Support Forum
nmarche1
New Contributor II

Problem with FSSO removing users from auth

Hello everyone,

The problem has been going on for months (or possibly years?) since I have been the Network Admin at my company.

The core of the problem is that some (not always the same) users are experiencing random Wi-Fi/LAN disconnects and are forced to log in to the FortiGate SSO screen multiple times a day.

I have been looking into the FSSO and FortiGate user/Wi-Fi logs to try and find the culprit, but I haven't had any luck for months.

If anyone has had a similar or the same issue, I would very much appreciate the help to solve this.

Best regards.

Nikola Marceta
7 REPLIES
AEK
SuperUser

Hi @nmarche1 

  • Did it work fine before? If so, what were the last changes before the issue started?
  • Are you using polling mode or agent mode?
  • Did you notice whether the disconnection time is regular? For example, 6h after connection?
  • Which FOS version?
  • If agent mode, which agent version?
  • Which Windows DC version?
AEK
nmarche1
New Contributor II

Hello @AEK 

It has basically been causing problems since before I came to work here (I started in October 2022), but I think in the last year the problems have become less rare.
- We are using agent mode
- The disconnection time could be either a minute or it doesn't happen for days (for example, I was on vacation recently and two weeks later, when I came back, I wasn't even asked to log in to the FSSO; it worked automatically)
- FortiOS 7.4.2
- I will have to check what the version is, but we recently updated to the newest one
- Not sure, will have to check with the Sys Admins

Nikola Marceta
AEK

Also, as you are using agent mode, you can also check, once the user is disconnected, whether it is still shown on the FG user monitor as connected or not, and whether it is still shown on the agent as connected or not.

This should tell us if the issue is from the FG side or from the agent side.

AEK
nmarche1
New Contributor II

I will double check the polling/agent mode setting just to make sure. In the meanwhile I should mention that for some reason we have two external connectors for FSSO agents on our two DCs, and not one with a primary and secondary IP address (as shown in the attachments below), so maybe that is causing some problems?

(Three screenshots attached: the two FSSO fabric connectors and their settings.)

Nikola Marceta
AEK

If both are for the same domain I honestly don't know if this is a coherent config. Maybe some experienced user from the community can confirm this.

In my experience we always used one connector with 1 active agent and 1 backup agent.

AEK
bpozdena_FTNT

Yes, this is indeed a problem if both the agents are monitoring the same domain. Every time the same user is discovered via a different fabric connector, all existing IP sessions from the source IP address are cleared from the FortiGate.

You should completely disable one of the fabric connectors. Then configure a secondary FSSO server under the remaining active fabric connector.

Keep in mind that the FSSO user groups in your firewall policies are linked to a particular FSSO fabric connector. You may need to completely reconfigure FSSO user groups in your firewall policies.

Here is a slightly older, but still valid, KB with a configuration example: https://community.fortinet.com/t5/FortiGate/Technical-Tip-FSSO-Collector-Agent-failover-configuratio...

There also seem to be almost 50 extra users on one of the collectors - please compare the settings on both FSSO collectors side-by-side and ensure they are identical.

If you require further assistance with FSSO debugging, I'd suggest opening a support ticket with TAC as the process usually requires going through hundreds of megabytes of debug logs with private data.

HTH,
Boris
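As an added illustration (not part of the original thread, and not Fortinet's own configuration), here is what the two layouts Boris describes look like in FortiOS CLI, and what AEK's "is the user still on the FortiGate and still on the agent?" check amounts to. The connector names, the 192.0.2.x collector addresses, the password placeholder and the group DN are assumed values constructed for the example; `config user fsso` with `server2`/`port2`/`password2` and `config user group` with `group-type fsso-service` are standard FortiOS syntax.

```fortios
# Layout that produces the symptom: two separate fabric connectors,
# one per collector agent, both learning the same AD domain.
# Names, addresses and the password are placeholders for this example.
config user fsso
    edit "FSSO-DC1"
        set server "192.0.2.11"
        set port 8000
        set password "REPLACE-ME"
    next
    edit "FSSO-DC2"
        set server "192.0.2.12"
        set port 8000
        set password "REPLACE-ME"
    next
end

# Corrected layout: one connector, DC1's collector as primary and
# DC2's collector as the failover (server2). The FortiGate then takes
# logon events for this domain from a single connector, which removes
# the "same user discovered via a different connector" condition that
# Boris identifies as clearing the user's sessions.
config user fsso
    edit "FSSO-AD"
        set server "192.0.2.11"
        set port 8000
        set password "REPLACE-ME"
        set server2 "192.0.2.12"
        set port2 8000
        set password2 "REPLACE-ME"
    next
end

# FSSO user groups reference groups learned through a connector, so once
# the second connector is removed the groups used in firewall policies
# have to be re-created under the remaining connector (hypothetical DN).
config user group
    edit "FSSO-Employees"
        set group-type fsso-service
        set member "CN=Employees,OU=Groups,DC=example,DC=com"
    next
end
```

To make the check AEK suggested, when a user reports a disconnect run `diagnose debug authd fsso list` on the FortiGate (the FSSO logons the FortiGate currently holds, with IP and group) and `diagnose debug authd fsso server-status` (which collector the connector is currently connected to), and compare that with the logon-user list shown in the collector agent on the DC. A user still present on the collector but missing from the FortiGate points at the FortiGate/connector side; a user already dropped by the collector points at the collector settings, which is why Boris asks for the two collectors' settings to be compared side by side.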
nmarche1

Thank you for all the answers. I will try and make the changes you suggested and get back when I have tested everything.

Nikola Marceta