FortiGate
Hassan09
Staff
Article Id 286891
Description
This article describes and addresses challenges users may encounter when attempting to log in with TACACS+ on FortiGate due to connectivity issues. The solution involves adjusting the connection timeout to accommodate scenarios where the TACACS+ server is not directly linked to FortiGate, resulting in potential delays and login failures.
Scope
FortiGate.
Solution

Users sometimes experience login difficulties with TACACS+ on FortiGate, often attributed to the connection timeout of 500 milliseconds. When the TACACS+ server is not close to the FortiGate on the network path, the added round-trip delay can cause the query to time out, so the server appears unreachable.

Given that the FortiGate device has a connection timeout of 500 milliseconds, and considering the behaviour observed in the packet capture below, it is possible that the connection to the TACACS+ server is timing out before the TCP handshake completes:


2023-11-21 13:22:03.510519 test out 10.1.1.1.6042 -> 192.168.1.100.49: syn 888430595
2023-11-21 13:22:04.328091 test in 192.168.1.100.49 -> 10.1.1.1.6042: syn 2781533727 ack 888430596
2023-11-21 13:22:04.328146 test out 10.1.1.1.6042 -> 192.168.1.100.49: rst 888430596

Below is a breakdown of the relevant packet capture details:

Outgoing SYN Packet from FortiGate to TACACS+ Server (First Authentication Attempt):

Timestamp: 2023-11-21 13:22:03.510519
Action: FortiGate initiates a TCP connection (SYN) to the TACACS+ server on port 49.

Incoming SYN-ACK Packet from TACACS+ Server to FortiGate:

Timestamp: 2023-11-21 13:22:04.328091
Action: The TACACS+ server responds with a SYN-ACK, acknowledging the connection request.

Outgoing RST Packet from FortiGate to TACACS+ Server (Resetting Connection):

Timestamp: 2023-11-21 13:22:04.328146
Action: FortiGate sends a reset (RST) packet, indicating an unexpected termination of the connection.

Given the short timeframe between the SYN packet and the RST packet (less than a second), it is likely that the FortiGate device is enforcing its 500-millisecond connection timeout: the RST follows the SYN-ACK by only 55 microseconds, which is how a host answers a SYN-ACK for a connection attempt it has already abandoned.

Time difference = timestamp of SYN-ACK − timestamp of SYN

Time difference = 2023/11/21 13:22:04.328091 − 2023/11/21 13:22:03.510519
Time difference = 0.817572 seconds

So the time difference between the SYN packet and the SYN-ACK packet is approximately 0.82 seconds, which is greater than 500 milliseconds (0.5 seconds). With the connection timeout extended to 2000 milliseconds (2 seconds), the FortiGate device can wait for the SYN-ACK response from the TACACS+ server without prematurely terminating the connection.
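As an added example (not part of the original article), the following Python script applies the same arithmetic to the sniffer output above: it parses the lines, measures the SYN to SYN-ACK delay and reports whether a given connection timeout would expire before the handshake completes. The capture text is embedded as a constructed sample taken from the article; the script assumes the sniffer line format shown and TACACS+ listening on port 49.

```python
import re
from datetime import datetime
# Constructed sample input: the three FortiGate sniffer lines quoted in the article.
CAPTURE = """\
2023-11-21 13:22:03.510519 test out 10.1.1.1.6042 -> 192.168.1.100.49: syn 888430595
2023-11-21 13:22:04.328091 test in 192.168.1.100.49 -> 10.1.1.1.6042: syn 2781533727 ack 888430596
2023-11-21 13:22:04.328146 test out 10.1.1.1.6042 -> 192.168.1.100.49: rst 888430596
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6}) \S+ (?P<dir>in|out) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) -> (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>.*)$"
)

def parse_capture(text):
    """Parse '<ts> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <flags>' lines; skip others."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        p = m.groupdict()
        p["ts"] = datetime.strptime(p["ts"], "%Y-%m-%d %H:%M:%S.%f")
        p["flags"] = p["flags"].split()  # e.g. ["syn", "2781533727", "ack", "888430596"]
        packets.append(p)
    return packets

def handshake_delay_ms(packets, server_port=49):
    """Milliseconds from the outbound SYN to server_port until the matching SYN-ACK (None if absent)."""
    syn = next((p for p in packets if p["dir"] == "out" and p["dport"] == str(server_port)
                and p["flags"][:1] == ["syn"] and "ack" not in p["flags"]), None)
    if syn is None:
        return None
    synack = next((p for p in packets if p["dir"] == "in" and p["sport"] == str(server_port)
                   and p["dport"] == syn["sport"] and p["flags"][:1] == ["syn"]
                   and "ack" in p["flags"] and p["ts"] >= syn["ts"]), None)
    if synack is None:
        return None
    return (synack["ts"] - syn["ts"]).total_seconds() * 1000.0

def login_would_time_out(delay_ms, conn_timeout_ms):
    """True when the SYN-ACK arrives after the connection timeout expired, or never arrives."""
    return delay_ms is None or delay_ms > conn_timeout_ms

if __name__ == "__main__":
    delay = handshake_delay_ms(parse_capture(CAPTURE))
    for timeout in (500, 2000):  # 500 ms as observed; 2000 ms after raising ldapconntimeout
        print(f"SYN -> SYN-ACK {delay:.3f} ms, timeout {timeout} ms:",
              "login fails" if login_would_time_out(delay, timeout) else "handshake completes")
```

Paste the output of a real `diagnose sniffer packet` run into CAPTURE to check your own server's handshake delay against the timeout you intend to configure.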

Implementation steps:

Follow the steps below to adjust the connection timeout:

conf sys global
set ldapconntimeout 2000
end

In the above, the connection timeout for TACACS+ is extended to 2000 milliseconds (2 seconds), improving the chances of successful user access.
