Have you guys encountered issue when you have an active-standby HA Units with FSSO enabled (FSSO agent on Domain Joint Machine)

My Setup Brief:

Code:5.4.2

FSSO Agent (Not DC Agent Directly get from fortinet support site): 5.0.0251

FSSO polling method: FSSO Agent Polling (Advanced mode, very important since I ran through a lot of reading said the new code required advanced mode rater standard which support older code like 5.2.x)

Agent Installed: 2012 r2 (2 Agents on the network)

DC: 2008 r2 (2DC on the network)

Network: all FSSO Agent Machine, DC are in same subnet, with an A-P HA Fortigate 600D also has the interface on DC,FSSO agent subnet

Agent is functional with logon user displayed around a 1000+ users

Issue:

When failover occur, FSSO Users on Firewall has almost the same amount of User ~9xx - 1xxx. After 5 - 10mins the user amount dropped to 1x~7X users and identity based policy stopped working.

Debug:

I tried this command

diag debug authd fsso list

It shows almost all users information on cli by the time the GUI only shown 1x~7X users

I ran through all this kb told (just use fsso for those command instead fase)

http://kb.fortinet.com/kb/viewContent.do?externalId=FD31819

Still no Luck

Workaround:

Glad that I am lucky to have a workaround for this situation.

Simply go to the FSSO agent GUI > show logon user > Clear User cache 

After another 5 - 10 mins, user will finally get back on firewall user GUI and the event log will not showing IPs but User name again.

If there are any solution or suggest required my partial configuration, I m happy to share.

But if that is the fact of FSSO working on HA pairs, will that be a big problem.

I m new to Fortigate so I may have mistake on configuration and please enlighten me.