FortiGate
mturic
Staff
Article Id 197910

Description


This article describes how to troubleshoot the FSSO TS Agent when the block page shows no username.

 

Scope

 

FortiGate.

Solution


Open the TS Agent configuration (using the server Admin account) and set logging to Debug.
Let the end user log in to the terminal server and initiate web traffic.

Verify that the user login information can be seen on the Collector Agent.

In the Terminal Server debug logs, check for user-related events.

 

Sample user information looks like this:

Session 5 is allocated to the User xxxxx and port range is: 2224-2423.

 

01-02-2020 09:45:48 [0000112c] session ID:5, username: xxxxx, domain: fortinet
01-02-2020 09:45:48 [0000112c] session ID:5 has added to session table
01-02-2020 09:45:48 [0000112c] succeeded to allocate port range 2224-2423 for session 5

 

A successful source port allocation log for the user traffic looks like the following (the allocated port has to be within the session's allocated range):

 

CDriver allocate port 2224 for request 10440 of session 5 protocol 6, time:15
Session 5                              <----- The user session ID.
Port 2224                              <----- In the range of allocated port range.
Allocate port                          <----- The TS Agent successfully allocated a port for the request.

 

Port range for request.

Note:
Session ID - 0 is used for system resources.

If all the allocated ports are exhausted, the following log appears:

 

Cdriver failed to allocate port for request 10410 of session 5 protocol 6, time:0
Session 5                              <----- The user session ID.
Port                                   <----- No port available in the port range for session 5.

 

Verify the login details on the FortiGate.

Verify if the logon is pulled from the FSSO by the FortiGate.

 

diag firewall auth list | grep -i michael -A 7
10.0.53.7, Michael
type: fsso_citrix, id: 4, duration: 63444, idled: 63444
server: Fortinet_FSSO_Access_List
packets: in 0 out 0, bytes: in 0 out 0
group_id: 8
group_name: Fortinet_FSSO_All_Users
port_range: (2224-2423)

 

FortiGate-40F-FIEL # dia firewall auth list | grep -i MONITOR -A 7
192.168.0.18, MONITOR
type: fsso_citrix, id: 8, duration: 584139, idled: 584139
server: FSSO SRVAD-02
packets: in 0 out 0, bytes: in 0 out 0
group_id: 4 33554484 33554464 33554474 33554446 33554526 33554499 33554490
group_name: GRP_ACESS_SEGURITY FIEL/USERS 
port_range: (2224-2423)

 

For TS-Agent, the source port is important and it is necessary to verify from which source port the traffic was sent. This can be done by a packet capture on the FortiGate.

 

diagnose sniffer packet any 'host <web server IP>' 4

 

Note:

In the case of an explicit proxy, filtering on the web server IP will not show the terminal server's source port in the sniffer output. Use a broader filter on the terminal server instead:

 

diagnose sniffer packet any 'host <terminal server IP>' 4

 

Verify the session list for the user’s session.

 

diagnose sys session filter dst <webserver ip>
diagnose sys session list

 

If the src_port seen in the packet capture and session list is outside the port range allocated to the user, check the TS Agent log and identify which process is using the source port range assigned to that user.

On the Terminal Server:
Use the Debug option button in the TS Agent to collect the user port allocation process.

 

(Screenshot Capture1.PNG: TS Agent Debug option)

 

An example of the error in the debug file:


10-22-2024 07:11:28 [00001790] Message WTS_REMOTE_CONNECT, session ID:31
10-22-2024 07:11:28 [00001790] Failed to get username for session ID:31
10-22-2024 07:11:30 [00001790] Message WTS_SESSION_LOGON, session ID:31
10-22-2024 07:11:30 [00001790] session ID:31, username: comercial, domain: FIEL
10-22-2024 07:11:30 [00001790] session ID:31 has added to session table
10-22-2024 07:11:30 [00001790] succeeded to allocate port range 7671-7870 for session 31 


Use the command below in CMD or PowerShell to list TCP connections with their owning process:

 

Get-NetTCPConnection | Sort-Object OwningProcess

 

 
From the above screenshot:
 
Src_ip: 10.5.10.24
Src_port: 50777         <-----
Dst_ip: 185.48.81.79
Dst_port: 80
 
Go to Task Manager -> Services, check the PID found earlier, and identify the application by description.
 
 
If the application is something other than the TS Agent, stop that service and verify whether the reported issue (no username on the block page) persists.
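The port-range check and process lookup described above, as an added PowerShell example that is not part of this article or of the TS Agent itself. The log path is a placeholder, the embedded log lines are constructed in the article's format, and the source port defaults to the 50777 seen in the session list:

```powershell
# Added example (not Fortinet's code): map a source port seen on the FortiGate
# back to the TS Agent session range and to the local process that owns it.
param(
    [string]$LogPath = 'C:\path\to\ts_agent_debug.log',   # placeholder path
    [int]$SourcePort = 50777                                # port from sniffer/session list
)

# Constructed sample lines in the TS Agent debug format, used when the log is absent.
$sampleLog = @(
    '10-22-2024 07:11:30 [00001790] session ID:31, username: comercial, domain: FIEL',
    '10-22-2024 07:11:30 [00001790] succeeded to allocate port range 7671-7870 for session 31'
)
$lines = if (Test-Path $LogPath) { Get-Content $LogPath } else { $sampleLog }

# Build session ID -> user and allocated port range from the two log line shapes.
$sessions = @{}
foreach ($line in $lines) {
    if ($line -match 'session ID:(\d+), username: (\S+), domain: (\S+)') {
        $id = [int]$Matches[1]
        if (-not $sessions.ContainsKey($id)) { $sessions[$id] = @{} }
        $sessions[$id].User = "$($Matches[3])\$($Matches[2])"
    }
    elseif ($line -match 'allocate port range (\d+)-(\d+) for session (\d+)') {
        $id = [int]$Matches[3]
        if (-not $sessions.ContainsKey($id)) { $sessions[$id] = @{} }
        $sessions[$id].Start = [int]$Matches[1]
        $sessions[$id].End   = [int]$Matches[2]
    }
}

# Does any TS Agent session range contain the observed source port?
$owner = $sessions.GetEnumerator() | Where-Object {
    $_.Value.Start -and $SourcePort -ge $_.Value.Start -and $SourcePort -le $_.Value.End
} | Select-Object -First 1
if ($owner) {
    "Port $SourcePort is inside range $($owner.Value.Start)-$($owner.Value.End) (session $($owner.Key), $($owner.Value.User))"
} else {
    "Port $SourcePort is outside every TS Agent range: the FortiGate cannot map it to a user"
}

# Identify the local process holding that port (the Task Manager step, done from the shell).
Get-NetTCPConnection -LocalPort $SourcePort -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LocalPort = $_.LocalPort; RemoteAddress = $_.RemoteAddress
        State = $_.State; PID = $_.OwningProcess; Process = $p.ProcessName
    }
}
```

Run it on the terminal server while the user's session is active; a port reported as outside every range and owned by a process other than the TS Agent points at the service to stop and retest.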

 

Related article:

Technical Tip: FSSO TS-Agent troubleshooting steps