Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
FortiGator
New Contributor II

FortiManager keeps removing source-ip for Radius server

I have a strange issue with FortiManager, I have two sites that have radius configured for VPN authentication. Each site has a local server and a remote server as a backup that connects over IPSEC. I set a source IP in FortiManager and push the system config. Both sites then can contact the servers using the test connectivity, but as soon as the system config is pushed, the policy package goes out of sync. When I go to push the policy package, it unsets the source-ip and the test connectivty fails. I have tried it directly on the firewall and retrieve the config, but ultimately get the same issue where FortiManager wants to unset the source-ip. Anybody ever run into this or have any suggestions?

1 Solution
smkml
Staff
Staff

Hi @FortiGator ,

 

Since you have two sites, is it possible to check on Policy & Objects > User & Authentication > RADIUS Server > (server name) > Per-Device mapping > Advanced Options > source ip is set to  each devices.

per-device mapping.png

View solution in original post

4 REPLIES 4
smkml
Staff
Staff

Hi @FortiGator ,

 

Since you have two sites, is it possible to check on Policy & Objects > User & Authentication > RADIUS Server > (server name) > Per-Device mapping > Advanced Options > source ip is set to  each devices.

per-device mapping.png

Toshi_Esumi
SuperUser
SuperUser

@smkmlis assuming you have RADIUS server object is configured there. But my assumption is you don't have anything configured in the Policy&objects, which shouldn't override the device config. Isn't it the case?

Toshi

FortiGator
New Contributor II

@smkml @Toshi_Esumi Thank you both for your replies. In this instance, smkml was spot on. It never dawned on me that the issue would be a device mapping that was overriding the config. I did not manually create the mapping but it was obviously created when the firewall was originally added to FortiManager years ago. I just never realized they could not connect to the remote server (secondary) because we never had an issue with the primary until now. I appreciate the help! 

Toshi_Esumi

Probably that was created when you imported it into a policy package first time. I'm not sure the device mapping was generated for the first one but might be created when you imported the second one since one ADOM can have one object if the name is the same, while you have have muitiple sets of policies for two or more FGTs.

 

Toshi

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors