortiGate will make as many attempts as 'set interval' fits into the value. For example, when remoteauthtimeout is 10 seconds and the default interval between retries is 5 seconds, FortiGate will attempt 2 retries before the secondary server is used:




Finally, if the timeout value under user radius is higher than remoteauthtimeout, no retry will be attempted. The secondary server will be used as soon as remoteauthtimeout is reached.


Take in consideration that these timers don't affect Wireless connection, because the Wifi cannot wait longer time to complete the authentication.


Example global change:


config system global

set remoteauthtimeout 10