Can't contact LDAP server

spanz · ‎11-24-2021

Hi,

I'm managing 30 branches, all connected via MPLS and running FGTs as firewalls.

There's a main site with a DC (10.7.7.80).

I wanted to authenticate fortigate administrators via LDAPS and use their AD accounts for login.

However, it is working in some of the sites, and not working on the rest.

If i check the logs on the main site, I can see the packet is accepted

but I can also see this session timeout if I click on this line of log:

Some of the FGTs are able to contact the DC, when I look on their logs, it looks the same just without this "session timeout".

I tried to increase the ldap query timeout on appliances which have this problem:

set remoteauthtimeout 15

set ldapconntimeout 8000

but still the same.

Will appreciate any help and advices.

Thanks!

spanz · ‎11-28-2021

You right sir.

I already fixed it, I thought I have locked this post.

Thanks you

View solution in original post

Shivasagar · ‎11-24-2021

Hi, You can try the debugging mentioned in the below KB for additional details when the login fails.

https://community.fortinet.com/t5/FortiGate/Technical-tip-How-to-create-administrators-which-can-be/...

# diag debug enable
# diag debug application fnbamd -1

// Try login which fails//

# diag debug disable

ConnyGustavsson · ‎11-26-2021

Hi. Could it be so that not all the "WAN link" subnets in MPLS are "known"/distributed in routing? Test to ping the AD server from a failing firewall. If problem, try to add a "source-ip" in CLI for the LDAP config using one of the LAN interface IPs. /Conny

cogus

The_Physicist · ‎11-26-2021

source-ip works in many cases.

spanz · ‎11-28-2021

You right sir.

I already fixed it, I thought I have locked this post.

Thanks you

gixxerlegend · ‎10-17-2024

adding source-ip to the ldap config fixed it for me too.

Can't contact LDAP server

Nominate a Forum Post for Knowledge Article Creation