FortiGate
TAlKhatib
Staff
Article Id 190598

Description

 

This article provides troubleshooting steps that can be used when encountering FSAE problems.
It is assumed the initial setup of FSAE has been completed.

The FSAE installation guide can be found on the Fortinet documentation site.


Solution


Overview:

The following chart shows an overview of the troubleshooting process:

Note: 'CA' in this article refers to the Collector agent.


[Image: TAlKhatib_FD31819_Overview.jpeg]

 

Branch Point 1: Check the FortiGate unit is connected to the collector agent.

 

The first requirement is the connection from the FortiGate unit to the collector agent.

The best way to verify the connectivity is by running the following CLI commands:


diagnose debug enable
diagnose debug authd fsae server-status

If the collector agent is not connected, proceed to branch point 2.
Otherwise go to the 'Group Check' section.

Branch Point 2: Check the Collector Agent is running

 

Opening the collector agent configuration interface displays the status of the collector agent service.
It is also possible to check by going to Administrative Tools -> Services -> Check the 'Fortinet Server Authentication Extension' service.

If the Collector agent is not running, go to section 'Collector agent not running'. Otherwise, proceed to section 'Collector Agent running but not connected'.

Section 1: Collector agent not running.


[Image: TAlKhatib_FD31819_CAnotRunning.jpeg]
Steps to follow:

 

  1. Check if the collector agent is using a domain administrator account: go to Administrative Tools -> Services -> Check the 'Fortinet Server Authentication Extension' service.

    If it is not using a domain administrator account, change the account.

  2. If another application is using the ports used by FSAE (ports 8000 and 8002 by default) the service will not start.

    This can be viewed in the collector agent logs.

    The article 'Troubleshooting Tip: Port conflict issues giving FSAE Collector Agent stopped message' provides additional information.

  3. Finally, checking the collector agent logs will show any other errors that are preventing the collector agent from starting.

 

Section 2: Collector Agent running but not connected.

 

[Image: TAlKhatib_FD31819_CArunning.jpeg]
Steps description:

 

  1. A common problem is a password mismatch between the FortiGate and the collector agent. Reset the password between the two devices.

     

    The password is set on the main page on the Collector agent and on the FortiGate unit by going to User -> Directory Service -> Edit FSAE connector -> Password.

  2. Another reason for the FortiGate not being able to connect to the collector agent is that a Firewall (host firewall or network firewall) is blocking the FSAE TCP port 8000.

    Make sure nothing is blocking the traffic between the FortiGate and the collector agent.

  3. A sniffer trace can be gathered on the FortiGate and the collector agent.

    The following command will start capturing traffic on the FortiGate:

 

diagnose sniffer packet any 'host <collector agent IP address> and port 8000'

 

It is also possible to check the FSAE process debug output on the FortiGate by using the commands:


diagnose debug enable
diagnose debug application authd 8256

Note: Ensure the server where the Agent is running has the latest updates/patches. Failure to run the latest patches could lead to this behavior.

Section 3: Group Check.

 

[Image: TAlKhatib_FD31819_GroupChecks.jpeg]


Steps description:

  1. If the groups are not visible on the collector agent, check the collector agent groups using 'group filter'. Verify the groups configuration.

  2. Verify if the groups on the FortiGate and the collector agent are using the same mode. More on FSAE modes can be found in the article 'FSAE Windows Directory Access Methods - Standard versus Advanced' (see the related articles section below).

  3. Proceed to branch point 3.

 

Branch Point 3: Check whether logon events are seen on the FortiGate.

 

The FortiGate will need to see the logon event when the user logs in to this PC.
It is possible to check if the FortiGate is receiving logon events by running the following commands:

diagnose debug enable
diagnose debug authd fsae list

If there are ANY users logged in, proceed to branch point 4.
Otherwise, proceed to the section 'Not seeing logon events'.

Section 4: Not seeing logon events.

 

[Image: TAlKhatib_FD31819_NotseeingLogons.jpeg]
Steps description:

 

 

  1. Make sure the DC agent is installed on ALL domain controllers.

     

    If there are any problems pushing out the DC agent, it is possible to refer to article 'Troubleshooting FSAE DC agent installation problems' for more info (See related articles).

    To confirm that the DC agent is installed, it is possible to refer to article 'Where is DCagent service' in the related articles.

  2. If an LDAP server has been configured on the FSAE connector (on the FortiGate go to User -> Directory Service -> Edit FSAE connector -> LDAP):

    Try disabling it and running the commands from branch point 3 again.
    An incorrectly configured LDAP server is a common cause for not seeing the logon events on the FortiGate.

  3. If this does not resolve the issue, open a support ticket.

Branch Point 4: Does the test user show up in the FSAE list?

 

Focusing on a single test user will help for further troubleshooting.
Information to collect about the 'test' user:

 

  • Account username of the user currently logged in.
  • IP address of the test host: It is possible to run 'ipconfig' to get the IP of the host.
  • Host DNS name: It is possible to run the command 'hostname' to get the host name.
  • Logon server name: This is the domain controller that the host used to authenticate. It is possible to get this info by running the command 'echo %logonserver%'.

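The following PowerShell script is an added example, not part of the Fortinet article, that collects the four test-host facts listed above in one run. It also goes a step further than the list: it compares the host's DNS A record with its local interface addresses, which is the multi-homed mismatch described under 'User in FSAE list' (the host resolves to one interface but sends traffic from another). It assumes a Windows 8 / Server 2012 or later host where Get-NetIPAddress and Resolve-DnsName are available.

```powershell
# Added example (not from the Fortinet article). Run on the test host as the
# logged-in domain user. Assumes the NetTCPIP and DnsClient modules that ship
# with Windows 8 / Server 2012 and later.

$user        = $env:USERNAME
$domain      = $env:USERDOMAIN
$hostName    = $env:COMPUTERNAME
$logonServer = $env:LOGONSERVER     # same value as 'echo %logonserver%'

# Every non-loopback, non-APIPA IPv4 address the host could send traffic from.
$localIPs = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
    Select-Object -ExpandProperty IPAddress

# What the collector agent will get when it resolves the host name to an IP.
# If DNS cannot resolve the name at all, $dnsIPs stays empty.
$dnsIPs = Resolve-DnsName -Name $hostName -Type A -ErrorAction SilentlyContinue |
    Where-Object { $_.QueryType -eq 'A' } |
    Select-Object -ExpandProperty IPAddress

"Test user    : $domain\$user"
"Host name    : $hostName"
"Logon server : $logonServer"
"Local IPv4   : $($localIPs -join ', ')"
"DNS A record : $($dnsIPs -join ', ')"

# Multi-homed check: any local address that DNS does not return is an address
# the FortiGate may see traffic from without a matching FSAE logon entry.
$unresolved = $localIPs | Where-Object { $dnsIPs -notcontains $_ }
if (-not $dnsIPs) {
    "WARNING: $hostName does not resolve in DNS; the collector agent cannot map the logon to an IP"
}
elseif ($unresolved) {
    "WARNING: traffic from $($unresolved -join ', ') will not match the IP learned via DNS ($($dnsIPs -join ', '))"
}
else {
    "OK: DNS and local interfaces agree"
}
```

Compare the 'Local IPv4' and 'DNS A record' lines with the IP shown for the user in 'diagnose debug authd fsae list'; a warning here explains the incorrect-IP case in the 'User in FSAE list' section.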
 

Once all information about the test host has been gathered, it is possible to run the following commands on the FortiGate:

diagnose debug enable
diagnose debug authd fsae list

If the user appears on the list, proceed to the 'User in FSAE list' section. Otherwise, proceed to the 'User not in FSAE list' section.

Section 5: User in FSAE list.

 

[Image: TAlKhatib_FD31819_Useronlist.jpeg]
Steps description:

 

 

  1. If the user is on the list but has an incorrect IP, it will be necessary to check the DNS settings on the DNS server.

    A common problem is with multi-homed hosts (i.e. hosts with more than one network interface).

    A multi-homed host may resolve its host name to the IP address of one interface while sending traffic out another.

    The FortiGate will receive traffic from the IP of the other interface and think the host is not authenticated.

  2. If the user does have the correct IP but not the correct groups, it is necessary to disable group caching on the collector agent. More on group caching, as well as how to disable this feature, can be found in 'New Feature in FSAE build 42 and later (Group caching)' (see related articles below).

  3. If the username, IP and groups are all correct but the user is still not able to access the Internet, the issue may be due to a Firewall Policy setting. See the article 'Only the first authenticated group allowed through policy' (see related articles below).

 

Section 6: User not in FSAE list.

 

[Image: TAlKhatib_FD31819_Usernotonlist.jpeg]
Steps description:

  1. Check the IP address of the host.

    If the IP is listed with the username of a service account, the service account is generating a logon event and is overriding the user's logon.

    A good article on this issue is 'Windows application forces to log-off the current user on FSAE and access through the FortiGate is blocked' (see related articles below).

  2. If the user recently moved to a new group try disabling group caching. More on group caching as well as how to disable this feature can be found on 'New Feature in FSAE build 42 and later (Group caching)' (see related articles below).

  3. Make sure the log level is set to 'information'. Start at the end of the file and search backwards for the IP of the test host. If not found, search for the username of the test host. If still not found, search for the hostname of the test host. If the host is found in any of the searches, proceed to subsection A. Otherwise, proceed to subsection B.
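The script below is an added example, not part of the Fortinet article, that performs step 3 with PowerShell instead of a text editor: it searches the collector agent log from the end backwards for the IP, then the username, then the hostname, and reports which subsection to continue with. The log lines in it are constructed for the example; the real collector agent log format differs, so the search strings and the log path are assumptions to replace with your own.

```powershell
# Added example (not from the Fortinet article). Implements the search order
# of Section 6 step 3: IP first, then username, then hostname, newest hit first.
function Find-TestHostInLog {
    param(
        [Parameter(Mandatory)][string[]]$Lines,      # log content, oldest line first
        [Parameter(Mandatory)][string]$IPAddress,
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$HostName
    )
    $searches = [ordered]@{ IP = $IPAddress; user = $UserName; host = $HostName }
    foreach ($key in $searches.Keys) {
        $needle = [regex]::Escape($searches[$key])   # literal match, not a regex
        # Walk from the last line backwards so the most recent entry wins.
        for ($i = $Lines.Count - 1; $i -ge 0; $i--) {
            if ($Lines[$i] -match $needle) {
                return [pscustomobject]@{
                    MatchedOn  = $key
                    LineNumber = $i + 1
                    Line       = $Lines[$i]
                    NextStep   = 'Subsection A: user found in collector agent logs'
                }
            }
        }
    }
    return [pscustomobject]@{
        MatchedOn  = $null
        LineNumber = 0
        Line       = $null
        NextStep   = 'Subsection B: user not found in collector agent logs'
    }
}

# Constructed sample log (not real collector agent output). Note the service
# account logon on the same host, the situation described in step 1 above.
$sampleLog = @(
    '2024-01-01 09:00:01 [info] DC agent connected from DC01',
    '2024-01-01 09:00:05 [info] logon event: user=EXAMPLE\svc_backup host=PC-TEST ip=192.0.2.25',
    '2024-01-01 09:00:09 [info] logon event: user=EXAMPLE\jdoe host=PC-TEST ip=192.0.2.25',
    '2024-01-01 09:00:12 [warn] host PC-TEST timed out on port 445'
)
$result = Find-TestHostInLog -Lines $sampleLog -IPAddress '192.0.2.25' -UserName 'jdoe' -HostName 'PC-TEST'
$result | Format-List

# Against a real log (placeholder path; use the log location configured on the agent):
# Find-TestHostInLog -Lines (Get-Content 'C:\path\to\collector-agent.log') -IPAddress '<ip>' -UserName '<user>' -HostName '<host>'
```

With the sample data the newest line containing the IP is the jdoe logon (line 3), so the result points to Subsection A; if the most recent entry for the IP had been the service account, that would be the overriding logon described in step 1.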

Subsection A: User found in collector agent logs.

Steps description:

  1. Check if there are any DNS errors in the collector agent for the host name.

    These include the collector agent unable to resolve the host name at all or resolving to an incorrect IP.

    Either way, it will be necessary to check the DNS server.

  2. If the collector agent logs show that the host timed out, the collector agent was not able to connect to the host on ports 139 and 445 to verify the user.

    Additionally, see the related article 'User status Not Verified on the collector agent' (see related articles below).

  3. If all of the steps above fail, open a support ticket.

Subsection B: User not found in collector agent logs.

If the user is not in the collector agent logs, the logon event was probably not sent by the DC agent. Check which domain controller authenticated the host (run 'echo %logonserver%' on the host) and troubleshoot that domain controller.

Make sure the DC agent is installed on the domain controller.
If it is not, install the DC agent (if there are problems, refer to the article 'Troubleshooting FSAE DC agent installation problems' in the related articles section below).
If the DC agent is installed, enable logging on the DC agent and check if there are any errors in the DC agent logs.


Related articles:

Comments
GILMENDO
Staff

Thank you for the input @H_aristizabal