Created on 11-30-2023 05:46 AM Edited on 11-13-2024 07:12 AM By Jean-Philippe_P
Description: This article explains why TACACS+ logins on FortiGate can fail when the TACACS+ server is not directly connected to the FortiGate, and how to fix it by raising the connection timeout (500 milliseconds by default) so that the delay on the path to the server no longer causes the login attempt to time out.
Scope: FortiGate.
Solution:
Users sometimes cannot log in with TACACS+ on FortiGate because of the FortiGate's connection timeout, which is 500 milliseconds by default. When the TACACS+ server is not close to the FortiGate, the round-trip delay on the path to it can exceed that value; the connection attempt then times out, the server is treated as unreachable, and the login fails.
With the 500 millisecond timeout in place, the packet capture below shows the connection to the TACACS+ server timing out before the TCP handshake completes:
2023-11-21 13:22:03.510519 test out 10.1.1.1.6042 -> 192.168.1.100.49: syn 888430595
Below is a breakdown of the relevant packets:
Outgoing SYN packet from FortiGate to TACACS+ server (first authentication attempt), sent at 13:22:03.510519.
Incoming SYN-ACK packet from TACACS+ server to FortiGate, received at 13:22:04.328091.
Outgoing RST packet from FortiGate to TACACS+ server, resetting the connection.
Since the RST follows the SYN within less than a second, the FortiGate is almost certainly enforcing its 500 millisecond connection timeout: the timer expires before the SYN-ACK arrives, and when the late SYN-ACK does arrive there is no longer a pending connection for it, so the FortiGate answers it with a RST.
Time difference = timestamp of SYN-ACK − timestamp of SYN
= 2023/11/21 13:22:04.328091 − 2023/11/21 13:22:03.510519
= 0.817572 seconds
So the SYN-ACK arrived approximately 0.82 seconds after the SYN, more than the 500 millisecond (0.5 second) timeout, which is why the FortiGate reset the connection. Raising the connection timeout to 2000 milliseconds (2 seconds) gives the FortiGate enough time to wait for the SYN-ACK from the TACACS+ server without prematurely terminating the connection.
Implementation steps:
config system global
    set ldapconntimeout 2000
end
Note that ldapconntimeout is a global setting that also governs LDAP connections, and that a longer timeout means each login attempt waits correspondingly longer before failing when the server really is down. Choose a value that covers the observed round trip with some headroom rather than an arbitrarily large one.
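As an added worked example (not Fortinet's code and not part of the original article), the following Python script parses FortiGate sniffer output in the format shown above, measures the SYN to SYN-ACK delay of the first TACACS+ handshake, compares it with the configured connection timeout and suggests a value to set. The capture embedded in it is constructed: the SYN line is the one from the article, while the SYN-ACK and RST lines and their sequence numbers are made up so that the SYN-ACK arrives 0.817572 seconds after the SYN, matching the calculation above. It also handles the case where the server never answers at all.

```python
"""Check a TACACS+ TCP handshake captured on a FortiGate against the
connection timeout (ldapconntimeout, default 500 ms, also used for TACACS+).

Added example, not Fortinet code. Input format is that of
'diagnose sniffer packet' with absolute timestamps, as shown in the article.
"""
import math
import re
from datetime import datetime

DEFAULT_TIMEOUT_MS = 500   # FortiGate default for ldapconntimeout
TACACS_PORT = 49

# Constructed sample: the SYN line is the one from the article; the SYN-ACK
# and RST lines (and their sequence numbers) are made up so that the SYN-ACK
# arrives 0.817572 s after the SYN, matching the article's calculation.
SAMPLE_CAPTURE = """\
2023-11-21 13:22:03.510519 test out 10.1.1.1.6042 -> 192.168.1.100.49: syn 888430595
2023-11-21 13:22:04.328091 test in 192.168.1.100.49 -> 10.1.1.1.6042: syn 2476210345 ack 888430596
2023-11-21 13:22:04.328155 test out 10.1.1.1.6042 -> 192.168.1.100.49: rst 888430596
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6}) "
    r"(?P<intf>\S+) (?P<dir>in|out) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) -> (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>.*)$"
)


def parse_sniffer(text):
    """Parse sniffer lines into dicts (timestamp, direction, endpoints, TCP flags).
    Lines that do not look like TCP packets are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        packets.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "dir": m["dir"],
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            # flag words only (syn, ack, rst, ...); sequence numbers are dropped
            "flags": {tok for tok in m["flags"].split() if tok.isalpha()},
        })
    return packets


def _ms_between(a, b):
    """Elapsed milliseconds from datetime a to b, computed in whole microseconds."""
    d = b - a
    return (d.days * 86_400_000_000 + d.seconds * 1_000_000 + d.microseconds) / 1000


def analyze_handshake(packets, timeout_ms=DEFAULT_TIMEOUT_MS, server_port=TACACS_PORT):
    """Inspect the first outgoing connection attempt to server_port.

    status is 'ok' when the SYN-ACK arrives within timeout_ms, 'timeout' when
    it arrives later (the FortiGate has already given up), 'no-syn-ack' when
    the server never answered, or 'no-syn' when no attempt was captured."""
    syn = next((p for p in packets
                if p["dir"] == "out" and p["dport"] == server_port
                and "syn" in p["flags"] and "ack" not in p["flags"]), None)
    if syn is None:
        return {"status": "no-syn"}
    client_port = syn["sport"]
    synack = next((p for p in packets
                   if p["dir"] == "in" and p["sport"] == server_port
                   and p["dport"] == client_port and p["ts"] >= syn["ts"]
                   and {"syn", "ack"} <= p["flags"]), None)
    rst = next((p for p in packets
                if p["dir"] == "out" and p["sport"] == client_port
                and p["ts"] >= syn["ts"] and "rst" in p["flags"]), None)
    if synack is None:
        return {"status": "no-syn-ack", "reset_seen": rst is not None}
    delay = round(_ms_between(syn["ts"], synack["ts"]), 3)
    return {
        "status": "timeout" if delay > timeout_ms else "ok",
        "syn_to_synack_ms": delay,
        "timeout_ms": timeout_ms,
        "reset_seen": rst is not None,
    }


def recommend_timeout_ms(delay_ms, headroom=2.0, step_ms=500):
    """Suggest a timeout: the observed delay with headroom, rounded up to step_ms."""
    return int(math.ceil(delay_ms * headroom / step_ms) * step_ms)


if __name__ == "__main__":
    result = analyze_handshake(parse_sniffer(SAMPLE_CAPTURE))
    print(result)
    if result["status"] == "timeout":
        print("suggested: config system global / set ldapconntimeout",
              recommend_timeout_ms(result["syn_to_synack_ms"]))
```

Feed it the output of a capture such as diagnose sniffer packet any 'host 192.168.1.100 and port 49' 4 0 a (verbosity 4 with absolute timestamps, as in the article's excerpt) taken while a login is attempted. With the sample above it reports a 817.572 ms SYN to SYN-ACK delay, status timeout against the 500 ms default, and suggests 2000 ms, the value the article sets; re-running it with timeout_ms=2000 reports ok. After changing the setting, the FortiGate CLI's diagnose test authserver tacacs+ command can be used to confirm that authentication against the server now succeeds.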
Copyright 2024 Fortinet, Inc. All Rights Reserved.