Vishalv16
New Contributor

FSSO users randomly lose internet connectivity; internet works after logout-login or restart

We have 2 domain controllers active, and both have the FSSO client installed as well as the collector agent. The issue is that a few users face random internet loss while working; it works fine after logout-login or a restart.

Note: these are my findings:

1) Users are facing issues after a particular time, like 8 hrs. I assumed that could be the dead entry timeout in FSSO, which is 480 mins, so I changed it to 600 mins; there is still an issue.
2) I also disabled the group cache; still having an issue.
3) Only one user is facing an issue sometimes after 30-40 mins.
4) The FSSO client which is actively connected to the FortiGate is set as the Secondary FSSO on the FortiGate device.
5) One more thing I did not understand is that some users are getting Status as Not Verified in one of the FSSO clients' logon user details; a screenshot of the same is attached.

I am not able to understand what exactly the issue is. I have attached a screenshot of my FSSO client settings.

Thanks in advance,
Vishal

FGT100E, FGT100D, FGT300C, FGT300E
FortiOS 5.2, 5.4, 5.6, 6.0, 6.0.2 and 6.2

ShawnZA
Contributor II

Are those ports still open on the PCs that get the Status Not Verified?

 

Workstation verify interval

This determines the poll interval for the collector connecting to the workstation (via TCP 139, 445) to verify the user is still logged in. Therefore, the machine which is running the FSSO Collector must have firewall access to the workstations on TCP ports 139 and 445, and the workstation must have remote registry services running.

If you look within the “Show logon users” as shown below, you can see the users which are verified with status OK. Where the Status column displays “Not Verified”, this demonstrates that either:

  • The collector hasn’t yet checked to see the user is still logged on
  • The machine is still connected but does not have the appropriate ports open or accessible
  • The machine is no longer on the network and cannot be communicated with, e.g. a laptop has been unplugged from the Ethernet cable and has been taken offsite.

     

    https://forticheats.wordpress.com/2017/05/04/fortinet-fsso-architecture/
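
The prerequisites listed in the reply above can be checked from the Collector Agent host. This is an added example, not part of the original post and not Fortinet code: it probes TCP 139 and 445 and queries the Remote Registry service for each workstation. The function name and the sample host names are hypothetical, and it assumes Windows PowerShell 5.1 run under an account allowed to query services remotely.

```powershell
# Added example (not Fortinet code). Run on the FSSO Collector Agent host in
# Windows PowerShell 5.1; Get-Service -ComputerName does not exist in PowerShell 7.
function Test-FssoWorkstation {            # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($ws in $ComputerName) {
        # TCP 139 and 445: the ports the collector uses for workstation verification.
        $open = @{}
        foreach ($port in 139, 445) {
            $probe = Test-NetConnection -ComputerName $ws -Port $port -WarningAction SilentlyContinue
            $open[$port] = [bool]$probe.TcpTestSucceeded
        }

        # Remote Registry must be running on the workstation. The query fails when
        # the remote service control manager is unreachable or access is denied.
        try {
            $svc = (Get-Service -ComputerName $ws -Name RemoteRegistry -ErrorAction Stop).Status.ToString()
        } catch {
            $svc = 'QueryFailed'
        }

        if (-not ($open[139] -or $open[445])) {
            $finding = 'Offline, or both ports blocked'
        } elseif (-not ($open[139] -and $open[445])) {
            $finding = 'One port blocked or filtered'
        } elseif ($svc -ne 'Running') {
            $finding = 'Ports open, Remote Registry not running'
        } else {
            $finding = 'Prerequisites met'
        }

        [pscustomobject]@{
            Workstation    = $ws
            TCP139         = $open[139]
            TCP445         = $open[445]
            RemoteRegistry = $svc
            Finding        = $finding
        }
    }
}

# Constructed sample names; replace with the hosts shown as "Not Verified".
Test-FssoWorkstation -ComputerName 'WKST-EXAMPLE-01', 'WKST-EXAMPLE-02' | Format-Table -AutoSize
```

Running it on each Collector Agent host separately shows whether the two collectors see the same workstation differently.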

     

  • Vishalv16

    Thanks ShawnZA for the quick reply. The local firewall is off on all the computers, so all ports are open, but I suppose they don't have access to the WMI service; that I need to confirm with my server engineer. Any possibilities for this issue to happen?

    Note: we have 2 DCs and both have an FSSO client installed. On the secondary DC (this is set up as primary on the FortiGate side) I can see the status OK, but on the primary DC (this is currently connected to the FortiGate firewall to auth) for a few it shows Not Verified.

    Alivo__FTNT

    Hello Vishal,

     

    Further to what ShawnZA wrote:

     

    1.  One way to find out if "Not verified" is the issue is to set Dead Entry Timer to 0

    2.  Not much related

    3. What about logon override by service accounts?

     

    For example: a user logs in to his PC with his domain logon; a few minutes later an antivirus updates its signatures using another account for it. Result: original user not found anymore on that wkst. Remedy? Ignore list in Collector Agent for all service accounts.

    4. Does not matter at all; just make sure both Collector Agents have the same config.

    5. https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD31772&sliceId=...

    6. Extra point > DNS/DHCP issues (responsible for some 80% of FSSO issues not done by misconfig). Make sure the DNS servers have the same IP addresses and are properly updated.

     

    Are users changing networks > wire x wireless?

    If yes, then point 6 could matter.

     

    Best Regards,

    Alivo


    Vishalv16

    Hi Alivo, thanks for the information.

    1. I can't do it as many users are active right now; I will try to do it on the weekend.
    3. Multi-user PCs are there, but they don't log in at the same time; each user works in different shifts (no 2 users log in at the same time).
    6. We only have a wired LAN network, no wireless.

    I will let you know if I find anything else.

    Thanks,
    Vishal
