Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDLP
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGuard
- FortiGate Cloud
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- RE: SSO users have to log off and log on every 5 ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SSO users have to log off and log on every 5 to 10 minutes
Hello,
I' m currently testing single sign on using two collector agents in polling mode monitoring my two domain controllers (the domain controllers don' t have a DC agent installed). All the work is in a test network, so the production environment is not affected, eventually I will need to replace my current firewall and SSO solution with Fortigate.
Everything works as expected, except that every 5 to 10 minutes I loose all connectivity through the fortigate cluster to all networks and services and I have to log off and log in in order to have access again.
I have set the values of Workstation verify interval and Dead entry timeout, on both collector agents, to 0 (zero), still the problem remains.
Has anyone experience a similar issue, where can I look in order to find out what is going on and eventually fix it?
Thanks in advance.
Solved! Go to Solution.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
" I have set the values of Workstation verify interval and Dead entry timeout, on both collector agents, to 0 (zero), still the problem remains. "
This would mean that Not Verified status is not the culprit here.
Issue can be also caused by logon override by ie. service account such as sophos updater, antivirus, access to shared folder on AD server or any other service account. This can trigger logon event on AD and overwrite original logon of a user. When this happens, original user might lose internet access since the service account will not be in any monitored group. Try to identify such accounts and put them on ignore list on Collector Agent . Logons can be seen in Windows security eventlogs, Collector Agent log in debug.
livo
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Could you elaborate a little on your configuration ?
I may not have the answers you need, but it might encourage others to have a closer look.
Do both Collector agents monitor both DCs ?
Are both collector agents part of the same Single Sign-on entry on the Fortigate ?
You mention " through the Fortigate cluster" , so you probably have 2 firewalls setup in a HA configuration, Active-Active, or other ?
Do you use them as Internet proxy also (just curious)?
Anything in the Collector agents logs ?
I would say start with that and we' ll see. hoping it helps a little.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello TechnoR05
You are right, perhaps I did not provide enough details, I' ll give more information, I hope it helps
Both collector agents (CAs) are monitoring both DC
Both CAs are part of the same SSO entry in FG, I created a entry called TEST_SSO_AD, and included both collector agents IPs there.
Yes, I have two fg units 240D, they are in A-P cluster, ports 39 and 40 are configured as aggregate LACP to work as a trunk for all the vlans, and are connected to a stack of two switches on two different port-channels 10 and 11 with hashing mode 4 on the fg unit and 6 on the switches.
I don' t have an internet proxy, I plan to use the FG cluster as a proxy, but I will not configure it until I make sure the SSO and the rule policies work flawlessly.
I' m quite sure the A-P cluster with link aggregate is working as I follow this procedure in order to test the units.
1.- Configure A-P cluster and make sure it works
2.- Configured link aggregation on the FG cluster, configured port-channel on the stack of switches, port 39 and 40 of fg1 is connected using port-channel 10, and port 39 and 40 of fg2 connected using port-channel 11, I have made some connectivity test, simulating loss of service by shutting down one fg unit at a time or one switch of the stack at a time, and the connection from workstation to servers or to the fg units through browser stays alive.
3.- Install the collector agent on the server fca1 (Fortinet Collector Agent) and fca2 (both windows 2012), monitor both DCs and able to configure the group filter, in the group filter I add each FG serial number and the groups I want to monitor in both entries (one entry with fg1 serial number, another with fg2 serial number), sync between both Collector Agents and open the ports TCP 8000 and UDP 8002 in the CAs and DCs
4.- Connect the FG cluster to the collector agent, in SSO I created and entry called Test_SSO_AD and added both collector agent server IPS address and password and the FG connects, when I refresh the SSO page it shows the groups I previously configured in the collector agents.
5. Created rules based on SSO and try to access the servers from the test workstation and can access according to the rule I setup in the policy page.
After step 5, every five to ten minutes I loose access, it is like the fg looses connection with the CAs or the CAs looses connection with the DCs, when I log off and log in again the access is there and I can resume my testings for another 5 to 10 minutes
I checked the logs in one of the CA and no entry, although I did noticed in older entries connection failure with DCs.
If you need anything else that you think might be helpful to track down the issue, please let me know.
Thanks and I appreciate you time in reading and answering me.
Have a good day.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Didier,
Like you say, everything works well for 5-10 minutes, so the basic setup itself must be ok, vlans, trunks, switches, A-P etc.
