FortiGate
matanaskovic
Staff

Description

This article describes why a FortiGate cannot connect to the FSSO Collector Agent running on Windows Server 2019, and what the underlying issue is.

Scope

FortiGate 7.2.1, FSSO Collector Agent.

Solution

An external connector on FortiGate 7.2.1 has been configured using the "FSSO Agent on Windows AD" connector type.

[Screenshot: FSSO Agent on Windows AD external connector configuration]

The configuration was working, but FSSO communication between the FortiGate and FSSO Collector Agent 5.0.0306 suddenly stopped.

By default the FortiGate connects to the Collector Agent on port TCP/8000. Verify that the Collector Agent is listening on TCP/8000 and that the Windows Firewall allows that port.

[Screenshot: Windows Firewall rule for the Collector Agent on TCP/8000]

[Screenshot: Collector Agent listening on TCP/8000]

From the FortiGate, double check that the FSSO Collector Agent (CA) is listening and additionally verify that it can be reached, using a telnet connection to the agent:

[Screenshot: telnet test from the FortiGate to the Collector Agent on TCP/8000]

When the FSSO server status is checked with the debug command, the Connection Status still shows "waiting for retry".

[Screenshot: FSSO server status showing "waiting for retry"]

For further troubleshooting of the FSSO CA connection on the FortiGate side, run the authd application debug:

# diagnose debug application authd -1
Debug messages will be on for 30 minutes.
photon-kvm12 (root) # diagnose debug enable
photon-kvm12 (root) # authd_timer_run: 2 expired
authd_epoll_work: timeout 5000
authd_timer_run: 1 expired
authd_epoll_work: timeout 990
authd_timer_run: 1 expired
authd_epoll_work: timeout 10000
authd_epoll_work: timeout 10000
Server challenge:
        f9 57 20 05 7a 00 6d 50 42 7b a5 48 02 5d cf 37
MD5 response:
        d5 08 03 a2 66 f1 ad 2b 0c 9a 6f 9b a5 d1 e9 1c
authd_epoll_work: timeout 9990
_process_auth[FSSO-Collector Agent]: server authentication failed, aborting
disconnect_server_only[FSSO-Collector Agent]: disconnecting
authd_epoll_work: timeout 9990
diag deb disaauthd_timer_run: 1 expired
authd_epoll_work: timeout 9980
authd_epoll_work: timeout 9980
Server challenge:

        19 58 fc 28 4b 3a 66 7c 2c 0e 09 62 96 56 76 45
MD5 response:

        73 b5 03 1b b8 64 21 c8 82 7e 8d 10 e6 2b c3 99
authd_epoll_work: timeout 9970
_process_auth[FSSO-Collector Agent]: server authentication failed, aborting
disconnect_server_only[FSSO-Collector Agent]: disconnecting
authd_epoll_work: timeout 9960

The debug shows the TCP session to the Collector Agent being set up (a server challenge is received and an MD5 response is sent), but every attempt ends with "server authentication failed, aborting". After retyping (changing) the FSSO Agent password used for the communication between the FortiGate and the FSSO Collector Agent, communication is finally established.
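To make the debug output above easier to triage, the following added example (not part of the original article or of Fortinet's tooling) parses a constructed fragment in the same shape as the "diagnose debug application authd" output and maps the evidence to the next check: a received challenge proves TCP/8000 is reachable, so a repeated "server authentication failed" points at the shared FSSO password rather than at the firewall. The sample text and the result labels are assumptions made for this example.

```python
import re

# Constructed sample shaped like the page's "diagnose debug application authd -1" output, not a real capture.
SAMPLE_AUTHD_DEBUG = """\
Server challenge:
        f9 57 20 05 7a 00 6d 50 42 7b a5 48 02 5d cf 37
MD5 response:
        d5 08 03 a2 66 f1 ad 2b 0c 9a 6f 9b a5 d1 e9 1c
_process_auth[FSSO-Collector Agent]: server authentication failed, aborting
disconnect_server_only[FSSO-Collector Agent]: disconnecting
Server challenge:

        19 58 fc 28 4b 3a 66 7c 2c 0e 09 62 96 56 76 45
MD5 response:

        73 b5 03 1b b8 64 21 c8 82 7e 8d 10 e6 2b c3 99
_process_auth[FSSO-Collector Agent]: server authentication failed, aborting
"""

HEX16 = re.compile(r"^(?:[0-9a-f]{2} ){15}[0-9a-f]{2}$", re.I)   # one 16-byte value per line
AUTH_FAIL = re.compile(r"^_process_auth\[([^\]]+)\]: server authentication failed")

def parse_authd_debug(text):
    """Return {'challenges': [bytes], 'responses': [bytes], 'auth_failures': {server: count}}."""
    s = {"challenges": [], "responses": [], "auth_failures": {}}
    pending = None  # the list that the next 16-byte hex line belongs to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank lines inside a pair (as on the page) are skipped
            continue
        if line == "Server challenge:":
            pending = s["challenges"]
        elif line == "MD5 response:":
            pending = s["responses"]
        elif pending is not None and HEX16.match(line):
            pending.append(bytes.fromhex(line.replace(" ", "")))
            pending = None
        elif (m := AUTH_FAIL.match(line)):
            s["auth_failures"][m[1]] = s["auth_failures"].get(m[1], 0) + 1
    return s

def diagnose(s):
    """Map the parsed evidence to the next troubleshooting step (labels are this example's own)."""
    if s["auth_failures"]:
        # Challenge received and answered, so TCP/8000 is open; the shared password is what fails.
        return "auth-failed"
    if not s["challenges"]:
        return "no-handshake"   # nothing from the agent: check TCP/8000 and the Windows Firewall
    if len(s["responses"]) < len(s["challenges"]):
        return "incomplete"     # challenge logged but no response sent
    return "ok"
```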

The status is now "Connected", which can be verified once again with the same debug command.

[Screenshot: FSSO external connector showing status "Connected"]

[Screenshot: debug output showing the FSSO server status as "Connected"]

Related KB articles:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-General-troubleshooting-for-FSSO/ta-p/2080...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Useful-FSSO-Commands/ta-p/195830
