We upgraded our main firewall cluster of 620Bs from 4.2.12 to 4.3.10 yesterday. The only thing that is giving us issues is one of our user authentication processes isn't working. We've got 3 of them and the other 2 work just fine.
All 3 of them are using LDAP. 2 are using secure connections to AD to look and the 3rd is not secure. All 3 are different AD domains.
Domain1: working. unsecure.
Domain2: working. Secure. Cert from CA imported and everything is working normally like it was in 4.2.12
Domain3: not working. Secure. Cert from CA imported. This LDAP query worked when the firewall was at 4.2.12
After doing a debug fnbamd -1 I get these:
Domain1 (working unsecure)
------------------------------------
2012-09-20 10:38:13 fnbamd_fsm.c[1274] handle_req-Rcvd auth req 6619271 for UserX in Group1-AD opt=256 prot=9
2012-09-20 10:38:13 fnbamd_auth.c[228] radius_start-Didn't find radius servers (0)
2012-09-20 10:38:13 fnbamd_auth.c[582] auth_tac_plus_start-Didn't find tac_plus servers (0)
2012-09-20 10:38:13 fnbamd_ldap.c[637] resolve_ldap_FQDN-Resolved address host1.domain.com, result xxx.xxx.xxx.xxx
2012-09-20 10:38:13 fnbamd_ldap.c[232] start_search_dn-base:'DC=domain1,DC=name' filter:sAMAccountName=UserX
------------------------------------
Domain2 (working, secure)
------------------------------------
2012-09-20 10:42:00 fnbamd_fsm.c[1274] handle_req-Rcvd auth req 6619272 for UserY in Group2-AD opt=256 prot=9
2012-09-20 10:42:00 fnbamd_auth.c[228] radius_start-Didn't find radius servers (0)
2012-09-20 10:42:00 fnbamd_auth.c[582] auth_tac_plus_start-Didn't find tac_plus servers (0)
2012-09-20 10:42:00 fnbamd_ldap.c[637] resolve_ldap_FQDN-Resolved address host2.domain.com, result xxx.xxx.xxx.xxx
2012-09-20 10:42:00 fnbamd_ldap.c[218] set_cacert_file-CA file: '/etc/cert/ca/CA_Cert_4.cer'
2012-09-20 10:42:00 fnbamd_ldap.c[232] start_search_dn-base:'DC=domain2,DC=name' filter:sAMAccountName=UserY
------------------------------------
Domain 3 (not working, secure)
------------------------------------
2012-09-20 10:36:59 fnbamd_fsm.c[1274] handle_req-Rcvd auth req 6619270 for UserZ in Group3-AD opt=256 prot=9
2012-09-20 10:36:59 fnbamd_auth.c[228] radius_start-Didn't find radius servers (0)
2012-09-20 10:36:59 fnbamd_auth.c[582] auth_tac_plus_start-Didn't find tac_plus servers (0)
2012-09-20 10:36:59 fnbamd_ldap.c[637] resolve_ldap_FQDN-Resolved address host3.domain.com, result xxx.xxx.xxx.xxx
2012-09-20 10:36:59 fnbamd_ldap.c[218] set_cacert_file-CA file: '/etc/cert/ca/CA_Cert_5.cer'
2012-09-20 10:36:59 fnbamd_ldap.c[1117] fnbamd_ldap_start-Error in ldap_sasl_bind
2012-09-20 10:36:59 fnbamd_auth.c[356] ldap_start-Failed to start ldap request for host3.domain.com
2012-09-20 10:36:59 fnbamd_fsm.c[176] create_auth_session-Error starting authentication
2012-09-20 10:36:59 fnbamd_fsm.c[1287] handle_req-Error creating session
2012-09-20 10:36:59 fnbamd_comm.c[116] fnbamd_comm_send_result-Sending result 3 for req 6619270
------------------------------------
Domain2 had its CA export a cert which was imported into the firewall and associated with the LDAP server (/etc/cert/ca/CA_Cert_4.cer).
Domain3 doesn't have a CA (Windows Admins won't tell me why so I have no idea) so the linux admin issued a cert on behalf of Domain3. This is where I think the process is broken, although I'm stumped as to why it's not working now but had been working through all 12 versions of FortiOS in the 4.2 family.
I opened a ticket with Fortinet but I thought I'd post this here to see if anybody else had an issue like this when they upgraded from 4.2 to 4.3. I'll probably get a faster response here than with Support.
-TJ
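The debug output above stops at "Error in ldap_sasl_bind" right after fnbamd loads CA_Cert_5.cer, which is the point where the LDAPS handshake has to validate the certificate host3 presents against that CA file. The script below is an added example, not part of TJ's post or of Fortinet's tooling: it rebuilds that trust check offline with openssl, using a throwaway CA, one server cert signed by it (the Domain2 case) and one self-signed cert issued outside the CA (the suspected Domain3 case), so you can see which outcome each produces. Every name, key and certificate in it is constructed; only the final commented command refers to the host and CA file from the post.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the LDAPS trust check
# offline with openssl. fnbamd validates the LDAP server's certificate against
# the CA file configured for that server. If the cert the server presents does
# not chain to that CA, the TLS handshake fails before the bind ever happens.
# All names, keys and certificates below are constructed throwaway material
# written to a temporary directory.

WORK=$(mktemp -d)

# Throwaway "domain CA" (stands in for the CA whose cert was imported).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
        -subj "/CN=Example Domain CA" >/dev/null 2>&1
}

# Server cert signed by that CA (the Domain2 situation).
make_signed_server() {
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/signed.key" -out "$WORK/signed.csr" \
        -subj "/CN=host-signed.example.test" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 1 -in "$WORK/signed.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/signed.pem" >/dev/null 2>&1
}

# Self-signed server cert issued outside the domain CA
# (the suspected Domain3 situation: a cert "issued on behalf of" the domain).
make_selfsigned_server() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$WORK/self.key" -out "$WORK/self.pem" \
        -subj "/CN=host-self.example.test" >/dev/null 2>&1
}

# verify_chain CAFILE CERT -> prints "ok" if CERT chains to CAFILE, else "untrusted"
verify_chain() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo untrusted
    fi
}

make_ca
make_signed_server
make_selfsigned_server
echo "signed-by-CA : $(verify_chain "$WORK/ca.pem" "$WORK/signed.pem")"   # ok
echo "self-signed  : $(verify_chain "$WORK/ca.pem" "$WORK/self.pem")"     # untrusted

# Against the live LDAPS listener the equivalent check, run from any host that
# can reach it with the same CA file the firewall has, is:
#   openssl s_client -connect host3.domain.com:636 -CAfile CA_Cert_5.cer </dev/null
# Look at the "Verify return code" line: 0 (ok) means the chain is trusted; an
# "unable to get local issuer certificate" or "self signed certificate" code means
# the presented cert does not chain to the CA the firewall was given.
```

If the live check fails, compare the issuer of the cert host3 presents (`openssl s_client ... | openssl x509 -noout -issuer`) with the subject of CA_Cert_5.cer; a mismatch there is consistent with the bind failing only on the one domain whose cert was issued outside its CA.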