Support Forum
mrmIT
New Contributor II

Issue with FSSO Agent Communication on secondary DC

Hello All,


I have Fortinet Single Sign-On (FSSO) Agent installed in DC Agent mode on both of my domain controllers (DC01 and DC02).

Observations:

  1. When a user logs into the network with DC01 as their logon server:
    • The user appears in the Show Logon Users list on the FSSO agent.
    • The collector forwards this information to FortiGate, and the user is also visible in the FSSO user list on FortiGate.
  2. When a user logs in with DC02 as their logon server:
    • The user appears in the Show Logon Users list on the FSSO agent on DC02.
    • However, this information is not forwarded to FortiGate.

Troubleshooting Steps Taken:

  • Verified that FortiGate can connect to both domain controllers on TCP/8000 without any issues.
  • Confirmed that the registry path Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FSAE\DCAgent\CA contains the IP addresses of both DC01 and DC02 on both servers.
  • Confirmed the IP address of DC02 as the secondary server in the FortiGate configuration.
  • Restarted FSSO services on both DC01 and DC02.
  • De-authenticated the user list on FortiGate.

Current Setup:

  • FSSO Agent version: 5.0.0.318 (installed on both servers).
  • FortiOS version: 7.2.10.

Questions:

Is there anything else I can check to resolve this issue? I have not yet reinstalled the FSSO agent on DC02.
Any guidance would be greatly appreciated.

1 Solution
pminarik

The most typical cause is Windows Firewall blocking it.

Make sure you allow the traffic on the Collector's side. In this case it will be incoming UDP/8002.

[ corrections always welcome ]


12 Replies
jhussain_FTNT

Hi,

 

Please let us know if the collector agent is configured in active or passive mode. Normally, the FortiGate connects to the primary FSSO agent (DC agent 01) and retrieves the users shown in the logon user list. If a user A appears in the user logon list of the DC02 agent but does not appear in the DC01 agent, the FortiGate will not collect user A from DC02.

 

Also, you can refer to the document below for multiple FSSO agents connecting to multiple FSSO CA servers.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-Multiple-FSSO-Agent-to-Connect...

 

Regards

Jamal Hussain

 

mrmIT
New Contributor II

Thank you, Jamal.

 

It seems that I have configured something incorrectly. Allow me to provide more information:

On the FortiGate firewall, I have configured only one FSSO Agent External Connector.

My DC01 has the IP address 172.16.65.2 and DC02 has 10.1.0.9.

[image: Screenshot 2024-12-11 134421.png]

[image: Screenshot 2024-12-11 135254.png]

 

As you can see above, DC01 is currently active. When I restart DC01, DC02 automatically becomes active.

I can confirm that user A appears in the user logon list of the DC02 agent but does not appear in the DC01 agent, meaning that the user log event is not present on both Collection Agents.

 

I believe I previously had two External Connectors configured, one for DC01 and another for DC02. For some reason, I decided that the best practice is to have only one External Connector, and I only added the IP address of the secondary FSSO.

Would the best practice be to create a second External Connector as described in the technical tip "Technical Tip: Configuring Multiple FSSO Agents to Connect to Multiple FSSO CA Servers Monitoring the Same Domain/Groups"?

rbraha
Staff

Hi @mrmIT 

 

You should check which CA the FGT is connected to at that time; the FGT can only communicate with one CA at a time. If this info is collected by the DC Agent and transferred to both CAs, the FGT can poll this info from whichever CA it is connected to. So you have to make sure that this user log event is present on both CAs.

jhussain_FTNT

Hi @mrmIT 

 

You must ensure that log events have been received by both domain controllers. Also verify that you are monitoring both domain controllers in the collector agent settings on DC01/DC02.

[image: jhussain_FTNT_0-1733981195709.png]

 

Regards

Jamal Hussain

pminarik
Staff

Assuming both DCs serve the same domain, the expected configuration and behaviour is as follows:

 

FortiGate has one FSSO object, with both Collectors' addresses.

The CLI interpretation could look like this:

config user fsso
    edit <some name>
        set server <DC1 address>
        set server2 <DC2 address>
        [...]
    end


Behaviour: FortiGate rotates through the list of Collectors on a failover basis, always keeping a connection with only one Collector.

 

As a consequence, all Collector Agents are expected to possess the same information for the entirety of the domain. In other words, all Collectors must poll login information from all relevant Domain Controllers (or other sources). Collector1 needs to talk to DC1 and DC2; Collector2 needs to talk to DC1 and DC2.

[ corrections always welcome ]
mrmIT
New Contributor II

@jhussain_FTNT @pminarik @rbraha 

 

Thank you everyone. The situation is as follows: DC01 (172.16.65.2) is the main collector most of the time. In the Show Monitored DCs option, DC02 (10.1.0.9) is not visible. When I go into Select DC to monitor, I see both DC01 and DC02 selected. I click OK, and a "please wait" window appears, but DC02 does not show up in the list of active DC agents. When I checked DC02, everything looks fine there, and it is monitoring both DCs.


So, the collector on DC01 monitors only DC01, while the collector on DC02 monitors both DC02 and DC01. What could be the reason that DC02 is not being added to the list?

jhussain_FTNT

 
 

Kindly verify that both collector agent IP addresses are added in DC02 as shown in the image below.

[image: jhussain_FTNT_2-1733999739080.jpeg]

 

Regards

Jamal Hussain

 

mrmIT
New Contributor II

I do not have a graphical interface. I can install it after hours because it seems that I will need to restart DC02. However, here is a screenshot from the system registry on DC01.

[image: Capture.PNG]

 

and DC02

[image: dc02.PNG]

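An added example to go with the accepted answer (this is editor-supplied code, not from the thread or from Fortinet): a PowerShell check to run elevated on the Collector Agent host. It lists whatever the local DC Agent has stored under the registry key quoted in the original post (the value names under that key are not assumed here), shows whether anything is listening on UDP/8002, and looks for an enabled inbound Windows Firewall allow rule covering UDP/8002, creating one if none exists. The rule name, the Domain-profile choice and the service-name pattern are assumptions.

```powershell
# Added example, not part of the original thread.
# Run as Administrator on the Collector Agent host (DC01 / DC02 in the OP's setup).

$CollectorPort = 8002                                   # DC Agent -> Collector Agent (UDP), per the accepted answer
$RuleName      = 'FSSO Collector Agent inbound UDP 8002' # hypothetical rule name, change to taste

# 1. Which Collector Agents does the local DC Agent report to?
#    Key path is the one quoted in the original post; value names are not assumed, so dump them all.
$caKey = 'HKLM:\SOFTWARE\Fortinet\FSAE\DCAgent\CA'
if (Test-Path -Path $caKey) {
    Write-Host "DC Agent collector list under $caKey :"
    Get-ItemProperty -Path $caKey |
        Select-Object -Property * -ExcludeProperty PS* |
        Format-List
} else {
    Write-Warning "Key $caKey not found; the DC Agent may not be installed on this host."
}

# 2. Are the Fortinet services present and running? (name pattern is an assumption)
Get-Service |
    Where-Object { $_.DisplayName -like '*Fortinet*' -or $_.DisplayName -like '*FSSO*' } |
    Select-Object -Property Name, DisplayName, Status |
    Format-Table -AutoSize

# 3. Is a process actually bound to UDP/8002 on this host?
$listener = Get-NetUDPEndpoint -LocalPort $CollectorPort -ErrorAction SilentlyContinue
if ($listener) {
    $listener | Select-Object -Property LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize
} else {
    Write-Warning "Nothing is listening on UDP/$CollectorPort; check the Collector Agent service before touching the firewall."
}

# 4. Is there an enabled inbound allow rule that covers UDP/8002?
#    Documented pattern: port filter -> associated rule. Ranges such as '8000-8010' are not
#    matched by this simple test and must be inspected by hand.
$allowRules = Get-NetFirewallPortFilter -Protocol UDP |
    Where-Object { $_.LocalPort -eq 'Any' -or $_.LocalPort -contains "$CollectorPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }

if ($allowRules) {
    Write-Host "Inbound UDP/$CollectorPort is already allowed by:"
    $allowRules | Select-Object -Property DisplayName, Profile | Format-Table -AutoSize
} else {
    Write-Warning "No enabled inbound allow rule for UDP/$CollectorPort found; creating '$RuleName'."
    New-NetFirewallRule -DisplayName $RuleName `
                        -Direction Inbound `
                        -Protocol UDP `
                        -LocalPort $CollectorPort `
                        -Action Allow `
                        -Profile Domain | Out-Null
}
```

The TCP/8000 test the original poster ran from the FortiGate only proves the FortiGate-to-Collector leg. The leg that was missing in this thread is DC Agent-to-Collector on UDP/8002, which Test-NetConnection cannot probe (it is TCP only), so the check has to be done on the receiving host as above. Repeat it on every Collector, since the FortiGate fails over between them and each one must hear from every DC Agent.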