Hello everyone,
The problem has been going on for months (or possibly years?) since i have been the Network Admin at my company.
The core of the problem is that some (not always the same) users are experiencing random wifi/lan disconnects and are forced to log in to the fortigate SSO screen multiple times a day.
I have been looking into the FSSO and Fortigate user/wifi logs to try and find the culprit, but i havent had any luck for months.
If anyone had a similair or same issue i would very much appreciate the help to solve this.
Best regards.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi @nmarche1
Hello @AEK
It has basically been causing problems since before i came to work here (I started in 2022 october), but i think in the last year the problems have become less rare.
- We are using agent mode
- The disconnection time could be either a minute or it doesnt happen for days (For an example, i was on vacation recently and 2 weeks later when i came back i wasnt even asked to log in to the FSSO, it worked automatically)
- FortiOS 7.4.2
- I will have to check what the version is, but we recently updated to the newest one
- Not sure, will have to check with the Sys Admins
Also, as you are using agent mode, you can also check once the user is disconnected if it is still shown on FG user monitor as connected or not, and if it is still shown on the agent as connected or not.
This should tell us if the issue if from FG side or from agent side.
I will double check the polling/agent mode setting just to make sure, in the meanwhile i should mention that for some reason we have two external connectors for FSSO agents on our two DCs and not one with a primary and secondary IP address (as shown in attachments below), so maybe that is causing some problems?
If both are for the same domain I honestly don't know if this is a coherent config. Maybe some experienced user from the community can confirm this.
In my experience we always used one connector with 1 active agent and 1 backup agent.
Yes, this is indeed a problem if both the agents are monitoring the same domain. Every time the same user is discovered via different fabric connector, all existing IP sessions from the source IP address are cleared from Fortigate.
You should completely disable one of the fabric connectors. Then configure a secondary FSSO server under the remaining active fabric connector.
Keep in mind that the FSSO user groups in your firewall policies are linked to a particular FSSO fabric connector. You may need to completely reconfigure FSSO user groups in your firewall policies.
Here is a little older, but still valid KB with configuration example: https://community.fortinet.com/t5/FortiGate/Technical-Tip-FSSO-Collector-Agent-failover-configuratio...
There also seems to be almost 50 extra users on one of the collectors - please compare the settings on both FSSO collectors side-by-side and ensure they are identical.
If you require further assistance with FSSO debugging, I'd suggest opening a support ticket with TAC as the process usually requires going through hundreds of megabytes of debug logs with private data.
Thank you for all the answers, I will try and make the changes you suggested and get back when i test everything.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1703 | |
1092 | |
752 | |
446 | |
229 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.