Created on 09-02-2024 02:31 PM
Edited on 03-14-2025 12:51 PM
By Kush_Patel
Description: This article describes how to resolve SSL VPN authentication errors that occur before the DUO 2FA push is completed.
Scope: FortiClient, DUO.
Solution:
When using DUO with FortiClient, the VPN authentication might fail before the end user completes the DUO MFA push on their mobile device or token. This results in a 'permission denied' error in FortiClient, followed by a DUO push notification that no longer does anything: approving it has no effect, because the FortiGate has already rejected the login.
It is possible to confirm what is occurring by running an fnbamd (authentication daemon) debug on the FortiGate. The commands are (the '-1' argument enables all debug levels for fnbamd):

diagnose debug reset
diagnose debug application fnbamd -1
diagnose debug enable

To stop the debug:

diagnose debug disable
diagnose debug reset
Try to connect. The following is the expected output if the connection to the LDAP server is timing out:

2024-08-26 14:38:22 [594] __ldap_conn_timeout-Connction with LDAP:192.168.x.x timed out.
This issue occurs because the 'ldapconntimeout' timer on the FortiGate is set too low: the FortiGate gives up on the LDAP request before the DUO process finishes, so the authentication expires before the user has had a chance to approve the push. To resolve this, increase the 'ldapconntimeout' timer (the default is 500 milliseconds) with the CLI commands below:

config system global
    set ldapconntimeout <milliseconds>
end

The value for 'ldapconntimeout' can be set between 1 and 300000 (milliseconds). After increasing the timer, run several SSL VPN connection tests and fine-tune the value to suit the VPN users: it must comfortably exceed the time a user typically needs to approve the push, but should not be so large that a genuinely unreachable LDAP server stalls every login for minutes. If the bind still times out after raising it, also check the global 'remoteauthtimeout' setting (in seconds), which limits how long the FortiGate waits for any remote authentication server.
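As an added example (not code from the article or from Fortinet), here is a small Python triage script that scans captured fnbamd debug output for the '__ldap_conn_timeout' line shown above, counts timeouts per LDAP server, and renders a range-checked 'config system global' block for the new timer. The sample debug text is constructed for illustration: only the timeout line format comes from the article; the timer range (1-300000 ms) and default (500 ms) come from the text; the 'suggest_ldapconntimeout' helper and its 1.5x headroom factor are assumptions of this example, not a Fortinet recommendation.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Matches the fnbamd timeout line quoted in the article, e.g.
#   2024-08-26 14:38:22 [594] __ldap_conn_timeout-Connction with LDAP:192.168.x.x timed out.
# "Conn\w+" tolerates both the "Connction" spelling seen in that output and "Connection".
LDAP_TIMEOUT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<pid>\d+)\] __ldap_conn_timeout-Conn\w+ with LDAP:(?P<server>\S+) timed out\.?$"
)

# Range and default of 'set ldapconntimeout' under 'config system global' (milliseconds).
LDAPCONNTIMEOUT_MIN_MS = 1
LDAPCONNTIMEOUT_MAX_MS = 300000
LDAPCONNTIMEOUT_DEFAULT_MS = 500

# Constructed sample debug output (not a real capture). Only the timeout line format is
# taken from the article; the first line is filler standing in for unrelated fnbamd output.
SAMPLE_FNBAMD_DEBUG = """\
2024-08-26 14:37:55 [594] (unrelated fnbamd line, filler)
2024-08-26 14:38:22 [594] __ldap_conn_timeout-Connction with LDAP:192.168.10.5 timed out.
2024-08-26 14:40:03 [594] __ldap_conn_timeout-Connction with LDAP:192.168.10.5 timed out.
2024-08-26 14:41:10 [594] __ldap_conn_timeout-Connection with LDAP:192.168.10.6 timed out.
"""


@dataclass(frozen=True)
class LdapTimeout:
    timestamp: str
    pid: int
    server: str


def parse_ldap_timeouts(debug_output: str) -> list[LdapTimeout]:
    """Return every LDAP connection-timeout event found in fnbamd debug output."""
    events = []
    for line in debug_output.splitlines():
        m = LDAP_TIMEOUT_RE.match(line.strip())
        if m:
            events.append(LdapTimeout(m["ts"], int(m["pid"]), m["server"]))
    return events


def timeouts_per_server(events: list[LdapTimeout]) -> dict[str, int]:
    """Count timeouts by LDAP server address, so a single slow server stands out."""
    return dict(Counter(e.server for e in events))


def validate_ldapconntimeout(ms: int) -> bool:
    """True if ms is an integer inside the range FortiOS accepts for ldapconntimeout."""
    return isinstance(ms, int) and not isinstance(ms, bool) and \
        LDAPCONNTIMEOUT_MIN_MS <= ms <= LDAPCONNTIMEOUT_MAX_MS


def ldapconntimeout_cli(ms: int) -> str:
    """Render the FortiOS CLI block that sets the timer, refusing out-of-range values."""
    if not validate_ldapconntimeout(ms):
        raise ValueError(
            f"ldapconntimeout must be {LDAPCONNTIMEOUT_MIN_MS}-{LDAPCONNTIMEOUT_MAX_MS} ms, got {ms!r}"
        )
    return f"config system global\n    set ldapconntimeout {ms}\nend\n"


def suggest_ldapconntimeout(longest_push_seconds: float, headroom: float = 1.5) -> int:
    """Assumed heuristic: size the timer from the longest measured push-approval time
    (prompt to approval, timed by hand) plus headroom, clamped to the FortiOS range."""
    ms = int(longest_push_seconds * 1000 * headroom)
    return max(LDAPCONNTIMEOUT_MIN_MS, min(ms, LDAPCONNTIMEOUT_MAX_MS))


if __name__ == "__main__":
    events = parse_ldap_timeouts(SAMPLE_FNBAMD_DEBUG)
    for e in events:
        print(f"{e.timestamp} pid={e.pid} LDAP timeout against {e.server}")
    print("timeouts per server:", timeouts_per_server(events))
    proposed = suggest_ldapconntimeout(longest_push_seconds=40)
    print(f"proposed timer (default {LDAPCONNTIMEOUT_DEFAULT_MS} ms): {proposed} ms")
    print(ldapconntimeout_cli(proposed))
```

Feed it the text captured between 'diagnose debug enable' and 'diagnose debug disable'; repeated hits against the same server while users report a dead DUO push are the signature described above, and the rendered block is what you paste into the FortiGate CLI.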
Great, thank you @jguerra!
Well done @jguerra and @MaryBolano, first KA of the month! I encourage you et al. to keep up the good work!