I have a 300C cluster in active-active config running 5.2.13
AT one stage, my CPU usage constantly stays at 99%, rarely dropping. This was for about 2 years.
I tried firmware upgrades from 5.2.2 -> 5.2.9 ->5.2.13. Nothing worked.
I checked the CPU usage via cli and saw authd taking up more that 50-60% . In total my usage was 99%.
I unticked NTLM authentication on the 3 FSSO Agents. No effect.
I ran some commands under config user setting;
I increased auth-blackout-time to 300 -> that helped to bring the CPU usage down to around 50-70% total BUT I still experience the 2nd issue. NOT all my domain users are granted internet access even though they are listed in the FSSO Agent logon users list AND on FortiGate under the users passed to FortiGate by the FSSO Agent. I have 3 DCs and FSSO Agent on all of them in sync, FSSO Agents running with DC-Agents and Advanced Directory Access mode.
They exhibit the same behavior, they cannot access the authentication portal on port 1000/1003 even though they can telnet the FortiGate IP on that port. Just throws up a Page Cannot be displayed error. Some I get to work by releasing/renewing their IP via IP config command. Some eventually brings up the authentication page after a long time. Others just refuse. I noticed that if the affected user logs onto another domain machine, everything is fine BUT if any user tried to login the affected machine, they experience the same issue.
I logged a ticket with Fortinet Support but they couldn't assist me:
They said I must upgrade to Firmware 5.2.15, I am not sure that will help as they didn't checked for the FSSO issues, as high CPU usage by authd clearly shows that the issue might be related to FSSO. My point is, this issue remained over 3 different firmware versions, what guarantee will I have it being fixed in the latest one. I think my FSSO config might be the issue.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
if you state you do have FSSO working then why do you mix passive auth via FSSO with active authentication via NTLM ? Ports 1000/1003 are used by FGT as destination where to redirect client (portal) for active authentication. Redirect also contain additional parameters to identify and distinguish between sessions. It is not expected to be used directly.
Maybe check your auth setup and simplify it if possible.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1711 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.