Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
seanmd
New Contributor II

FortiGate 80F and MFA Issues

It's been nearly a year since I moved from Cisco to Fortinet and I have to say MFA is extremely buggy. Currently running v7.4.1 build2463. We are using LDAP to create our user accounts and then add the user into a local user group on the FortiGate, then finally enabling two-factor. We will run into issues where a user will be entering in the correct username, password, and MFA token but a (using FortiTokens) message like VPN server is unreachable is thrown on the client side. I've tried debugging with no luck and I've also had a few tickets opened with support and once again no resolution. Starting to think I should have never switched to Fortinet. The only fix we can come up with is to disable MFA and then reboot the device and then the user can finally connect but only using only password authentication. Has anyone else dealt with this issue and if so what was your fix? I can't be the only one with this problem. Thanks in advance!

Sean Donnelly
Sean Donnelly
11 REPLIES 11
akumar02
Staff
Staff

Hello Sean,

I am sorry to hear about your experience with MFA. 
Did you try to increase the remoteauthtimeout on Fortigate?
# config system global
    set remoteauthtimeout <1-300s>
end
The default timer is 5 seconds only and if you are using the Remote users to authenticate with Fortitoken, the athentication can timeout. 
Kindly refer to this article for reference:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SSL-VPN-and-two-factor-expiry-timers....

I would also recommend testing with your Fortigates Local Users as well. 

Best Regards,
. . . . . . . . . . . . . . . . . . . . . . . .
Arun Kumar | TAC Engineer II
FORTINET TAC - America EAST
NSE Certified: FCA, FCF, FCP-NS, FCSS-NS
Office Hours: 9AM-6PM EST (Tue-Sat)
Contact: https://fortinet.com/support-and-training/support/contact.html
Community Forum: https://community.fortinet.com
# Is there anything Fortinet could have assisted with further, better, or differently?
# Simply request a Manager follow-up
seanmd
New Contributor II

Thank you I believe I did this along with username sensitivity set to disable. I will check right now and report back.

Sean Donnelly
Sean Donnelly
akumar02

Thank you. Kindly keep us posted. 

Best Regards,
. . . . . . . . . . . . . . . . . . . . . . . .
Arun Kumar | TAC Engineer II
FORTINET TAC - America EAST
NSE Certified: FCA, FCF, FCP-NS, FCSS-NS
Office Hours: 9AM-6PM EST (Tue-Sat)
Contact: https://fortinet.com/support-and-training/support/contact.html
Community Forum: https://community.fortinet.com
# Is there anything Fortinet could have assisted with further, better, or differently?
# Simply request a Manager follow-up
seanmd
New Contributor II

I think this is good?

2024-01-04 11_28_54-FortiGate - RRK-Fortigate-2.png

Sean Donnelly
Sean Donnelly
akumar02
Staff
Staff

Yes, this looks good. now you can test it.
I wonder if you have Webmode in SSL VPN as well. Just in case this is something related to the FortiClient only. You can test your user in SSL VPN Web mode.
----

Arun

Best Regards,
. . . . . . . . . . . . . . . . . . . . . . . .
Arun Kumar | TAC Engineer II
FORTINET TAC - America EAST
NSE Certified: FCA, FCF, FCP-NS, FCSS-NS
Office Hours: 9AM-6PM EST (Tue-Sat)
Contact: https://fortinet.com/support-and-training/support/contact.html
Community Forum: https://community.fortinet.com
# Is there anything Fortinet could have assisted with further, better, or differently?
# Simply request a Manager follow-up
Sheikh
Staff
Staff

Hello @seanmd ,

 

The values looks fine. Please also check the latency between Fortigate and domain controllers; if they are on the same site then these values should be fine. Moreover, these debugs will help you see what is happening during authentication.

 

diagnose debug console timestamp enable

diagnose debug app fnbamdd -1

diagnose debug app sslvpn -1

diagnose debug enable

 

****reproduce the issue****

 

regards,

 

Sheikh

**If you come across a resolution, kindly show your appreciation by liking and accepting it, ensuring its accessibility for others**
seanmd
New Contributor II

Thank you! I will reach out to the user who was having problems this morning and I will turn two-factor back on and test with him. The web mode SSLVPN is disabled per our cyber insurance.

Sean Donnelly
Sean Donnelly
seanmd
New Contributor II

No issues with latency to my DC's

 

PING 192.168.1.12 (192.168.1.12): 56 data bytes
64 bytes from 192.168.1.12: icmp_seq=0 ttl=128 time=0.3 ms
64 bytes from 192.168.1.12: icmp_seq=1 ttl=128 time=3.3 ms
64 bytes from 192.168.1.12: icmp_seq=2 ttl=128 time=0.3 ms
64 bytes from 192.168.1.12: icmp_seq=3 ttl=128 time=0.2 ms
^[[A64 bytes from 192.168.1.12: icmp_seq=4 ttl=128 time=0.2 ms

--- 192.168.1.12 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.8/3.3 ms

RRK-Fortigate-2 # execute ping 192.168.1.99
PING 192.168.1.99 (192.168.1.99): 56 data bytes
64 bytes from 192.168.1.99: icmp_seq=0 ttl=128 time=0.2 ms
64 bytes from 192.168.1.99: icmp_seq=1 ttl=128 time=0.3 ms
64 bytes from 192.168.1.99: icmp_seq=2 ttl=128 time=0.2 ms
64 bytes from 192.168.1.99: icmp_seq=3 ttl=128 time=0.3 ms
64 bytes from 192.168.1.99: icmp_seq=4 ttl=128 time=0.2 ms

Sean Donnelly
Sean Donnelly
Sheikh
Staff
Staff

Hello @seanmd 

This looks fine, you can try to increase the "remoteauthtimeout" value and also check the output of debugs.

 

regards,

 

Sheikh

**If you come across a resolution, kindly show your appreciation by liking and accepting it, ensuring its accessibility for others**
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors