Created on
04-21-2020
12:10 AM
Edited on
05-14-2025
12:54 AM
By
Jean-Philippe_P
Description
This article describes how to increase the timeout on FortiGate for LDAP queries.
Scope
FortiGate.
Solution
In some cases, the LDAP server is not directly connected to FortiGate, and the delay on the path causes the LDAP query to time out. The 'fnbamd' debug on FortiGate will record a corresponding entry. Here are the commands to run on the CLI for 'fnbamd' debugging:
diagnose debug reset
diagnose debug application fnbamd -1
diagnose debug enable
To stop the debug:
diagnose debug disable
diagnose debug reset
2020-03-17 20:27:50 [823] __ldap_timeout-
2020-03-17 20:27:50 [798] __ldap_try_next_server-LDAP 'LDAP' conn failed, svr: ldap-test
2020-03-17 20:27:50 [764] __ldap_error-
2020-03-17 20:27:50 [753] __ldap_stop-svr 'LDAP'
2020-03-17 20:27:50 [3246] fnbamd_ldap_result-Error (3) for req 608660764
Or errors like:
2024-08-26 14:38:22 [1257] __ldap_rxtx-Start ldap conn timer.
2024-08-26 14:38:22 [594] __ldap_conn_timeout-Connction with LDAP:192.168.x.x timed out.
2024-08-26 14:38:22 [1642] __ldap_error-Ret 10, st = 3.
2024-08-26 14:38:22 [1679] __ldap_error-
2024-08-26 14:38:22 [1485] __ldap_tcps_close-closed.
2024-08-26 14:38:22 [1567] __ldap_conn_stop-Stop ldap conn timer.
Debug can be run for SSL VPN as well:
diagnose debug reset
diagnose debug application sslvpn -1
diagnose debug enable
The following error can be observed:
2025-03-17 10:45:58 [239:root:2b]fam_auth_proc_resp:1365 fnbam_auth_update_result return: 10 (timeout)
2025-03-17 10:45:58 [239:root:2b][fam_auth_proc_resp:1505] Authenticated groups (5) by FNBAM with auth_type (1):
2025-03-17 10:45:58 [239:root:2b]Received: auth_rsp_data.grp_list[0] = 0
2025-03-17 10:45:58 [239:root:2b]Received: auth_rsp_data.grp_list[1] = 0
2025-03-17 10:45:58 [239:root:2b]Received: auth_rsp_data.grp_list[2] = 0
2025-03-17 10:45:58 [239:root:2b]Received: auth_rsp_data.grp_list[3] = 0
2025-03-17 10:45:58 [239:root:2b]Received: auth_rsp_data.grp_list[4] = 0
2025-03-17 10:45:58 [239:root:2b]login_failed:480 user[USERNAME],auth_type=1 failed [sslvpn_login_unknown_reason]
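The debug lines above are what an operator has to read by eye. As an added example (not part of this article and not Fortinet code), the following Python script parses the fnbamd and sslvpn debug output shown above, extracts each timeout-related event with its timestamp and the server or user it names, and counts events by kind so it is clear which timer is firing. The sample input is constructed from the lines on this page; the mapping from event kind to the setting worth reviewing is a heuristic assumption, not something the article states.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the fnbamd and sslvpn debug lines quoted in this article.
SAMPLE_DEBUG = """\
2020-03-17 20:27:50 [823] __ldap_timeout-
2020-03-17 20:27:50 [798] __ldap_try_next_server-LDAP 'LDAP' conn failed, svr: ldap-test
2020-03-17 20:27:50 [764] __ldap_error-
2020-03-17 20:27:50 [753] __ldap_stop-svr 'LDAP'
2020-03-17 20:27:50 [3246] fnbamd_ldap_result-Error (3) for req 608660764
2024-08-26 14:38:22 [1257] __ldap_rxtx-Start ldap conn timer.
2024-08-26 14:38:22 [594] __ldap_conn_timeout-Connction with LDAP:192.168.x.x timed out.
2024-08-26 14:38:22 [1642] __ldap_error-Ret 10, st = 3.
2024-08-26 14:38:22 [1485] __ldap_tcps_close-closed.
2025-03-17 10:45:58 [239:root:2b]fam_auth_proc_resp:1365 fnbam_auth_update_result return: 10 (timeout)
2025-03-17 10:45:58 [239:root:2b]login_failed:480 user[USERNAME],auth_type=1 failed [sslvpn_login_unknown_reason]
"""


@dataclass
class TimeoutEvent:
    timestamp: str
    kind: str    # one of the keys in PATTERNS below
    detail: str  # server name, server address or user name, if the line carries one


TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"

# Order matters: the first matching pattern classifies the line.
PATTERNS = [
    ("ldap_conn_timeout",
     re.compile(TS + r" \[\d+\] __ldap_conn_timeout-.*?LDAP:(?P<detail>\S+?) timed out")),
    ("ldap_query_timeout",
     re.compile(TS + r" \[\d+\] __ldap_timeout-(?P<detail>.*)")),
    ("ldap_server_failed",
     re.compile(TS + r" \[\d+\] __ldap_try_next_server-.*svr: (?P<detail>\S+)")),
    ("sslvpn_auth_timeout",
     re.compile(TS + r" \[[^\]]+\]fam_auth_proc_resp:\d+ fnbam_auth_update_result return: 10 \(timeout\)(?P<detail>)")),
    ("sslvpn_login_failed",
     re.compile(TS + r" \[[^\]]+\]login_failed:\d+ user\[(?P<detail>[^\]]*)\]")),
]

# Heuristic (assumption, not from the article): which 'config system global'
# setting each event kind most likely points at.
SETTING_HINT = {
    "ldap_conn_timeout": "ldapconntimeout",
    "ldap_query_timeout": "remoteauthtimeout",
    "sslvpn_auth_timeout": "remoteauthtimeout / ldapconntimeout",
}


def parse_timeouts(text: str) -> List[TimeoutEvent]:
    """Return every timeout-related event found in fnbamd/sslvpn debug output."""
    events: List[TimeoutEvent] = []
    for line in text.splitlines():
        for kind, pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                events.append(TimeoutEvent(match.group("ts"), kind, match.group("detail").strip()))
                break
    return events


def summarize(events: List[TimeoutEvent]) -> Dict[str, int]:
    """Count events by kind so an operator can see which timer is firing."""
    counts: Dict[str, int] = {}
    for event in events:
        counts[event.kind] = counts.get(event.kind, 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_timeouts(SAMPLE_DEBUG)
    for event in found:
        hint = SETTING_HINT.get(event.kind, "n/a")
        print(f"{event.timestamp} {event.kind:22} {event.detail or '-':14} review: {hint}")
    print(summarize(found))
```

Feed the script the saved output of 'diagnose debug application fnbamd -1' (or the sslvpn debug) instead of SAMPLE_DEBUG; a burst of ldap_conn_timeout events against one server address is the signature this article is about, and the timestamps let the events be correlated with a packet capture of the LDAP session.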
In this case, two timeout values need to be taken into account:
config sys global
set remoteauthtimeout <in seconds> <----- By default 5 seconds.
set ldapconntimeout <in milliseconds> <----- By default 500 milliseconds.
end
remoteauthtimeout Enter an integer value from <1> to <300> (default = <5>)
ldapconntimeout Enter an integer value from <1> to <300000> (default = <500>)
Increasing these timeouts gives the slow path enough time for the LDAP query to complete successfully.
On FortiOS v7.4.4, there is a change to how ldapconntimeout works. Originally, this setting only controlled the timeout for LDAP TCP session setup; from v7.4.4 it also covers the time the fnbamd process spends on packet read/write. More information: Technical Tip: TACACS+ and LDAP-proxy authentication stopped working after upgrading to FortiOS v7.4...
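Because ldapconntimeout is in milliseconds, remoteauthtimeout is in seconds, and the meaning of ldapconntimeout changes at v7.4.4, it is easy to set one value and still hit the other. As an added example (not part of this article and not Fortinet code), the following Python helper takes measured LDAP latencies, applies the version-dependent semantics described above, reports which setting is too small, and renders the corresponding 'config system global' block clamped to the value ranges shown on this page. It assumes that remoteauthtimeout bounds the whole remote authentication exchange (TCP setup plus bind/search), which the article does not spell out; the latency figures and the 2x safety margin are constructed assumptions.

```python
import math
from dataclasses import dataclass
from typing import Dict, Tuple

# CLI ranges quoted in this article.
LDAPCONNTIMEOUT_MAX_MS = 300000
REMOTEAUTHTIMEOUT_MAX_S = 300


@dataclass
class LdapTiming:
    """Measured latencies in milliseconds for one authentication attempt
    (from a packet capture between FortiGate and the LDAP server)."""
    tcp_setup_ms: int    # SYN to established, plus TLS handshake for LDAPS
    read_write_ms: int   # bind and search round trips after the session is up


def version_tuple(version: str) -> Tuple[int, ...]:
    """'v7.4.4' -> (7, 4, 4) so versions compare numerically."""
    return tuple(int(part) for part in version.lstrip("v").split("."))


def ldapconntimeout_budget_ms(timing: LdapTiming, fortios_version: str) -> int:
    """What ldapconntimeout must cover: only TCP session setup before v7.4.4,
    setup plus fnbamd packet read/write from v7.4.4 onward (per the article)."""
    if version_tuple(fortios_version) >= (7, 4, 4):
        return timing.tcp_setup_ms + timing.read_write_ms
    return timing.tcp_setup_ms


def check_timeouts(timing: LdapTiming, fortios_version: str,
                   ldapconntimeout_ms: int = 500, remoteauthtimeout_s: int = 5,
                   margin: float = 2.0) -> Dict[str, int]:
    """Return {setting: recommended value} for each setting smaller than the
    measured need; defaults are the FortiGate defaults quoted in the article."""
    findings: Dict[str, int] = {}

    need_conn_ms = ldapconntimeout_budget_ms(timing, fortios_version)
    if ldapconntimeout_ms < need_conn_ms:
        findings["ldapconntimeout"] = min(LDAPCONNTIMEOUT_MAX_MS, max(1, int(need_conn_ms * margin)))

    # Assumption: remoteauthtimeout bounds the whole exchange; convert ms -> s.
    total_ms = timing.tcp_setup_ms + timing.read_write_ms
    if remoteauthtimeout_s * 1000 < total_ms:
        findings["remoteauthtimeout"] = min(REMOTEAUTHTIMEOUT_MAX_S,
                                            max(1, math.ceil(total_ms * margin / 1000)))
    return findings


def render_cli(findings: Dict[str, int]) -> str:
    """Emit the FortiGate CLI block that applies the recommended values."""
    if not findings:
        return ""
    lines = ["config system global"]
    for key, value in findings.items():
        lines.append(f"    set {key} {value}")
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: a remote LDAP server reached over a slow path.
    sample = LdapTiming(tcp_setup_ms=300, read_write_ms=400)
    for version in ("7.2.0", "7.4.4"):
        print(f"FortiOS {version}: {check_timeouts(sample, version) or 'defaults are sufficient'}")
    print(render_cli(check_timeouts(sample, "7.4.4")))
```

The same 700 ms exchange passes the default ldapconntimeout on a pre-7.4.4 release (only the 300 ms setup is measured) and fails it on v7.4.4, which is exactly the post-upgrade symptom the linked tip describes; the function makes that difference explicit before the values are typed into the CLI.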
Copyright 2025 Fortinet, Inc. All Rights Reserved.