mle2802
Staff
Article Id 426595
Description This article describes how to troubleshoot issues with the RADIUS server stuck in the connecting state.
Scope FortiGate.
Solution

After configuring a RADIUS server on the FortiGate, the connection status is stuck at pending, and no errors are presented.


Troubleshooting further with a packet sniffer on port 1812 or 1813 and with the fnbamd debug, using the following commands, shows no output.

 

Packet capture:


diagnose sniffer packet any "port 1812 or port 1813" 4 0 l

To start debugging:

 

diagnose debug reset
diagnose debug application fnbamd -1
diagnose debug enable

 

To stop debugging:


diagnose debug reset
diagnose debug disable

 

This issue can be caused by the 'fnbamd' daemon when it shows high CPU utilization and may be stuck as a result. Verify the 'fnbamd' CPU usage using the following command:

FGT1 # diagnose sys top

Run Time:  5 days, 23 hours and 1 minutes
3U, 0N, 0S, 97I, 0WA, 0HI, 0SI, 0ST; 15554T, 12216F
         fnbamd    31318      R      98.0     0.2    6
           node    19006      S       2.5     0.5    7
       bcm.user     1778      S <     2.5     0.2    4
         lnkmtd     2218      S       0.5     0.4    5
         newcli    31308      S       0.5     0.0    5
         httpsd    31310      Z       0.5     0.0    2
            wad     2327      S       0.0     0.8    2
            wad     2328      S       0.0     0.8    4
            wad     2326      S       0.0     0.8    1
            wad     2322      S       0.0     0.8    0


Restarting the 'fnbamd' daemon can help to recover the daemon from its stuck state.


Steps to restart the 'fnbamd' process:

 

  1. First, confirm the process ID of the fnbamd daemon:

 

FGT1 # diagnose sys process pidof fnbamd

4225

 

  2. Restart the daemon:

FGT1 # fnsysctl killall fnbamd

  3. Confirm that the process ID has changed:

     

 

FGT1 # diagnose sys process pidof fnbamd

4247
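The CPU check and the before/after PID comparison described above can be run over a saved CLI session log. The following is an added example, not part of the original article or any Fortinet tooling; the function names, the 90% threshold and the reading of the columns are assumptions, and the sample rows are copied from the output shown earlier.

```python
import re

# Constructed input: rows copied from the `diagnose sys top` output shown above,
# as they would appear in a saved CLI session log.
SAMPLE_TOP = """\
FGT1 # diagnose sys top
Run Time:  5 days, 23 hours and 1 minutes
3U, 0N, 0S, 97I, 0WA, 0HI, 0SI, 0ST; 15554T, 12216F
         fnbamd    31318      R      98.0     0.2    6
           node    19006      S       2.5     0.5    7
       bcm.user     1778      S <     2.5     0.2    4
         httpsd    31310      Z       0.5     0.0    2
"""

# name, PID, state (optionally followed by a priority flag such as "<"),
# CPU %, memory %, and an optional trailing column that is matched but unused.
ROW = re.compile(
    r"^\s*(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<state>[A-Z])(?:\s+(?P<flag>[<N]))?"
    r"\s+(?P<cpu>\d+(?:\.\d+)?)\s+(?P<mem>\d+(?:\.\d+)?)(?:\s+\d+)?\s*$"
)

def parse_top(text):
    """Return one dict per process row; prompt and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"name": m["name"], "pid": int(m["pid"]), "state": m["state"],
                         "flag": m["flag"], "cpu": float(m["cpu"]), "mem": float(m["mem"])})
    return rows

def busy_processes(text, name="fnbamd", cpu_threshold=90.0):
    """Rows for `name` at or above cpu_threshold (the threshold is an assumed value)."""
    return [r for r in parse_top(text) if r["name"] == name and r["cpu"] >= cpu_threshold]

def pid_changed(before, after):
    """Compare two saved `diagnose sys process pidof` outputs; True means restarted."""
    def last_pid(text):
        pids = [int(l) for l in text.splitlines() if l.strip().isdigit()]
        if not pids:
            raise ValueError("no PID found in output")
        return pids[-1]
    return last_pid(before) != last_pid(after)

if __name__ == "__main__":
    for r in busy_processes(SAMPLE_TOP):
        print(f"{r['name']} pid={r['pid']} state={r['state']} cpu={r['cpu']}%")
    print(pid_changed("FGT1 # diagnose sys process pidof fnbamd\n\n4225\n",
                      "FGT1 # diagnose sys process pidof fnbamd\n\n4247\n"))
```
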

  

Refer to this article for instructions on how to find and restart the process: Technical Tip: How to view, verify and kill the processes consuming more memory in the GUI.

Note:
This is only a temporary fix to recover the service; the root cause of the high CPU usage for the specific process must be investigated for a permanent solution. Possible scenarios can include brute force attacks using login to the SSL VPN service, but circumstances may vary.