xinger
New Contributor III

Losing FSSO association in traffic filtering

Using FortiGate 60D on 5.0.9.  FSSO collector agent has been and is working pretty much as expected.  E.g., I can see FSSO login events associating users to their IPs. 

 

But some IPs are losing their userID associations in the traffic logs including web filtering logs.  It is not a timeout issue because the user I'm investigating shuts down every night and logs in every morning.  It has been this way for over a month now:  no userID is associated with the user's IP for the past month.  Some other users on this firewall are okay, that is, their userIDs are associated with the IP they are working from.

 

We've tried the following to fix the userID/IP that is not working:

  • Restarted the FortiGate because I thought that perhaps an internal table was getting messed up, but the situation remained the same.
  • Tried a Deauthorize option.  Couldn't find any documentation for it, but if you bring up the Device manager in FortiManager and then Query then User in the menu, you see a list of users and their user groups.  I saw my user and her groups in there.  You get an option to Deauthorize if you right click.  That seems to clear out the list including my user's.  But it didn't make any difference.  Her userID and groups reappeared in the list, but her userID is still not appearing in the traffic logs.
  • Restarted the Single Sign On Agent Service on the domain controller.
  • It is a laptop, but we confirmed that the wifi is not being used.  We thought maybe there was some IP confusion.
  • We had the user log into a terminal server where the SSO agent is running.  The user did get the correct results there.
  • Next we're going to force the laptop to a new IP.  I don't have the results yet.

    Anyone have a fix or other ideas?

     

    Thanks!

    xinger
    New Contributor III

    Peifer wrote:

    Next we're going to force the laptop to a new IP.  I don't have the results yet.

    We forced a new IP address for the laptop and the issue is now resolved for the user.   

     

    Now my questions are (1) why there was a problem, and (2) whether there is some way to handle this on the FortiGate.  I don't want to be forcing systems to new IP addresses each time this problem comes up (and I indeed see that I have other IP addresses with this problem).  If I see the problem with 192.168.1.55, I'd be happy with a FortiGate CLI command such as "fsso recollect 192.168.1.55" or "fsso remove 192.168.1.55" and let it refresh itself.