We only use it as a proxy so functionnalities are not the same, but you lose nothing in checking the following, all on the Fortigates ;
Under User & Device > Authentication > Settings, change the default value from 10 minutes to something like 60 for example, and retest
Under Log & Report > Event log > User : do you have " User timed-out" (Bad), and/or " FSSO-logon event from Test_SSO_AD: user xxx logged on..." (Good)
Maybe check also Log & Report >Trafic Log, both local and forward, and maybe also under User & Device > Monitor > Firewall, that the test user (you) is still there after disconnection, the Auth method.
These are just places to look, again hoping it helps a little :)
Richard
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your idea, unfortunately I the problem persist, and the logs didn' t give any relevan tinformation, the weird thing is that when I first try to ping one server in a different network its respond twice and then stop responding. I remove the SSO rule and created firewall rule and the same behaviour, so I' m going back to the basics, 1 fortigate, one switch, no LACP and one collector agent and will take it from there.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Please ensure " DNS Client" service is running on your workstations.
Are your workstations in DHCP mode ? Whats the lease period ?
Thanks & Regards
Ahead of the Threat. FCNSA v5 / FCNSP v5
Fortigate 1000C / 1000D / 1500D
Ahead of the Threat. FCNSA v5 / FCNSP v5
Fortigate 1000C / 1000D / 1500D
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Dipen,
Unfortunately I haven' t have much time to troubleshoot this issue, been busy with ther things.
The workstations get the IP from DHCP and the IP lease time is 8 hours
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
" I have set the values of Workstation verify interval and Dead entry timeout, on both collector agents, to 0 (zero), still the problem remains. "
This would mean that Not Verified status is not the culprit here.
Issue can be also caused by logon override by ie. service account such as sophos updater, antivirus, access to shared folder on AD server or any other service account. This can trigger logon event on AD and overwrite original logon of a user. When this happens, original user might lose internet access since the service account will not be in any monitored group. Try to identify such accounts and put them on ignore list on Collector Agent . Logons can be seen in Windows security eventlogs, Collector Agent log in debug.
livo
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
same problems as yours. upgrade and use fsso ver 5.2.x
Fortigate Newbie
Fortigate Newbie
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Issues with FortiClient EMS on macOS 18 Views
- duplicate license fortianalyzer 59 Views
- Active Directory users on IPsec VPNs... 154 Views
- memory conserve threshold values are hardcoded... 111 Views
- Issues with IPsec VPN and RTSP... 81 Views
Labels
-
FortiGate
8,340 -
FortiClient
1,686 -
5.2
801 -
FortiManager
703 -
5.4
639 -
FortiAnalyzer
532 -
FortiSwitch
452 -
FortiAP
446 -
6.0
416 -
FortiClient EMS
392 -
5.6
362 -
FortiMail
307 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
205 -
5.0
196 -
FortiWeb
194 -
IPsec
174 -
FortiNAC
171 -
FortiGuard
132 -
6.4
128 -
SD-WAN
102 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
95 -
FortiToken
88 -
FortiAuthenticator
80 -
Customer Service
76 -
Wireless Controller
76 -
Firewall policy
67 -
4.0MR3
64 -
FortiProxy
56 -
FortiADC
51 -
Fortivoice
50 -
FortiEDR
50 -
High Availability
48 -
vlan
47 -
ZTNA
45 -
FortiSandbox
43 -
FortiExtender
43 -
FortiDNS
42 -
Routing
39 -
DNS
38 -
BGP
37 -
LDAP
37 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
32 -
Certificate
32 -
Interface
31 -
NAT
30 -
Authentication
29 -
SSO
29 -
FortiConnect
28 -
RADIUS
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
FortiGate v5.2
24 -
VDOM
24 -
Web profile
23 -
Application control
22 -
Virtual IP
22 -
Logging
21 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
FortiPAM
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
FortiGate v5.0
14 -
OSPF
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
WAN optimization
13 -
FortiCASB
12 -
SNMP
12 -
Automation
12 -
Admin
12 -
System settings
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiSOAR
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiAP profile
9 -
Proxy policy
9 -
FortiBridge
8 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
Traffic shaping policy
7 -
Fabric connector
7 -
Intrusion prevention
7 -
FortiCache
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiCarrier
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
Explicit proxy
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Email filter profile
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
Cloud Management Security
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1632 | |
| 1063 | |
| 749 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.