I have a strange issue with FortiManager. I have two sites that have RADIUS configured for VPN authentication. Each site has a local server and a remote server as a backup that connects over IPsec. I set a source IP in FortiManager and push the system config. Both sites can then contact the servers using the test connectivity, but as soon as the system config is pushed, the policy package goes out of sync. When I go to push the policy package, it unsets the source-ip and the test connectivity fails. I have tried it directly on the firewall and retrieved the config, but ultimately get the same issue where FortiManager wants to unset the source-ip. Has anybody ever run into this or have any suggestions?
Hi @FortiGator ,
Since you have two sites, is it possible to check that Policy & Objects > User & Authentication > RADIUS Server > (server name) > Per-Device Mapping > Advanced Options > Source IP is set for each device?
@smkml is assuming you have a RADIUS server object configured there. But my assumption is you don't have anything configured in Policy & Objects, which shouldn't override the device config. Isn't that the case?
Toshi
@smkml @Toshi_Esumi Thank you both for your replies. In this instance, smkml was spot on. It never dawned on me that the issue would be a device mapping that was overriding the config. I did not manually create the mapping but it was obviously created when the firewall was originally added to FortiManager years ago. I just never realized they could not connect to the remote server (secondary) because we never had an issue with the primary until now. I appreciate the help!
Created on 03-01-2024 01:53 PM Edited on 03-01-2024 01:54 PM
Probably that was created when you imported it into a policy package the first time. I'm not sure the device mapping was generated for the first one, but it might have been created when you imported the second one, since one ADOM can have only one object if the name is the same, while you can have multiple sets of policies for two or more FGTs.
Toshi
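For readers who want to see what the per-device mapping discussed above resolves to on the FortiGate itself, here is an added example (not from any post in this thread): the RADIUS object as it should look after the policy package push, with source-ip retained, followed by the shape it takes when FortiManager's mapping unsets it, and the CLI checks to run after each push. The object name, server addresses and the source address are assumed placeholders; FortiManager writes the per-device Source IP value from Policy & Objects > User & Authentication > RADIUS Server > Per-Device Mapping into this object, so if that mapping is empty the policy push ends up in the second form.

```text
# Expected result after a consistent system config + policy package push.
# "RADIUS-VPN", 10.10.1.20, 10.20.1.20 and 10.10.1.1 are assumed values.
config user radius
    edit "RADIUS-VPN"
        set server "10.10.1.20"            # local RADIUS server at this site
        set secondary-server "10.20.1.20"  # backup server at the other site, reached over IPsec
        set source-ip "10.10.1.1"          # an address on this FortiGate that is inside the
                                           # IPsec selectors, so the far side routes replies
                                           # back through the tunnel
    next
end

# What the broken policy push leaves behind. With source-ip unset, the FortiGate
# sources RADIUS traffic from the address of the egress interface, which is
# typically not covered by the tunnel selectors, so the secondary (remote)
# server never sees the request and "test connectivity" fails.
config user radius
    edit "RADIUS-VPN"
        set server "10.10.1.20"
        set secondary-server "10.20.1.20"
        unset source-ip
    next
end

# Checks to run on the FortiGate after each push:
#  1. confirm what actually landed in the object
show user radius RADIUS-VPN
#  2. exercise authentication against the object (testuser/testpassword are assumed)
diagnose test authserver radius RADIUS-VPN pap testuser testpassword
#  3. watch the source address of the outgoing RADIUS packets while the test runs
diagnose sniffer packet any 'udp port 1812' 4
```

If `show user radius` comes back with `set source-ip` present but the policy package still shows as out of sync, the mismatch is between the device config and the ADOM's per-device mapping, not on the FortiGate, and the mapping is the place to correct it rather than the device database.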