Created on 06-17-2020 12:10 AM
Edited on 11-18-2025 02:12 PM
By Jean-Philippe_P
Description
This article describes how to troubleshoot the FSSO TS Agent and how to enable debug log level.
Example of the TS Agent not working as expected: traffic to websites from the RDP server does not match the correct FortiGate/FortiProxy policy (optionally, the website shows the Fortinet block page with a missing or wrong username).
Scope
FortiGate, FortiProxy, FSSO.
Solution
Let the user log in to the terminal server.
Open the TS Agent configuration and set logging to Debug (use the server Admin account).
Let the end user log in to the terminal server and initiate web traffic.
Verify that the user login information can be seen on the Collector Agent.
In the Terminal Server debug logs, check for user-related events.
Sample user information looks like this:
Session 5 is allocated to the user fortiuser, and the port range is 2224-2423.
10-22-2024 09:45:48 [0000112c] session ID:5, username: fortiuser, domain: fortinet
10-22-2024 09:45:48 [0000112c] session ID:5 has added to session table
10-22-2024 09:45:48 [0000112c] succeeded to allocate port range 2224-2423 for session 5
Log entry for a successfully allocated source port for the user traffic (the allocated port has to be within the allocated range):
CDriver allocate port 2224 for request 10440 of session 5 protocol 6, time:15
Session 5 <----- The user session ID.
Port 2224 <----- Within the allocated port range.
Allocate port <----- The TS Agent has successfully allocated the port for a request.
Port range for request.
Note:
Session ID 0 is used for system resources.
If all the allocated ports are exhausted, the following log entry appears:
Cdriver failed to allocate port for request 10410 of session 5 protocol 6, time:0
Session 5 <----- The user session ID.
Port <----- No port available in the port range for session 5.
Verify the login details on the FortiGate.
Verify if the logon is pulled from the FSSO by the FortiGate.
diagnose firewall auth list | grep -i xxxxx -A 7
10.0.53.7, fortiuser
type: fsso_citrix, id: 4, duration: 63444, idled: 63444
server: Fortinet_FSSO_Access_List
packets: in 0 out 0, bytes: in 0 out 0
group_id: 8
group_name: Fortinet_FSSO_All_Users
port_range: (2224-2423)
For TS-Agent, the source port is important, and it is necessary to verify from which source port the traffic was sent. This can be done by a packet capture on the FortiGate.
diagnose sniffer packet any 'host <web server IP>' 4
Note:
In the case of an explicit proxy, the web server IP will not help the sniffer to show the terminal server's source port. Use a broader filter for the terminal server instead.
diagnose sniffer packet any 'host <terminal server IP>' 4
Verify the session list for the user’s session.
diagnose sys session filter dst <webserver ip>
diagnose sys session list
If the src_port seen in the packet capture and session list is outside the allocated port range, check the TS-Agent log, along with which process on the terminal server uses the source port range assigned to the user.
Terminal Server.
Use the Debug option button in the TS Agent to collect the user port allocation process.
An example of the error in the debug file:
10-22-2024 07:11:28 [00001790] Message WTS_REMOTE_CONNECT, session ID:31
10-22-2024 07:11:28 [00001790] Failed to get username for session ID:31
10-22-2024 07:11:30 [00001790] Message WTS_SESSION_LOGON, session ID:31
10-22-2024 07:11:30 [00001790] session ID:31, username: fortiuser, domain: FORTINET
10-22-2024 07:11:30 [00001790] session ID:31 has added to session table
10-22-2024 07:11:30 [00001790] succeeded to allocate port range 7671-7870 for session 31
Use the command below in CMD or PowerShell to get the output:
Get-NetTCPConnection | sort-object owningprocess
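The comparison described above can be scripted. The following is an added example, not from the original article or from Fortinet: it parses TS Agent debug log lines in the formats shown in this article, builds the session-to-port-range table, reports failed allocations, and maps a source port seen in the FortiGate sniffer or session list back to a session and user. The sample log is constructed from the article's lines, and the function names are hypothetical.

```python
import re

# Constructed sample, assembled from the log formats shown in this article.
SAMPLE_LOG = """\
10-22-2024 09:45:48 [0000112c] session ID:5, username: fortiuser, domain: fortinet
10-22-2024 09:45:48 [0000112c] session ID:5 has added to session table
10-22-2024 09:45:48 [0000112c] succeeded to allocate port range 2224-2423 for session 5
CDriver allocate port 2224 for request 10440 of session 5 protocol 6, time:15
Cdriver failed to allocate port for request 10410 of session 5 protocol 6, time:0
10-22-2024 07:11:30 [00001790] session ID:31, username: fortiuser, domain: FORTINET
10-22-2024 07:11:30 [00001790] succeeded to allocate port range 7671-7870 for session 31
"""

USER_RE = re.compile(r"session ID:(\d+), username: ([^,\s]+), domain: (\S+)")
RANGE_RE = re.compile(r"succeeded to allocate port range (\d+)-(\d+) for session (\d+)")
# The article shows both "CDriver" and "Cdriver", so match case-insensitively.
ALLOC_RE = re.compile(r"cdriver allocate port (\d+) for request \d+ of session (\d+)", re.I)
FAIL_RE = re.compile(r"cdriver failed to allocate port for request (\d+) of session (\d+)", re.I)

def parse_ts_agent_log(text):
    """Return (sessions, findings) parsed from TS Agent debug log text."""
    sessions, findings = {}, []
    for line in text.splitlines():
        if m := USER_RE.search(line):
            sessions.setdefault(int(m[1]), {})["user"] = f"{m[3]}\\{m[2]}"
        elif m := RANGE_RE.search(line):
            sessions.setdefault(int(m[3]), {})["range"] = (int(m[1]), int(m[2]))
        elif m := ALLOC_RE.search(line):
            port, sid = int(m[1]), int(m[2])
            lo, hi = sessions.get(sid, {}).get("range", (0, -1))
            if not lo <= port <= hi:  # port must lie inside the session's range
                findings.append(f"session {sid}: port {port} outside allocated range")
        elif m := FAIL_RE.search(line):  # port range exhausted for this session
            findings.append(f"session {int(m[2])}: no free port for request {m[1]}")
    return sessions, findings

def owner_of_port(sessions, src_port):
    """Map a source port seen on the FortiGate to (session ID, user), or None."""
    for sid, info in sessions.items():
        lo, hi = info.get("range", (0, -1))
        if lo <= src_port <= hi:
            return sid, info.get("user")
    return None  # not in any TS Agent range: identify the owning process instead

if __name__ == "__main__":
    sessions, findings = parse_ts_agent_log(SAMPLE_LOG)
    print(sessions, findings, owner_of_port(sessions, 2300), sep="\n")
```

A source port for which owner_of_port returns None was not allocated by the TS Agent to any logged session, which is the case where the owning process on the terminal server needs to be identified.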
