Description | This article describes an issue where 2FA stops working after upgrading to 7.2.9. |
Scope | FortiGate 7.2.9. |
Solution |
When using 2FA for SSL VPN users, the window to accept the token code is 30 seconds by default. However, this timer does not apply to the following 2FA types: 'Ftk/email/sms/Fac'. These token types follow the timers configured in the global system settings.
Related article: SSL VPN and two-factor expiry timers
2FA fails because SSL VPN closes the session after 30 seconds instead of following the correct timer for each token type.
The following is an example with FortiToken and local users.
FortiGate values for the SSL VPN timeout and the global timeouts for each 2FA token type:
FGVM04TM24003657 (settings) # get | grep timeout
In the debug output, the session is closed before the token timeout expires:
2024-08-31 16:19:30 [2343:root:c]allocSSLConn:310 sconn 0x7f064f855800 (0:root) -------------> Session created.
When the user enters the token after 30 seconds, the following error is shown (no session information):
2024-08-31 16:20:33 [2342:root:d]rmt_web_auth_info_parser_common:525 no session id in auth info
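To check collected SSL VPN debug output for this symptom, the following added example (not Fortinet code) pairs each 'no session id in auth info' error with the most recent 'Session created' line and reports gaps longer than the 30-second window. It assumes the bracketed prefix is pid:vdom:connection and, because the two lines carry different connection ids, pairs them by VDOM only, which is a heuristic on a busy gateway.

```python
import re
from datetime import datetime

# The two debug lines quoted in this article.
SAMPLE = """\
2024-08-31 16:19:30 [2343:root:c]allocSSLConn:310 sconn 0x7f064f855800 (0:root) -------------> Session created.
2024-08-31 16:20:33 [2342:root:d]rmt_web_auth_info_parser_common:525 no session id in auth info
"""

# Assumed prefix layout: "timestamp [pid:vdom:conn]function:line message".
LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[(\d+):([^:\]]+):([^\]]+)\](\w+):(\d+) (.*)$"
)
WINDOW = 30  # seconds: the default SSL VPN token window described above


def parse(line):
    """Split one debug line into its fields, or return None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, pid, vdom, conn, func, _lineno, msg = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "pid": pid, "vdom": vdom, "conn": conn, "func": func, "msg": msg}


def late_token_events(text, window=WINDOW):
    """Return errors that occur more than `window` seconds after the latest
    session creation seen in the same VDOM."""
    last_created = {}
    findings = []
    for raw in text.splitlines():
        ev = parse(raw)
        if ev is None:
            continue
        if ev["func"] == "allocSSLConn" and "Session created" in ev["msg"]:
            last_created[ev["vdom"]] = ev["ts"]
        elif "no session id in auth info" in ev["msg"]:
            start = last_created.get(ev["vdom"])
            if start is not None:
                gap = int((ev["ts"] - start).total_seconds())
                if gap > window:
                    findings.append({"vdom": ev["vdom"], "gap": gap})
    return findings


if __name__ == "__main__":
    for f in late_token_events(SAMPLE):
        print(f"{f['vdom']}: token submitted {f['gap']}s after session creation")
```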
Note: Open a ticket with TAC to request more information about this issue. |
Copyright 2024 Fortinet, Inc. All Rights Reserved.