FortiGate
jguerra
Staff
Article Id 338512
Description

This article describes how to resolve SSL VPN authentication errors that occur before the DUO 2FA push is completed.
Scope

FortiClient, DUO.

Solution

When DUO is used with FortiClient, the VPN authentication might fail before the end user approves the DUO MFA push on their mobile or token device. This results in a 'permission denied' error in FortiClient, followed by a DUO push notification that no longer completes the login when approved.


This issue occurs because the 'ldapconntimeout' timer on the FortiGate is set too low, so the LDAP authentication expires before the DUO process finishes. To resolve this, increase the 'ldapconntimeout' timer (the default is 500 milliseconds) with the CLI command below. Because the setting lives under 'config system global', it applies to all LDAP authentication on the unit, not only to SSL VPN.


config system global
    set ldapconntimeout <value in milliseconds>    <- default is 500 milliseconds
end


After increasing the timer, run several SSL VPN connection tests and fine-tune the value so that it covers the time users typically need to approve the DUO push.
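As an added example (not part of the article or Fortinet's code), the helper below turns a set of measured DUO push approval times into a recommended 'ldapconntimeout' value and shows which test runs a given value would still fail; the sample times are constructed, and the percentile and margin are assumptions to adjust for your own environment.

```python
"""Size the FortiGate 'ldapconntimeout' value from measured DUO push times."""
import math

# Constructed sample data: seconds from credential submission in FortiClient
# until the user approved the DUO push, one value per SSL VPN test run.
SAMPLE_PUSH_TIMES_S = [8.2, 11.5, 14.9, 22.3, 17.0, 35.8, 12.7, 19.4, 27.1, 9.6]

DEFAULT_LDAPCONNTIMEOUT_MS = 500  # FortiGate default, as stated in the article


def percentile(samples, pct):
    """Nearest-rank percentile (pct in 0..100) of a non-empty list of samples."""
    if not samples:
        raise ValueError("need at least one sample")
    ordered = sorted(samples)
    rank = max(1, math.ceil(pct / 100.0 * len(ordered)))
    return ordered[rank - 1]


def recommend_timeout_ms(samples_s, pct=95.0, margin_s=10.0):
    """Timeout in ms covering the pct-th percentile push time plus a safety
    margin, rounded up to a whole second (pct and margin are assumptions)."""
    covered_s = percentile(samples_s, pct) + margin_s
    return int(math.ceil(covered_s)) * 1000


def failing_samples(samples_s, timeout_ms):
    """Test runs whose DUO approval would still outlive the given timeout."""
    return [t for t in samples_s if t * 1000 > timeout_ms]


def cli_snippet(timeout_ms):
    """FortiOS CLI lines equivalent to the article's command, with a value."""
    return f"config system global\n    set ldapconntimeout {timeout_ms}\nend"


if __name__ == "__main__":
    still_failing = failing_samples(SAMPLE_PUSH_TIMES_S, DEFAULT_LDAPCONNTIMEOUT_MS)
    print(f"Runs failing at the {DEFAULT_LDAPCONNTIMEOUT_MS} ms default: {len(still_failing)}")
    rec = recommend_timeout_ms(SAMPLE_PUSH_TIMES_S)
    print(f"Recommended ldapconntimeout: {rec} ms")
    print(cli_snippet(rec))
```

Check the resulting value against the maximum your FortiOS version accepts for this setting before applying it.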


Related article:
Technical Tip: Increase the LDAP query timeout

Comments
MaryBolano
Staff

Great, thank you @jguerra !

lpedraza
Staff

Well done @jguerra and @MaryBolano, first KA of the month! I encourage you et al. to keep up the good work!
