It's been nearly a year since I moved from Cisco to Fortinet and I have to say MFA is extremely buggy. Currently running v7.4.1 build2463. We are using LDAP to create our user accounts and then add the user into a local user group on the FortiGate, then finally enabling two-factor. We will run into issues where a user will be entering in the correct username, password, and MFA token but a (using FortiTokens) message like VPN server is unreachable is thrown on the client side. I've tried debugging with no luck and I've also had a few tickets opened with support and once again no resolution. Starting to think I should have never switched to Fortinet. The only fix we can come up with is to disable MFA and then reboot the device and then the user can finally connect but only using only password authentication. Has anyone else dealt with this issue and if so what was your fix? I can't be the only one with this problem. Thanks in advance!
Hello Sean,
I am sorry to hear about your experience with MFA.
Did you try to increase the remoteauthtimeout on Fortigate?
# config system global
set remoteauthtimeout <1-300s>
end
The default timer is 5 seconds only and if you are using the Remote users to authenticate with Fortitoken, the athentication can timeout.
Kindly refer to this article for reference:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SSL-VPN-and-two-factor-expiry-timers....
I would also recommend testing with your Fortigates Local Users as well.
Thank you I believe I did this along with username sensitivity set to disable. I will check right now and report back.
Thank you. Kindly keep us posted.
I think this is good?
Yes, this looks good. now you can test it.
I wonder if you have Webmode in SSL VPN as well. Just in case this is something related to the FortiClient only. You can test your user in SSL VPN Web mode.
----
Arun
Hello @seanmd ,
The values looks fine. Please also check the latency between Fortigate and domain controllers; if they are on the same site then these values should be fine. Moreover, these debugs will help you see what is happening during authentication.
diagnose debug console timestamp enable
diagnose debug app fnbamdd -1
diagnose debug app sslvpn -1
diagnose debug enable
****reproduce the issue****
regards,
Sheikh
Thank you! I will reach out to the user who was having problems this morning and I will turn two-factor back on and test with him. The web mode SSLVPN is disabled per our cyber insurance.
No issues with latency to my DC's
PING 192.168.1.12 (192.168.1.12): 56 data bytes
64 bytes from 192.168.1.12: icmp_seq=0 ttl=128 time=0.3 ms
64 bytes from 192.168.1.12: icmp_seq=1 ttl=128 time=3.3 ms
64 bytes from 192.168.1.12: icmp_seq=2 ttl=128 time=0.3 ms
64 bytes from 192.168.1.12: icmp_seq=3 ttl=128 time=0.2 ms
^[[A64 bytes from 192.168.1.12: icmp_seq=4 ttl=128 time=0.2 ms
--- 192.168.1.12 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.8/3.3 ms
RRK-Fortigate-2 # execute ping 192.168.1.99
PING 192.168.1.99 (192.168.1.99): 56 data bytes
64 bytes from 192.168.1.99: icmp_seq=0 ttl=128 time=0.2 ms
64 bytes from 192.168.1.99: icmp_seq=1 ttl=128 time=0.3 ms
64 bytes from 192.168.1.99: icmp_seq=2 ttl=128 time=0.2 ms
64 bytes from 192.168.1.99: icmp_seq=3 ttl=128 time=0.3 ms
64 bytes from 192.168.1.99: icmp_seq=4 ttl=128 time=0.2 ms
Hello @seanmd
This looks fine, you can try to increase the "remoteauthtimeout" value and also check the output of debugs.
regards,
Sheikh
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.