FortiGate
princes (Staff)
Article Id 409534
Description This article explains why user authentication can fail even though the test connectivity for the LDAP user succeeds.
Scope FortiGate v7.4.4 and above.
Solution

When the LDAP user test credential check succeeds but user authentication fails, the fnbamd debug output shows the following error:


[1489] __ldap_tcps_open-oif=0, intf_sel.mode=1, intf_sel.name=
[1508] __ldap_tcps_open-Still connecting 10.1.1.5.
[1525] __ldap_tcps_open-Start ldap conn timer.
[1601] __ldap_conn_start-Socket 12 is created for LDAP 'Azure-sso'.
[673] __ldap_add_job_timer-
[316] radius_start-eap_local=0
[901] fnbamd_cfg_get_radius_list-
[692] __fnbamd_cfg_get_radius_list_by_user-
[639] __fnbamd_cfg_add_radius_by_user-
[923] fnbamd_cfg_get_radius_list-Total rad servers to try: 0
[439] fnbamd_cfg_get_pop3_list-
[417] __fnbamd_cfg_get_pop3_list_by_group-
[449] fnbamd_cfg_get_pop3_list-Total pop3 servers to try: 0
[434] start_remote_auth-Total 1 server(s) to try
[1902] handle_req-r=4
[596] __ldap_conn_timeout-Connction with Azure-sso:10.1.1.5 timed out.
[1694] __ldap_error-Ret 10, st = 0.
[1708] __ldap_error-Conn failed.
[920] fnbamd_cfg_ldap_update_reachability-10.1.1.5, conn_fails 1/5
[1715] __ldap_error-
[1535] __ldap_tcps_close-closed.
[1619] __ldap_conn_stop-Stop ldap conn timer.
[1657] __ldap_try_next_addr-No more addr to try.
[1724] __ldap_error-
[1671] __ldap_try_next_server-
[1624] __ldap_stop-
[1619] __ldap_conn_stop-Stop ldap conn timer.
[664] __ldap_del_job_timer-
[1169] __ldap_auth_ctx_clear-
[1157] __ldap_auth_ctx_reset-
[889] fnbamd_ldap_get_auth_server-
[29] __ldap_server_free-Freeing 10.1.1.5, ref:2
[1677] __ldap_try_next_server-No more server to try.
[1731] __ldap_error-
[1619] __ldap_conn_stop-Stop ldap conn timer.
[2636] fnbamd_ldap_result-Error (10) for req 28046152232962
[239] fnbamd_comm_send_result-Sending result 10 (nid 0) for req 28046152232962, len=2604
[600] destroy_auth_session-delete session 28046152232962
[1877] fnbamd_ldap_stop-
[6530:root:e][1624] __ldap_stop-
fam_auth_proc_resp:1370 fnbam_auth_update_result return: 10 (timeout)<----- Timeout because the FortiGate did not receive any response to the LDAP query.

 

The same can be verified with a packet capture: only SYN packets are sent to the LDAP server and no TCP handshake completes.


 

This happens when the device is in an HA cluster and the LDAP traffic is sent out of the HA management interface (ha-direct enabled). To mitigate this issue, disable HA direct (ha-direct) on the firewall:

 

config system ha
    set ha-direct disable
end

 

As explained in the following article, enable ha-direct only when the server is routed via the management interface: Technical Tip: Sending messages (logs, SNMP) directly from the HA management interface

 

After disabling ha-direct, the SSL VPN users were authenticated successfully.
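As a triage aid for the fnbamd debug output shown above, the following added example (not Fortinet code) pulls the LDAP connect-timeout symptom, the reachability counter and the final result code out of a debug capture and flags the ha-direct pattern; the sample lines are constructed from the excerpt above and the regexes assume the "[line] function-message" format seen there.

```python
# Added example (not Fortinet code): pick the LDAP-timeout symptom out of
# "diagnose debug application fnbamd -1" output like the excerpt above.
import re

# fnbamd lines look like "[src_line] function-message"; the bracketed number is
# a source line in fnbamd, not a PID. Patterns cover the lines shown on this page.
_TIMEOUT = re.compile(r"__ldap_conn_timeout-.*with (?P<server>[^:]+):(?P<ip>[\d.]+) timed out")
_REACH = re.compile(r"fnbamd_cfg_ldap_update_reachability-(?P<ip>[\d.]+), conn_fails (?P<fails>\d+)/(?P<limit>\d+)")
_RESULT = re.compile(r"fnbam_auth_update_result return: (?P<code>\d+) \((?P<name>\w+)\)")

FNBAM_TIMEOUT = 10  # result code seen on this page for "timeout"


def triage_fnbamd(debug_text):
    """Summarise one LDAP auth attempt from fnbamd debug text.

    Returns server, ip, timed_out, conn_fails, conn_fail_limit, result_code,
    result_name and a 'hint' that is set only for the pattern this article
    describes: connect timeout with no response and final result 10 (timeout).
    """
    s = {"server": None, "ip": None, "timed_out": False, "conn_fails": None,
         "conn_fail_limit": None, "result_code": None, "result_name": None,
         "hint": None}
    for line in debug_text.splitlines():
        if m := _TIMEOUT.search(line):
            s["timed_out"], s["server"], s["ip"] = True, m["server"], m["ip"]
        elif m := _REACH.search(line):
            s["ip"] = m["ip"]
            s["conn_fails"], s["conn_fail_limit"] = int(m["fails"]), int(m["limit"])
        elif m := _RESULT.search(line):
            s["result_code"], s["result_name"] = int(m["code"]), m["name"]
    if s["timed_out"] and s["result_code"] == FNBAM_TIMEOUT:
        s["hint"] = ("No TCP response from LDAP server. On an HA cluster check "
                     "'config system ha' -> ha-direct: when enabled, the query can "
                     "leave the HA management interface instead of the data path.")
    return s


# Constructed sample: the relevant lines from the debug excerpt above.
SAMPLE = """\
[596] __ldap_conn_timeout-Connction with Azure-sso:10.1.1.5 timed out.
[920] fnbamd_cfg_ldap_update_reachability-10.1.1.5, conn_fails 1/5
[2636] fnbamd_ldap_result-Error (10) for req 28046152232962
fam_auth_proc_resp:1370 fnbam_auth_update_result return: 10 (timeout)
"""

if __name__ == "__main__":
    for key, value in triage_fnbamd(SAMPLE).items():
        print(f"{key}: {value}")
```

Feed it the full fnbamd debug capture rather than the trimmed sample to get the same summary from a real session.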

 

This behavior has been addressed by Engineering and is resolved in FortiOS 7.4.9 and FortiOS 7.6.4.

 

FortiOS 7.4.9 and 7.6.4 are now available to download from Support Portal.

 

Related articles:

Technical Tip: LDAPS connections no longer work after update to v7.4.4

Technical Tip: LDAP Authentication Fails when ha-direct is enabled