Hi,
I'm managing 30 branches, all connected via MPLS and running FGTs as firewalls.
There's a main site with a DC (10.7.7.80).
I wanted to authenticate fortigate administrators via LDAPS and use their AD accounts for login.
However, it is working in some of the sites, and not working on the rest.
If I check the logs on the main site, I can see the packet is accepted
but I can also see this session timeout if I click on this line of log:
Some of the FGTs are able to contact the DC, when I look on their logs, it looks the same just without this "session timeout".
I tried to increase the ldap query timeout on appliances which have this problem:
set remoteauthtimeout 15
set ldapconntimeout 8000
but still the same.
Will appreciate any help and advice.
Thanks!
Hi, You can try the debugging mentioned in the below KB for additional details when the login fails.
# diag debug enable
# diag debug application fnbamd -1
// Try login which fails//
# diag debug disable
Hi. Could it be so that not all the "WAN link" subnets in MPLS are "known"/distributed in routing? Try to ping the AD server from a failing firewall. If there is a problem, try to add a "source-ip" in CLI for the LDAP config using one of the LAN interface IPs. /Conny
source-ip works in many cases.
You're right, sir.
I already fixed it, I thought I had locked this post.
Thank you
Adding source-ip to the LDAP config fixed it for me too.
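The fix the thread converges on, written out as FortiOS CLI together with the reachability check Conny suggests and the admin mapping the original poster wanted. This is an added example, not configuration from any poster; the object name AD-DC, the LAN address 192.0.2.1, the bind DN and the group DN are assumed placeholders, while 10.7.7.80 is the DC from the original post.

```fortios
# Added example, not from the thread. Placeholders: "AD-DC", 192.0.2.1 (a LAN
# interface IP on the branch FGT), the bind account, and the group DN.

# 1. Check reachability the way the DC will see it: source the ping from the
#    LAN IP rather than the WAN/MPLS link address, which may not be routed back.
execute ping-options source 192.0.2.1
execute ping 10.7.7.80

# 2. LDAPS server object, with queries sourced from the LAN interface address.
config user ldap
    edit "AD-DC"
        set server "10.7.7.80"
        set secure ldaps
        set port 636
        set cnid "sAMAccountName"
        set dn "DC=example,DC=local"
        set type regular
        set username "CN=svc-fgt-ldap,OU=Service Accounts,DC=example,DC=local"
        set password <bind-password>
        set source-ip 192.0.2.1
    next
end

# 3. Map one AD group to FortiGate administrators instead of granting all users.
config user group
    edit "FGT-Admins"
        set member "AD-DC"
        config match
            edit 1
                set server-name "AD-DC"
                set group-name "CN=FGT-Admins,OU=Groups,DC=example,DC=local"
            next
        end
    next
end

config system admin
    edit "ad-admins"
        set remote-auth enable
        set accprofile "super_admin"
        set wildcard enable
        set remote-group "FGT-Admins"
    next
end

# 4. Verify the bind and group lookup before relying on it for admin login.
diagnose test authserver ldap AD-DC <test-user> <test-password>
```

If step 1 fails from the LAN IP as well, the problem is routing between the branch LAN and the DC, not the LDAP object.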
Copyright 2024 Fortinet, Inc. All Rights Reserved.