This article describes the behavior where LDAP authentication fails after ha-direct is enabled.
This applies to FortiOS 7.4.8 and earlier and FortiOS 7.6.2 and earlier.
In general, the 'fnbamd' process checks three configuration settings to determine how to route its locally originated traffic: (1) interface-select, (2) ha-direct, and (3) source-ip. These settings control how the connection is initiated and can override each other.
When ha-direct is enabled, it can cause connectivity issues to the LDAP server regardless of the LDAP server configuration.
After enabling ha-direct, connectivity to the LDAP server fails. Running the following debugs produces output in which the connection to the LDAP server times out.
FGT # diagnose debug application fnbamd -1
FGT # diagnose debug application sslvpnd -1
FGT # diagnose debug enable
[...output omitted...]
[1757] __auth_ctx_start-Connection starts AdminUser1:10.15.20.1, addr 10.15.20.1:389
[1448] __ldap_tcps_open-vfid 2, addr 10.15.20.1, src_ip 10.15.70.20, ssl_opt 0, use_ha_relay 0
[1171] fnbamd_socket_update_interface-vfid is 2, intf mode is 0, intf name is , server address is 10.15.20.1:389, source address is 10.15.70.20:0, protocol number is 6, oif id is 0 <-----output interface is incorrect
[1472] __ldap_tcps_open-oif=0, intf_sel.mode=0, intf_sel.name=
[1491] __ldap_tcps_open-Still connecting 10.15.20.1.
[1508] __ldap_tcps_open-Start ldap conn timer.
[1584] __ldap_conn_start-Socket 11 is created for LDAP 'AdminUser1'.
[674] __ldap_add_job_timer-
[439] fnbamd_cfg_get_pop3_list-
[396] __fnbamd_cfg_get_pop3_list_by_server-
[221] fnbamd_pop3_get-vfid=1, name='AdminUser1'
[333] fnbamd_pop3_auth_ctx_push-Failed to create pop3 ctx for 'AdminUser1'.
[449] fnbamd_cfg_get_pop3_list-Total pop3 servers to try: 0
[434] start_remote_auth-Total 1 server(s) to try
[1900] handle_req-r=4
[597] __ldap_conn_timeout-Connction with AdminUser1:10.15.20.1 timed out. <----timed out
[1677] __ldap_error-Ret 10, st = 0.
[1691] __ldap_error-Conn failed.
[905] fnbamd_cfg_ldap_update_reachability-10.15.20.1, conn_fails 1/5
[1698] __ldap_error-
[1518] __ldap_tcps_close-closed.
[1602] __ldap_conn_stop-Stop ldap conn timer.
The value 'oif id is 0' indicates that the FortiGate is unable to determine the outgoing interface on which to route the traffic.
The same behavior can also be observed when LDAP authentication works from the GUI but fails when performed on the CLI using the following command.
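The debug output above is long and the two telling lines ('oif id is 0' and the later timeout) are far apart. The following script is an added example, not part of the original article, that parses 'diagnose debug application fnbamd -1' output and correlates the socket-interface line with the timeout and reachability lines for the same LDAP server. The sample input is constructed from the abridged lines shown above; the regular expressions, the LdapAttempt record and the likely_ha_direct_misroute heuristic are this example's own assumptions about the log format, not a Fortinet API.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: the relevant fnbamd debug lines from the article (abridged).
# Real output carries many more lines between these.
SAMPLE_DEBUG = """\
[1448] __ldap_tcps_open-vfid 2, addr 10.15.20.1, src_ip 10.15.70.20, ssl_opt 0, use_ha_relay 0
[1171] fnbamd_socket_update_interface-vfid is 2, intf mode is 0, intf name is , server address is 10.15.20.1:389, source address is 10.15.70.20:0, protocol number is 6, oif id is 0
[1472] __ldap_tcps_open-oif=0, intf_sel.mode=0, intf_sel.name=
[1584] __ldap_conn_start-Socket 11 is created for LDAP 'AdminUser1'.
[597] __ldap_conn_timeout-Connction with AdminUser1:10.15.20.1 timed out.
[1691] __ldap_error-Conn failed.
[905] fnbamd_cfg_ldap_update_reachability-10.15.20.1, conn_fails 1/5
"""

# Field layout of the socket-interface line as printed by fnbamd (assumed stable).
SOCKET_RE = re.compile(
    r"fnbamd_socket_update_interface-vfid is (?P<vfid>\d+), intf mode is (?P<intf_mode>\d+), "
    r"intf name is (?P<intf_name>[^,]*), server address is (?P<server>[^,]+), "
    r"source address is (?P<source>[^,]+), protocol number is (?P<proto>\d+), oif id is (?P<oif>\d+)"
)
# 'Conn\w*' tolerates the 'Connction' spelling in the real output.
TIMEOUT_RE = re.compile(r"__ldap_conn_timeout-Conn\w* with (?P<ctx>\S+?):(?P<server>[\d.]+) timed out")
REACH_RE = re.compile(
    r"fnbamd_cfg_ldap_update_reachability-(?P<server>[\d.]+), conn_fails (?P<fails>\d+)/(?P<max>\d+)"
)


@dataclass
class LdapAttempt:
    server: str             # "ip:port" as reported by fnbamd
    source: str             # "ip:port" chosen as source address
    vfid: int
    intf_mode: int
    intf_name: str
    oif: int                # outgoing interface id; 0 means none was resolved
    timed_out: bool = False
    conn_fails: str = ""    # e.g. "1/5" from the reachability counter
    findings: list[str] = field(default_factory=list)


def analyze_fnbamd_debug(text: str) -> list[LdapAttempt]:
    """Correlate socket, timeout and reachability lines per LDAP server IP."""
    attempts: dict[str, LdapAttempt] = {}
    for line in text.splitlines():
        m = SOCKET_RE.search(line)
        if m:
            ip = m["server"].rsplit(":", 1)[0]
            a = LdapAttempt(server=m["server"], source=m["source"], vfid=int(m["vfid"]),
                            intf_mode=int(m["intf_mode"]), intf_name=m["intf_name"].strip(),
                            oif=int(m["oif"]))
            if a.oif == 0:
                a.findings.append("oif id is 0: no outgoing interface resolved for the LDAP socket")
            attempts[ip] = a
            continue
        m = TIMEOUT_RE.search(line)
        if m and m["server"] in attempts:
            attempts[m["server"]].timed_out = True
            attempts[m["server"]].findings.append("LDAP connection timed out")
            continue
        m = REACH_RE.search(line)
        if m and m["server"] in attempts:
            attempts[m["server"]].conn_fails = f'{m["fails"]}/{m["max"]}'
    return list(attempts.values())


def likely_ha_direct_misroute(a: LdapAttempt) -> bool:
    """Heuristic from the article: an unresolved outgoing interface (oif 0)
    followed by a connection timeout is the signature to check ha-direct for."""
    return a.oif == 0 and a.timed_out


def summarize(attempts: list[LdapAttempt]) -> list[str]:
    lines = []
    for a in attempts:
        verdict = "check ha-direct / interface-select / source-ip" if likely_ha_direct_misroute(a) else "no misroute signature"
        lines.append(f"{a.server} via src {a.source} vdom {a.vfid} oif {a.oif} fails {a.conn_fails or '-'}: {verdict}")
        lines.extend(f"  - {f}" for f in a.findings)
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(analyze_fnbamd_debug(SAMPLE_DEBUG))))
```

Paste the full debug capture in place of SAMPLE_DEBUG (or read it from a file) when triaging a real case; an attempt that shows oif 0 and then times out is the case where the ha-direct precedence described in this article should be checked first, before looking at the LDAP server itself.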
FGT # diagnose test authserver ldap USERGROUP username password
This behavior has been addressed by Engineering and is resolved in FortiOS 7.4.9 and FortiOS 7.6.4.
FortiOS 7.6.4 is now available to download.
FortiOS 7.4.9 is currently scheduled to release in the middle of September.
Note that these dates are subject to change.
In the fixed releases, setting 'interface-select' (i.e. 'specify' or 'sdwan') overrides the ha-direct configuration. Additionally, setting source-ip disables ha-direct for the connection to an authentication server such as LDAP. Note that interface-select and source-ip are independent of each other, so neither overrides the other. On the HA secondary, setting either interface-select or source-ip results in ha-direct being ignored.
As a workaround, disabling ha-direct resolves this issue.
Related articles:
Technical Tip: FortiGate LDAP configuration, Network connectivity options
Technical Tip: How to configure FortiGate to use an LDAP server
Copyright 2025 Fortinet, Inc. All Rights Reserved.