FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
athirat
Staff
Staff
Article Id 189403

Description

 

This article describes how to increase the timeout on FortiGate for LDAP queries.

 

Scope

 

FortiGate.

Solution

 

In some cases, the LDAP server is not directly connected to FortiGate, and due to a delay in the path, the LDAP query is not recording a timeout. 'fnbamd debugs' on FortiGate will record an entry. Here are the commands to run on CLI for 'fnbamd debugs' :

diagnose debug reset

diagnose debug application fnbamd -1

diagnose debug enable

To stop the debug:

 

diagnose debug disable

diagnose debug reset

 

2020-03-17 20:27:50 [823] __ldap_timeout-
2020-03-17 20:27:50 [798] __ldap_try_next_server-LDAP 'LDAP' conn failed, svr: ldap-test
2020-03-17 20:27:50 [764] __ldap_error-
2020-03-17 20:27:50 [753] __ldap_stop-svr 'LDAP'
2020-03-17 20:27:50 [3246] fnbamd_ldap_result-Error (3) for req 608660764

 

Or errors like: 

 

024-08-26 14:38:22 [1257] __ldap_rxtx-Start ldap conn timer.
2024-08-26 14:38:22 [594] __ldap_conn_timeout-Connction with LDAP:192.168.x.x timed out.
2024-08-26 14:38:22 [1642] __ldap_error-Ret 10, st = 3.
2024-08-26 14:38:22 [1679] __ldap_error-
2024-08-26 14:38:22 [1485] __ldap_tcps_close-closed.
2024-08-26 14:38:22 [1567] __ldap_conn_stop-Stop ldap conn timer.

 

Debug can be run for SSL VPN as well:

 

diagnose debug reset

diagnose debug application sslvpn -1

diagnose debug enable

 

The following error can be observed :

 

2025-03-17 10:45:58 [239:root:2b]fam_auth_proc_resp:1365 fnbam_auth_update_result return: 10 (timeout)
2025-03-17 10:45:58 [239:root:2b][fam_auth_proc_resp:1505] Authenticated groups (5) by FNBAM with auth_type (1):
2025-03-17 10:45:58 [239:root:2b]Received: auth_rsp_data.grp_list[0] = 0
2025-03-17 10:45:58 [239:root:2b]Received: auth_rsp_data.grp_list[1] = 0
2025-03-17 10:45:58 [239:root:2b]Received: auth_rsp_data.grp_list[2] = 0
2025-03-17 10:45:58 [239:root:2b]Received: auth_rsp_data.grp_list[3] = 0
2025-03-17 10:45:58 [239:root:2b]Received: auth_rsp_data.grp_list[4] = 0
2025-03-17 10:45:58 [239:root:2b]login_failed:480 user[USERNAME],auth_type=1 failed [sslvpn_login_unknown_reason]

 

In this case, 2 timeout values need to be taken into account.

 

config sys global
    set remoteauthtimeout <in seconds>                                  <----- By default 5 seconds.
    set ldapconntimeout <in milliseconds>                             <----- By default 500 milliseconds.
end

 

remoteauthtimeout Enter an integer value from <1> to <300> (default = <5>)

ldapconntimeout Enter an integer value from <1> to <300000> (default = <500>)

 

Increasing these timeouts will result in a successful LDAP query.

 

On FortiOS v7.4.4, there is a change to how ldapconntimeout works. Originally, this setting only controlled the timeout used when measuring LDAP TCP session setup, but now it also measures the length of time for packet read/write by the fnbamd process. More information: Technical Tip: TACACS+ and LDAP-proxy authentication stopped working after upgrading to FortiOS v7.4...

 

Related articles:

Troubleshooting Tip: SSL VPN 'permission denied' error while using DUO as Two-Factor Authentication ... 

Troubleshooting Tip: FortiGate admin login LDAP authentication randomly failing, debug error code 'l...