rbraha
Staff
Article Id 395849
Description

 

This article describes how to fix the error 'FNBAMD_TIMEOUT' when users try to authenticate to an IPsec tunnel using FortiAuthenticator as a RADIUS server.

 

Scope

 

FortiGate.

 

Solution

 

After configuring an IPsec tunnel on FortiGate with FortiAuthenticator as the RADIUS server, authentication fails with the error 'FNBAMD_TIMEOUT' (logged as FNBAM_TIMEOUT in the IKE debug output below). To investigate, run the following debug commands on FortiGate and check the RADIUS debug logs on FortiAuthenticator.

 

diagnose debug reset
diagnose debug cons time enable
diagnose debug application fnbamd -1
diagnose vpn ike log filter rem-addr4 <RemoteClientIp>
diagnose debug app ike -1
diagnose debug enable

 

From FortiAuthenticator (https://<FortiAuthenticator-IP>/debug/RADIUS):

 

2025-05-26T09:40:29.805826+02:00 FortiAuthenticator radiusd[39954]: (858) facauth: This is a response to Access-Challenge
2025-05-26T09:40:29.805833+02:00 FortiAuthenticator radiusd[39954]: (858) facauth: Partial auth user found
2025-05-26T09:40:29.805839+02:00 FortiAuthenticator radiusd[39954]: (858) facauth: Request contains FTM push trigger
2025-05-26T09:40:29.805844+02:00 FortiAuthenticator radiusd[39954]: (858) facauth: Sending FTM push notification
2025-05-26T09:40:29.805850+02:00 FortiAuthenticator radiusd[39954]: (858) facauth: Initiate push_auth for test @ local
2025-05-26T09:40:29.807107+02:00 FortiAuthenticator radiusd[39954]: (858) facauth: initiate_push_auth:Initiating push auth session with session_id = fYjIAMEpvbnwYnAlpk6F1Lmc80zhp3j9
2025-05-26T09:40:29.807127+02:00 FortiAuthenticator radiusd[39954]: (858) facauth: Successfully found partially authenticated user instance.
2025-05-26T09:40:29.807854+02:00 FortiAuthenticator radiusd[39954]: (858) facauth: Hold request to wait for FTM push notification reply (request will be dropped after 60 sec)
2025-05-26T09:40:29.807877+02:00 FortiAuthenticator radiusd[39954]: (858) facauth: update_fac_authlog:164 nas_str = 10.20.250.9~91.30.91.255.
2025-05-26T09:40:29.807929+02:00 FortiAuthenticator radiusd[39954]: (858) facauth: Updated auth log 'test' for attempt from 10.20.250.9~91.30.91.255: Local user authentication partially done (chosen FTM push notification), expecting FortiToken
2025-05-26T09:40:29.807962+02:00 FortiAuthenticator radiusd[39954]: (858) # Executing section post-auth from file /usr/etc/raddb/sites-enabled/default

2025-05-26T09:40:37.889110+02:00 FortiAuthenticator radiusd[39954]: (859) Received Access-Request Id 0 from 127.0.0.1:36657 to 127.0.0.1:1812 length 123
2025-05-26T09:40:37.889119+02:00 FortiAuthenticator radiusd[39954]: (859) User-Name = "test"
2025-05-26T09:40:37.889125+02:00 FortiAuthenticator radiusd[39954]: (859) NAS-IP-Address = 127.0.0.1
2025-05-26T09:40:37.889133+02:00 FortiAuthenticator radiusd[39954]: (859) NAS-Port = 20
2025-05-26T09:40:37.889139+02:00 FortiAuthenticator radiusd[39954]: (859) State = 0x31
2025-05-26T09:40:37.889144+02:00 FortiAuthenticator radiusd[39954]: (859) NAS-Identifier = "FTM_PUSH:fYjIAMEpvbnwYnAlpk6F1Lmc80zhp3j9"

2025-05-26T09:40:37.889461+02:00 FortiAuthenticator radiusd[39954]: (859) facauth: This is a response to Access-Challenge
2025-05-26T09:40:37.889467+02:00 FortiAuthenticator radiusd[39954]: (859) facauth: Trying to find FTM push auth user: test session_id: fYjIAMEpvbnwYnAlpk6F1Lmc80zhp3j9
2025-05-26T09:40:37.889473+02:00 FortiAuthenticator radiusd[39954]: (859) facauth: Partial auth user found
2025-05-26T09:40:37.889480+02:00 FortiAuthenticator radiusd[39954]: (859) facauth: Successfully found partially authenticated user instance.
2025-05-26T09:40:37.889486+02:00 FortiAuthenticator radiusd[39954]: (858) Switch to the original request from 10.20.250.9 id=42 to continue FTM push auth
2025-05-26T09:40:37.890323+02:00 FortiAuthenticator radiusd[39954]: (858) Check push_auth for FTK-Mobile client

2025-05-26T09:40:37.892233+02:00 FortiAuthenticator radiusd[39954]: (858) facauth: sending Access-Accept packet for FTM push auth to 10.20.250.9 port 14660, id=42, code=2, length=219
2025-05-26T09:40:37.892265+02:00 FortiAuthenticator radiusd[39954]: (859) # Executing section post-auth from file /usr/etc/raddb/sites-enabled/default
2025-05-26T09:40:37.892288+02:00 FortiAuthenticator radiusd[39954]: (859) Sent Access-Accept Id 0 from 127.0.0.1:1812 to 127.0.0.1:36657 length 20

At this point, FortiAuthenticator is working as expected, and the RADIUS request is being accepted without any issues.

 

From the IKE debug output on FortiGate:

2025-05-26 09:40:34 [600] destroy_auth_session-delete session 8770395123757
2025-05-26 09:40:34 [1347] fnbamd_rads_destroy-
2025-05-26 09:40:34.815228 ike V=root:0:rac-rb_ewe:1453437 EAP 8770395123757 result FNBAM_TIMEOUT
2025-05-26 09:40:34.815247 ike V=root:0:rac-rb_ewe: EAP failed for user "test"
2025-05-26 09:40:34 [516] fnbamd_rad_auth_ctx_free-Freeing 'FAC_RADIUS' ctx

 

Solution:

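Going by the timestamps above, FortiGate reports the timeout at 09:40:34, about 5 seconds after FortiAuthenticator put the request on hold at 09:40:29 to wait for the FTM push reply, while the Access-Accept is only sent at 09:40:37. In the RADIUS server configuration in the FortiGate CLI, increase the timeout from 5s (the default value) to 30s.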

 

config user radius

    edit "FortiAuthenticator"

        set timeout 30 

    next 

end 

 

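In the global configuration on FortiGate, increase remoteauthtimeout from 30s (the default value) to 60s. 60s is also how long FortiAuthenticator holds the request while waiting for the FTM push reply, per the RADIUS log above.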

 

config system global

    set remoteauthtimeout 60

end
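
The timing in the debug output above can be checked by correlating the two logs. The following Python is an added example, not part of the original article or of Fortinet's tooling; it uses three log lines copied from the article, assumes the FortiGate and FortiAuthenticator clocks are in sync, and its function names are illustrative.

```python
import re
from datetime import datetime

# Log lines copied from the article's debug output (FortiAuthenticator radiusd,
# then FortiGate IKE debug). FortiGate lines carry no UTC offset, so the
# FortiAuthenticator offset is ignored; both clocks are assumed to be in sync.
FAC_LOG = """\
2025-05-26T09:40:29.807854+02:00 FortiAuthenticator radiusd[39954]: (858) facauth: Hold request to wait for FTM push notification reply (request will be dropped after 60 sec)
2025-05-26T09:40:37.892233+02:00 FortiAuthenticator radiusd[39954]: (858) facauth: sending Access-Accept packet for FTM push auth to 10.20.250.9 port 14660, id=42, code=2, length=219
"""
FGT_LOG = """\
2025-05-26 09:40:34.815228 ike V=root:0:rac-rb_ewe:1453437 EAP 8770395123757 result FNBAM_TIMEOUT
"""

# Date and time at the start of a line, with either "T" or a space between them.
TS = re.compile(r"^(\d{4}-\d{2}-\d{2})[T ](\d{2}:\d{2}:\d{2}\.\d+)")

def first_ts(log, marker):
    """Return the timestamp of the first line containing marker, or None."""
    for line in log.splitlines():
        m = TS.match(line)
        if m and marker in line:
            return datetime.strptime(" ".join(m.groups()), "%Y-%m-%d %H:%M:%S.%f")
    return None

def correlate(fac_log, fgt_log):
    """Seconds from the FTM push hold to the FortiGate timeout and to the Access-Accept."""
    hold = first_ts(fac_log, "Hold request to wait for FTM push")
    accept = first_ts(fac_log, "sending Access-Accept")
    timeout = first_ts(fgt_log, "FNBAM_TIMEOUT")
    if hold is None or accept is None:
        raise ValueError("hold or Access-Accept line not found")
    to_timeout = (timeout - hold).total_seconds() if timeout else None
    return {"to_timeout": to_timeout, "to_accept": (accept - hold).total_seconds()}

def accept_arrives_in_time(result, radius_timeout_s):
    """True if the Access-Accept would land inside the given RADIUS timeout."""
    return result["to_accept"] < radius_timeout_s

if __name__ == "__main__":
    r = correlate(FAC_LOG, FGT_LOG)
    print(f"timeout after {r['to_timeout']:.3f}s, accept after {r['to_accept']:.3f}s")
    for t in (5, 30):
        print(f"timeout {t}s -> accept in time: {accept_arrives_in_time(r, t)}")
```

The time to the Access-Accept depends on how quickly the user approves the push, so the value from one capture is a lower bound for the timeout, not a recommended setting.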