smkml
Staff
Article Id 250941
Description
This article describes how to resolve an authentication failure when a RADIUS server is used for remote authentication in FortiManager/FortiAnalyzer. Debugging shows the error 'recv failed: timeout', followed by 'auth result: denied'.
Scope
FortiAnalyzer, FortiManager, RADIUS server.
Solution

Before taking the steps in this article, verify the configuration details on both sides to confirm that there is no configuration issue. For example, confirm that the same user credentials log in successfully on FortiGate.

To troubleshoot the configuration, refer to the following article:

https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-Configure-RADIUS-for-authentication-an...

 

Troubleshooting:

Enable the debug command in the CLI:

# diag debug application auth 255
# diag debug timestamp enable
# diag debug enable

Attempt another login.

The expected debug output with this error is as follows:

2023-03-31 16:19:29 s23: auth request: user=user1 from=GUI(x.x.x.x)
2023-03-31 16:19:29 s23: wildcard admin: fmguser
2023-03-31 16:19:29 s23: start radius: test
2023-03-31 16:19:29 s23:test: connect to server 0: x.x.x.x ip=x.x.x.x port=1812
2023-03-31 16:19:29 s23:test: send request: type=pap id=8
2023-03-31 16:19:34 s23:test: recv failed: timeout
2023-03-31 16:19:34 s23:test: connect to server 1: x.x.x.x ip=x.x.x.x port=1812
2023-03-31 16:19:34 s23:test: send request: type=pap id=9
2023-03-31 16:19:39 s23: timeout
2023-03-31 16:19:39 s23: auth result: denied

 

Note that the request to the first server times out after 5 seconds:

2023-03-31 16:19:29 s23:test: send request: type=pap id=8
2023-03-31 16:19:34 s23:test: recv failed: timeout

 

By default, the timeout applies to the entire login process and occurs after 10 seconds. If a secondary server is configured, each server gets a 5-second timeout. The error covered by this article primarily occurs due to a premature timeout, which can be fixed by increasing the timeout period.

To increase the request timeout period, configure the following global setting in the CLI:

# config system global
set remoteauthtimeout <integer value>
end

Afterwards, the connection should succeed and the debug output will appear similar to the following:

2023-03-31 16:33:01 s25: auth request: user=user1 from=GUI(x.x.x.x)
2023-03-31 16:33:01 s25: wildcard admin: fmguser
2023-03-31 16:33:01 s25: start radius: test
2023-03-31 16:33:01 s25:test: connect to server 0: x.x.x.x ip=x.x.x.x port=1812
2023-03-31 16:33:01 s25:test: send request: type=pap id=10
2023-03-31 16:33:01 s25:test: got reply: code=accept(2) id=10
2023-03-31 16:33:01 s25:test: success
2023-03-31 16:33:01 s25: wildcard admin matched: fmguser
2023-03-31 16:33:01 s25: auth result: success
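
The following Python script is an added example, not Fortinet code and not part of the original article. It parses the auth debug output shown above, measures how long each RADIUS request waited, and lists the sessions that were denied only because every request timed out. The line layout is assumed from the outputs in this article, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Excerpts of the two debug outputs shown in this article (addresses masked as on the page).
LOG = """\
2023-03-31 16:19:29 s23: auth request: user=user1 from=GUI(x.x.x.x)
2023-03-31 16:19:29 s23:test: send request: type=pap id=8
2023-03-31 16:19:34 s23:test: recv failed: timeout
2023-03-31 16:19:34 s23:test: send request: type=pap id=9
2023-03-31 16:19:39 s23: timeout
2023-03-31 16:19:39 s23: auth result: denied
2023-03-31 16:33:01 s25: auth request: user=user1 from=GUI(x.x.x.x)
2023-03-31 16:33:01 s25:test: send request: type=pap id=10
2023-03-31 16:33:01 s25:test: got reply: code=accept(2) id=10
2023-03-31 16:33:01 s25: auth result: success
"""

LINE = re.compile(r"^(\S+ \S+) (s\d+):(?:(\w+):)? (.*)$")  # time, session, RADIUS entry, message

def summarize(log):
    """Per session: final result, total seconds, and (request id, outcome, seconds) per request."""
    sessions = {}
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        s = sessions.setdefault(m.group(2), {"start": ts, "pending": None, "attempts": [], "result": None})
        msg = m.group(4)
        if msg.startswith("send request:"):
            s["pending"] = (int(re.search(r"id=(\d+)", msg).group(1)), ts)
        elif s["pending"] and (msg.startswith("got reply:") or msg.endswith("timeout")):
            rid, sent = s["pending"]
            outcome = "reply" if msg.startswith("got reply:") else "timeout"
            s["attempts"].append((rid, outcome, (ts - sent).total_seconds()))
            s["pending"] = None
        elif msg.startswith("auth result:"):
            s["result"] = msg.split(": ", 1)[1]
            s["total_s"] = (ts - s["start"]).total_seconds()
    return sessions

def timeout_only_denials(sessions):
    """Sessions denied without any server reply: every request ended in a timeout."""
    return [sid for sid, s in sessions.items() if s["result"] == "denied"
            and s["attempts"] and all(o == "timeout" for _, o, _ in s["attempts"])]

if __name__ == "__main__":
    report = summarize(LOG)
    print(timeout_only_denials(report), {k: v["attempts"] for k, v in report.items()})
```

A session returned by timeout_only_denials never received a reply from any server, which is the pattern this article addresses. The per-request seconds show how long each server was given before the attempt was abandoned.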
