FortiGate 80F and MFA Issues
It's been nearly a year since I moved from Cisco to Fortinet and I have to say MFA is extremely buggy. Currently running v7.4.1 build2463. We are using LDAP to create our user accounts and then add the user into a local user group on the FortiGate, then finally enabling two-factor. We will run into issues where a user will be entering the correct username, password, and MFA token (using FortiTokens), but a message like "VPN server is unreachable" is thrown on the client side. I've tried debugging with no luck and I've also had a few tickets opened with support and once again no resolution. Starting to think I should have never switched to Fortinet. The only fix we can come up with is to disable MFA and then reboot the device, and then the user can finally connect, but only using password authentication. Has anyone else dealt with this issue and if so what was your fix? I can't be the only one with this problem. Thanks in advance!
Labels: FortiClient, FortiGate, FortiToken
Hello Sean,
I am sorry to hear about your experience with MFA.
Did you try to increase the remoteauthtimeout on the FortiGate?
# config system global
set remoteauthtimeout <1-300s>
end
The default timer is only 5 seconds, and if you are using remote users to authenticate with FortiToken, the authentication can time out.
Kindly refer to this article for reference:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SSL-VPN-and-two-factor-expiry-timers....
I would also recommend testing with your FortiGate's local users as well.
. . . . . . . . . . . . . . . . . . . . . . . .
Arun Kumar | TAC Engineer II
FORTINET TAC - America EAST
NSE Certified: FCA, FCF, FCP-NS, FCSS-NS
Office Hours: 9AM-6PM EST (Tue-Sat)
Contact: https://fortinet.com/support-and-training/support/contact.html
Community Forum: https://community.fortinet.com
# Is there anything Fortinet could have assisted with further, better, or differently?
# Simply request a Manager follow-up
Thank you. I believe I did this along with username sensitivity set to disable. I will check right now and report back.
Thank you. Kindly keep us posted.
I think this is good?
Yes, this looks good. Now you can test it.
I wonder if you have web mode in SSL VPN as well, just in case this is something related to FortiClient only. You can test your user in SSL VPN web mode.
----
Arun
Hello @seanmd ,
The values look fine. Please also check the latency between the FortiGate and the domain controllers; if they are on the same site then these values should be fine. Moreover, these debugs will help you see what is happening during authentication.
diagnose debug console timestamp enable
diagnose debug app fnbamdd -1
diagnose debug app sslvpn -1
diagnose debug enable
****reproduce the issue****
regards,
Sheikh
Thank you! I will reach out to the user who was having problems this morning, turn two-factor back on, and test with him. The web mode SSL VPN is disabled per our cyber insurance.
No issues with latency to my DCs:
PING 192.168.1.12 (192.168.1.12): 56 data bytes
64 bytes from 192.168.1.12: icmp_seq=0 ttl=128 time=0.3 ms
64 bytes from 192.168.1.12: icmp_seq=1 ttl=128 time=3.3 ms
64 bytes from 192.168.1.12: icmp_seq=2 ttl=128 time=0.3 ms
64 bytes from 192.168.1.12: icmp_seq=3 ttl=128 time=0.2 ms
64 bytes from 192.168.1.12: icmp_seq=4 ttl=128 time=0.2 ms
--- 192.168.1.12 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.8/3.3 ms
RRK-Fortigate-2 # execute ping 192.168.1.99
PING 192.168.1.99 (192.168.1.99): 56 data bytes
64 bytes from 192.168.1.99: icmp_seq=0 ttl=128 time=0.2 ms
64 bytes from 192.168.1.99: icmp_seq=1 ttl=128 time=0.3 ms
64 bytes from 192.168.1.99: icmp_seq=2 ttl=128 time=0.2 ms
64 bytes from 192.168.1.99: icmp_seq=3 ttl=128 time=0.3 ms
64 bytes from 192.168.1.99: icmp_seq=4 ttl=128 time=0.2 ms
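As an added example (not from the thread or from Fortinet), a small Python helper that parses the `execute ping` output pasted above, strips stray terminal escapes from a copy-paste, and checks whether the worst-case DC round trip is a plausible cause of hitting `remoteauthtimeout`. The number of LDAP round trips and the 10% headroom are assumptions for illustration, not Fortinet figures.

```python
import re

# Constructed sample modelled on the FortiGate `execute ping` output in the thread;
# the "\x1b[A" is the kind of cursor-key escape that ends up in pasted output.
SAMPLE_PING = """PING 192.168.1.12 (192.168.1.12): 56 data bytes
64 bytes from 192.168.1.12: icmp_seq=0 ttl=128 time=0.3 ms
64 bytes from 192.168.1.12: icmp_seq=1 ttl=128 time=3.3 ms
64 bytes from 192.168.1.12: icmp_seq=2 ttl=128 time=0.3 ms
64 bytes from 192.168.1.12: icmp_seq=3 ttl=128 time=0.2 ms
\x1b[A64 bytes from 192.168.1.12: icmp_seq=4 ttl=128 time=0.2 ms
--- 192.168.1.12 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.8/3.3 ms
"""

ANSI_ESCAPE = re.compile(r"\x1b\[[0-9;]*[A-Za-z]")
REPLY_RE = re.compile(r"icmp_seq=(\d+) ttl=\d+ time=([\d.]+) ms")
STATS_RE = re.compile(r"(\d+) packets transmitted, (\d+) packets received")


def parse_ping(output):
    """Return per-reply RTTs (ms), the worst RTT and the loss percentage."""
    text = ANSI_ESCAPE.sub("", output)
    rtts = [float(t) for _, t in REPLY_RE.findall(text)]
    m = STATS_RE.search(text)
    sent, recv = (int(m.group(1)), int(m.group(2))) if m else (len(rtts), len(rtts))
    loss_pct = 100.0 * (sent - recv) / sent if sent else 0.0
    return {"rtts": rtts, "max_ms": max(rtts) if rtts else None, "loss_pct": loss_pct}


def latency_within_budget(stats, remoteauthtimeout_s=5, round_trips=4):
    """True if `round_trips` LDAP exchanges at the worst observed RTT would use
    less than 10% of remoteauthtimeout (assumed headroom). Any loss or an empty
    sample is treated as 'not within budget' so it is investigated, not ignored."""
    if stats["max_ms"] is None or stats["loss_pct"] > 0:
        return False
    worst_path_s = stats["max_ms"] * round_trips / 1000.0
    return worst_path_s < remoteauthtimeout_s * 0.1


if __name__ == "__main__":
    stats = parse_ping(SAMPLE_PING)
    print(stats)
    print("DC latency within auth budget:", latency_within_budget(stats))
```

If this returns True for every DC, the network path is not eating the 5 s budget and the slow step is elsewhere (for example the token validation itself), which is exactly the case where raising `remoteauthtimeout` helps.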
Hello @seanmd
This looks fine. You can try to increase the "remoteauthtimeout" value and also check the output of the debugs.
regards,
Sheikh
