Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
rezafathi
Contributor II

FSSO users disconnects frequently

Hi

 

I give my users access to internet based on their FSSO credentials from AD but i think login session disconnects after 15 min and the user should sign out and sign in again in order to access the internet. how can I solve this issue?

Reza F.
Reza F.
12 REPLIES 12
AEK
SuperUser
SuperUser

Hi Reza

I hope the following can help:

AEK
AEK
AntonyChen
New Contributor III

show the the config 

type

config user setting

then
show full configuration

rezafathi

config user setting
set auth-type http https ftp telnet
set auth-cert "Fortinet_Factory"
set auth-ca-cert ''
set auth-secure-http disable
set auth-http-basic disable
set auth-ssl-allow-renegotiation disable
set auth-src-mac enable
set auth-on-demand implicitly
set auth-timeout 5
set auth-timeout-type idle-timeout
set auth-portal-timeout 3
set radius-ses-timeout-act hard-timeout
set auth-blackout-time 0
set auth-invalid-max 5
set auth-lockout-threshold 3
set auth-lockout-duration 0
set per-policy-disclaimer disable
set auth-ssl-min-proto-version default
unset auth-ssl-max-proto-version
set auth-ssl-sigalgs all
set default-user-password-policy ''
end

Reza F.
Reza F.
dbu

I see you have "auth-timeout 5" which forces user to re authenticate every 5 minutes. Is the disconnect really happening every 15 or in 5 minutes ? 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Explanation-of-auth-timeout-types-for-Fire...

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
rezafathi
Contributor II

The setting you are mentioning is for firewall users not fsso users. I am using fsso. How can i set time out for fsso users? 

Reza F.
Reza F.
AntonyChen
New Contributor III

If you use fsso this is for ad or fsso agent

config user fsso
    edit "xxxx"
        set logon-timeout xx
    next


default is 5 minutes, but arccoding to fortinet
The logon-timeout option is used to manage how long authenticated FSSO users on the FortiGate will remain on the list of authenticated FSSO users when a network connection to the collector agent is lost.

in my network i use fsso single signon with collector agent (previous i use Ad polling but this is not stable and use high resource on firewall)
and if you continue to use the pc , no timeout 
also on fsso-polling  the default timeout is 8 hour
config user fsso-polling
    edit 1
        set logon-history <int> (0-48)
    next
end

Pls check again your config

rezafathi

Hi,

 

i set the logon-timeout to 120 min but still i am disconnecting every 5 minutes.

Reza F.
Reza F.
AEK
SuperUser
SuperUser

Hi

First you have to know if the issue is on FG or on the FSSO agent.

To check that, see if the disconnected users are still visible on the FSSO agent.

Open FSSO agent console and click the "show logon users" button, then see if the disconnected users are listed there or not. If they are not listed then the issue is on FSSO agent.

AEK
AEK
rezafathi
Contributor II

Hi

In show logon users i can not see logged out user. What would be the problem?

Reza F.
Reza F.
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors