Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
SFW
New Contributor

Created on ā€Ž07-17-2025 05:10 AM Edited on ā€Ž07-17-2025 05:12 AM

Active Directory Connector cannot connect but the LDAP is connected is successfully

FortiGate-81F # diagnose debug fsso-polling detail
AD Server Status(err: server can not be accessible):
ID=1, name(172.18.0.1),ip=172.18.0.1, port=0, source(security), users(IPv4:0, IPv6:0),
username=swd\lcloperator2
read log eof=0, latest logon timestamp: Thu Jan 1 03:00:00 1970

polling frequency: every 10 second(s), success(0), fail(106)
LDAP status: init

LDAP query: success(0), fail(0)
LDAP max group query period(seconds): 0


this is branch location firewall the AD is in DC location 
also i checked the Fortinet documents but still i didn't find any solution 
can you please help me on this 

Note: Agentless polling mode

Labels:
470
0 Kudos
1 Solution
sjoshi
Staff
Staff

Created on ā€Ž07-20-2025 02:41 AM

Hi,

 

Please refer below article and follow the tshoot steps:-

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-troubleshoot-FSSO-agentless-p...

 

You may share the sniff.

Check communication between FortiGate and the DC on TCP port 445.

 

diagnose sniffer packet any "host <DC IP> and port 445" 4 0 a

 

Also how branch FGT is communicating with the DC FGT via IPSEC TNL? 

If you have found a solution, please like and accept it to make it easily accessible to others.
Fortinet Certified Expert (FCX) | #NSE8-003459
Salon Raj Joshi

View solution in original post

348
12 REPLIES 12
AEK
SuperUser
SuperUser

Created on ā€Ž07-17-2025 06:58 AM

Your FGT seems not able to connect to your DC.

Go to menu User & Device > LDAP Server, then edit the related LDAP server config.

You will probably find "Connection status: Can't contact LDAP server".

You will need to fix this before doing FSSO.

AEK
AEK
374
0 Kudos
SFW
New Contributor
In response to AEK

Created on ā€Ž07-20-2025 12:19 AM

 

Screenshot 2025-07-20 101648.png

 

its showing Connection is Success but the external is not connected 

 

336
0 Kudos
sjoshi
Staff
Staff

Created on ā€Ž07-20-2025 02:41 AM

Hi,

 

Please refer below article and follow the tshoot steps:-

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-troubleshoot-FSSO-agentless-p...

 

You may share the sniff.

Check communication between FortiGate and the DC on TCP port 445.

 

diagnose sniffer packet any "host <DC IP> and port 445" 4 0 a

 

Also how branch FGT is communicating with the DC FGT via IPSEC TNL? 

If you have found a solution, please like and accept it to make it easily accessible to others.
Fortinet Certified Expert (FCX) | #NSE8-003459
Salon Raj Joshi
349
SFW
New Contributor
In response to sjoshi

Created on ā€Ž07-21-2025 06:02 AM Edited on ā€Ž07-21-2025 06:04 AM

Note:-Yes its via IPSEC TNL its Dailup VPN we created 

 

 

RBH-FGT1 # diagnose sniffer packet any "host 172.18.0.1 and port 445" 4
interfaces=[any]
filters=[host 172.18.0.1 and port 445]
6.889776 RABIK_TO_HUB1 out 192.168.2.83.10040 -> 172.18.0.1.445: syn 2697289446
7.887064 RABIK_TO_HUB1 out 192.168.2.83.10040 -> 172.18.0.1.445: syn 2697289446
9.887067 RABIK_TO_HUB1 out 192.168.2.83.10040 -> 172.18.0.1.445: syn 2697289446
^C
3 packets received by filter
0 packets dropped by kernel


271
0 Kudos
sjoshi
Staff
Staff
In response to SFW

Created on ā€Ž07-21-2025 06:40 AM

from the pcap shown here the traffic is leaving the branch FGT but there is no response back.you can take same sniff on the HUB FGT and see if it is receiving the traffic and replying back 

Verify firewall policy on hub side

If you have found a solution, please like and accept it to make it easily accessible to others.
Fortinet Certified Expert (FCX) | #NSE8-003459
Salon Raj Joshi
238
0 Kudos
AEK
SuperUser
SuperUser

Created on ā€Ž07-21-2025 05:57 AM

Which FortiOS version?

AEK
AEK
290
0 Kudos
SFW
New Contributor
In response to AEK

Created on ā€Ž07-21-2025 06:00 AM

7.4.7

280
0 Kudos
AEK
SuperUser
SuperUser
In response to SFW

Created on ā€Ž07-21-2025 06:07 AM

I see you are are using IP in the LDAP server config.

Can you try use hostname with certificate instead?

AEK
AEK
266
0 Kudos
SFW
New Contributor
In response to AEK

Created on ā€Ž07-21-2025 06:11 AM

LDAP connection is success but the External AD communication is not working 

 

Screenshot 2025-07-21 160950.png

259
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.