spanz
New Contributor III

Can't contact LDAP server

Hi,

I'm managing 30 branches, all connected via MPLS and running FGTs as firewalls.

There's a main site with a DC (10.7.7.80).

I wanted to authenticate fortigate administrators via LDAPS and use their AD accounts for login.

However, it is working in some of the sites, and not working on the rest.

If I check the logs on the main site, I can see that the packet is accepted:

[screenshot: spanz_0-1637742221511.png]

but I can also see this session timeout if I click on this log line:

[screenshot: spanz_1-1637742288015.png]

Some of the FGTs are able to contact the DC; when I look at their logs, they look the same, just without this "session timeout".

I tried to increase the LDAP query timeout on the appliances which have this problem:

 set remoteauthtimeout 15
 set ldapconntimeout 8000

but it is still the same.

I will appreciate any help and advice.

Thanks!

1 Solution
spanz

You're right, sir.

I already fixed it; I thought I had locked this post.

Thank you

4 Replies
Shivasagar
Staff

Hi. You can try the debugging mentioned in the KB below for additional details when the login fails.

https://community.fortinet.com/t5/FortiGate/Technical-tip-How-to-create-administrators-which-can-be/...

# diag debug enable
# diag debug application fnbamd -1

// Try the login that fails //

# diag debug disable

ConnyGustavsson

Hi. Could it be that not all the "WAN link" subnets in MPLS are "known"/distributed in routing? Try pinging the AD server from a failing firewall. If there is a problem, try adding a "source-ip" in the CLI for the LDAP config, using one of the LAN interface IPs. /Conny

cogus
The_Physicist

source-ip works in many cases.
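As an added example (not configuration posted by anyone in this thread or shipped by Fortinet), the following FortiOS CLI fragment pulls together the two suggestions above: pin the LDAP queries to a LAN address with `set source-ip`, and verify from the same CLI with a ping from that source, a packet capture, and a bind test, before relying on the fnbamd debug. Only the DC address 10.7.7.80 comes from the thread; the object name "AD-LDAPS", the branch LAN address 10.20.1.1, the base DN, the bind account and the CA certificate name "AD-Root-CA" are placeholders you must replace.

```fortios
# Added example. Assumed values: LDAP object "AD-LDAPS", branch LAN IP 10.20.1.1,
# base DN "DC=example,DC=local", bind account "svc-fgt-ldap", CA cert "AD-Root-CA".
config user ldap
    edit "AD-LDAPS"
        set server "10.7.7.80"
        # LDAP over TLS on 636; ca-cert lets the FortiGate validate the DC certificate
        set secure ldaps
        set port 636
        set ca-cert "AD-Root-CA"
        set cnid "sAMAccountName"
        set dn "DC=example,DC=local"
        set type regular
        set username "CN=svc-fgt-ldap,OU=Service Accounts,DC=example,DC=local"
        set password "<bind-password>"
        # Queries leave from the LAN address instead of the WAN/MPLS interface,
        # so the DC side only needs a return route to the branch LAN subnet
        set source-ip 10.20.1.1
    next
end

# 1. Reachability from the same source address the LDAP client will use
execute ping-options source 10.20.1.1
execute ping 10.7.7.80

# 2. Watch the TCP handshake: a SYN with no SYN-ACK means a routing/return-path problem,
#    not an authentication problem (the policy log already shows the packet was accepted)
diagnose sniffer packet any "host 10.7.7.80 and port 636" 4

# 3. Bind test through the configured object; success here rules out the connection timeout
diagnose test authserver ldap "AD-LDAPS" <test-user> <test-password>
```

Comment lines starting with `#` are explanatory; strip them if you paste the block into a CLI script. If step 2 shows the SYN leaving but no reply, fix routing for the chosen source subnet on the MPLS side rather than raising `ldapconntimeout` further, since a larger timeout only delays the same failure.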
