Help
FortiManager
FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
smkml
Staff
Staff

Created on ‎03-31-2023 01:44 AM

Article Id 250941

Troubleshooting Tip: Error "recv failed: timeout" for Radius authentication

Description This article describes how to resolve an authentication failure issue using a Radius server as remote authentication in FortiManager/FortiAnalyzer. Debugging shows the error 'recv failed: timeout', followed by 'auth result: denied'.
Scope FortiAnalyzer, FortiManager, Radius Server.
Solution

Before taking the steps in this article, confirm that there is no configuration issue on both sides by verifying configuration details. For example, successfully log in using the same user credentials on FortiGate. 

 

To troubleshoot configuration, refer to the following article:

https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-Configure-RADIUS-for-authentication-an...

 

Troubleshooting:

 

Enable the debug command in the CLI:

 

# diag debug application auth 255  

# diag debug timestamp enable

# diag debug enable

 

Attempt another login.

The expected debug output with this error is as follows:

 

2023-03-31 16:19:29 s23: auth request: user=user1 from=GUI(x.x.x.x)
2023-03-31 16:19:29 s23: wildcard admin: fmguser
2023-03-31 16:19:29 s23: start radius: test
2023-03-31 16:19:29 s23:test: connect to server 0: x.x.x.x ip=x.x.x.x port=1812
2023-03-31 16:19:29 s23:test: send request: type=pap id=8
2023-03-31 16:19:34 s23:test: recv failed: timeout
2023-03-31 16:19:34 s23:test: connect to server 1: x.x.x.x ip=x.x.x.x port=1812
2023-03-31 16:19:34 s23:test: send request: type=pap id=9
2023-03-31 16:19:39 s23: timeout
2023-03-31 16:19:39 s23: auth result: denied

 

Note that the timeout occurs after 5 seconds:

 

2023-03-31 16:19:29 s23:test: send request: type=pap id=8
2023-03-31 16:19:34 s23:test: recv failed: timeout

 

The currently default logic for the timeout is that it occurs after 10 seconds for the entire login process. If a secondary server is configured, there is a 5 second timeout for each server. The error covered by this article primarily occurs due to a premature timeout, which can be fixed by increasing the timeout period.

 

To increase the request timeout period, configure the following global settings in the CLI:

 

# config system global

set remoteauthtimeout <integer value>

 

Afterwards, the connection should succeed and the debug output will appear similar to the following:

 

2023-03-31 16:33:01 s25: auth request: user=user1 from=GUI(x.x.x.x)
2023-03-31 16:33:01 s25: wildcard admin: fmguser
2023-03-31 16:33:01 s25: start radius: test
2023-03-31 16:33:01 s25:test: connect to server 0: x.x.x.x ip=x.x.x.x port=1812
2023-03-31 16:33:01 s25:test: send request: type=pap id=10
2023-03-31 16:33:01 s25:test: got reply: code=accept(2) id=10
2023-03-31 16:33:01 s25:test: success
2023-03-31 16:33:01 s25: wildcard admin matched: fmguser
2023-03-31 16:33:01 s25: auth result: success
288
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.