Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
didier_caamano
New Contributor

SSO users have to log off and log on every 5 to 10 minutes

Hello, I'm currently testing single sign-on using two collector agents in polling mode monitoring my two domain controllers (the domain controllers don't have a DC agent installed). All the work is in a test network, so the production environment is not affected; eventually I will need to replace my current firewall and SSO solution with FortiGate. Everything works as expected, except that every 5 to 10 minutes I lose all connectivity through the FortiGate cluster to all networks and services, and I have to log off and log in again in order to have access. I have set the values of Workstation verify interval and Dead entry timeout, on both collector agents, to 0 (zero); still the problem remains. Has anyone experienced a similar issue? Where can I look in order to find out what is going on and eventually fix it? Thanks in advance.
1 Solution
Alivo__FTNT
Staff

Hi, "I have set the values of Workstation verify interval and Dead entry timeout, on both collector agents, to 0 (zero), still the problem remains." This would mean that the Not Verified status is not the culprit here. The issue can also be caused by a logon override by, e.g., a service account such as a Sophos updater, antivirus, access to a shared folder on the AD server, or any other service account. This can trigger a logon event on AD and overwrite the original logon of the user. When this happens, the original user might lose internet access, since the service account will not be in any monitored group. Try to identify such accounts and put them on the ignore list on the Collector Agent. Logons can be seen in the Windows security event logs, and in the Collector Agent log in debug.

livo

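The check the accepted answer describes, finding the accounts whose network logons displace a user's IP-to-user mapping, as an added example that is not from this thread or from Fortinet. It replays Windows Security event 4624 (successful logon) records exported from the domain controllers, per source IP, with last-logon-wins semantics: once a workstation has an interactive user, any later logon from that IP by a different account is counted as an override, and those accounts are the candidates for the Collector Agent ignore list. The records, IP addresses and account names below are constructed sample data; the field names and logon-type numbers follow the 4624 event schema, but the replay is a model of the override behaviour the answer describes, not the Collector Agent's own logic.

```python
"""Find accounts whose logons displace a user's FSSO mapping.

Added example (not from the forum thread or from Fortinet). Input is a
list of Windows Security 4624 records as exported from the DCs; the
records below are constructed sample data with invented names.
"""
from collections import defaultdict
from datetime import datetime

# Logon types that mean a person actually signed in at the machine:
# 2 = Interactive, 10 = RemoteInteractive, 11 = CachedInteractive.
INTERACTIVE_TYPES = {2, 10, 11}

# Constructed sample of 4624 records. A real export carries many more
# fields; these four are the ones this check needs.
SAMPLE_EVENTS = [
    # (TimeCreated, TargetUserName, LogonType, IpAddress)
    ("2015-03-02 09:00:05", "jdoe",       2, "10.1.20.15"),  # user signs in
    ("2015-03-02 09:00:09", "jdoe",       3, "10.1.20.15"),  # mapped drive, same user
    ("2015-03-02 09:06:12", "svc-sophos", 3, "10.1.20.15"),  # updater talks to the DC
    ("2015-03-02 09:06:40", "jdoe",       3, "10.1.20.15"),
    ("2015-03-02 09:14:03", "svc-sophos", 3, "10.1.20.15"),
    ("2015-03-02 09:20:30", "svc-backup", 3, "10.1.20.15"),
    ("2015-03-02 09:01:00", "asmith",     2, "10.1.20.22"),  # clean workstation
    ("2015-03-02 09:12:00", "asmith",     3, "10.1.20.22"),
    ("2015-03-02 09:03:00", "svc-backup", 3, "10.1.10.5"),   # server, no interactive user
]


def parse_events(records):
    """Turn exported rows into dicts with a real datetime, oldest first."""
    events = []
    for ts, user, logon_type, ip in records:
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "user": user,
            "logon_type": int(logon_type),
            "ip": ip,
        })
    return sorted(events, key=lambda e: e["time"])


def find_overrides(events):
    """Replay logons per source IP as a last-logon-wins mapping would see them.

    Returns {ip: {"user": interactive user, "logon_at": when they signed in,
    "overrides": {account: [times it displaced the user]}}} for every IP
    that had an interactive logon. IPs without one (servers) are skipped.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    report = {}
    for ip, evs in by_ip.items():
        interactive_user, logon_at = None, None
        overrides = defaultdict(list)
        for e in evs:  # already in time order from parse_events
            if e["logon_type"] in INTERACTIVE_TYPES:
                if e["user"] != interactive_user:
                    interactive_user, logon_at = e["user"], e["time"]
            elif interactive_user is not None and e["user"] != interactive_user:
                # Network logon by someone else from the user's IP: this is
                # the event that rewrites the IP-to-user mapping.
                overrides[e["user"]].append(e["time"])
        if interactive_user is not None:
            report[ip] = {"user": interactive_user, "logon_at": logon_at,
                          "overrides": dict(overrides)}
    return report


def first_override_delay_minutes(entry):
    """Minutes from the user's sign-in to the first override, or None."""
    times = [t for ts in entry["overrides"].values() for t in ts]
    if not times:
        return None
    return (min(times) - entry["logon_at"]).total_seconds() / 60


def ignore_list_candidates(report):
    """Distinct accounts that displaced any interactive user."""
    names = set()
    for entry in report.values():
        names.update(entry["overrides"])
    return sorted(names)


if __name__ == "__main__":
    report = find_overrides(parse_events(SAMPLE_EVENTS))
    for ip, entry in report.items():
        print(f"{ip}: interactive user {entry['user']}")
        for account, times in entry["overrides"].items():
            print(f"  overridden by {account} x{len(times)}, first at {times[0]:%H:%M:%S}")
    print("ignore-list candidates:", ", ".join(ignore_list_candidates(report)))
```

The delay between the sign-in and the first override is worth printing alongside the account names: if it lines up with the interval at which users lose access, the override explanation fits the symptom, and the accounts it names are the ones to try on the ignore list before changing anything else.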

8 replies
TechnoR05
New Contributor III

Hi, could you elaborate a little on your configuration? I may not have the answers you need, but it might encourage others to have a closer look. Do both Collector Agents monitor both DCs? Are both Collector Agents part of the same Single Sign-On entry on the FortiGate? You mention "through the FortiGate cluster", so you probably have 2 firewalls set up in an HA configuration, Active-Active or other? Do you use them as an Internet proxy also (just curious)? Anything in the Collector Agent logs? I would say start with that and we'll see. Hoping it helps a little.
didier_caamano
New Contributor

Hello TechnoR05, you are right, perhaps I did not provide enough details. I'll give more information, I hope it helps. Both collector agents (CAs) are monitoring both DCs. Both CAs are part of the same SSO entry in FG; I created an entry called TEST_SSO_AD and included both collector agents' IPs there. Yes, I have two FG units (240D); they are in an A-P cluster. Ports 39 and 40 are configured as an LACP aggregate to work as a trunk for all the VLANs, and are connected to a stack of two switches on two different port-channels (10 and 11), with hashing mode 4 on the FG unit and 6 on the switches. I don't have an internet proxy; I plan to use the FG cluster as a proxy, but I will not configure it until I make sure the SSO and the rule policies work flawlessly. I'm quite sure the A-P cluster with link aggregation is working, as I followed this procedure in order to test the units:

1. Configure the A-P cluster and make sure it works.
2. Configure link aggregation on the FG cluster and configure the port-channels on the stack of switches: ports 39 and 40 of fg1 are connected using port-channel 10, and ports 39 and 40 of fg2 are connected using port-channel 11. I have made some connectivity tests, simulating loss of service by shutting down one FG unit at a time or one switch of the stack at a time, and the connection from workstation to servers, or to the FG units through the browser, stays alive.
3. Install the collector agent on the servers fca1 (Fortinet Collector Agent) and fca2 (both Windows 2012), monitor both DCs, and configure the group filter: in the group filter I add each FG serial number and the groups I want to monitor in both entries (one entry with the fg1 serial number, another with the fg2 serial number), sync between both Collector Agents, and open the ports TCP 8000 and UDP 8002 on the CAs and DCs.
4. Connect the FG cluster to the collector agents: in SSO I created an entry called Test_SSO_AD and added both collector agent server IP addresses and the password, and the FG connects; when I refresh the SSO page it shows the groups I previously configured in the collector agents.
5. Create rules based on SSO and try to access the servers from the test workstation; I can access them according to the rule I set up in the policy page.

After step 5, every five to ten minutes I lose access; it is like the FG loses connection with the CAs, or the CAs lose connection with the DCs. When I log off and log in again the access is there, and I can resume my testing for another 5 to 10 minutes. I checked the logs in one of the CAs and there is no entry, although I did notice in older entries a connection failure with the DCs. If you need anything else that you think might be helpful to track down the issue, please let me know. Thanks, and I appreciate your time in reading and answering me. Have a good day.
TechnoR05
New Contributor III

Hello Didier, like you say, everything works well for 5-10 minutes, so the basic setup itself must be OK: VLANs, trunks, switches, A-P, etc. We only use it as a proxy, so the functionalities are not the same, but you lose nothing in checking the following, all on the FortiGates:

Under User & Device > Authentication > Settings, change the default value from 10 minutes to something like 60, for example, and retest.

Under Log & Report > Event Log > User: do you have "User timed-out" (bad), and/or "FSSO-logon event from Test_SSO_AD: user xxx logged on..." (good)?

Maybe check also Log & Report > Traffic Log, both local and forward, and maybe also under User & Device > Monitor > Firewall, that the test user (you) is still there after disconnection, and the auth method.

These are just places to look, again hoping it helps a little :) Richard
didier_caamano
New Contributor

Thanks for your idea; unfortunately the problem persists, and the logs didn't give any relevant information. The weird thing is that when I first try to ping one server in a different network, it responds twice and then stops responding. I removed the SSO rule and created a firewall rule, and the same behaviour occurs, so I'm going back to the basics: 1 FortiGate, one switch, no LACP and one collector agent, and will take it from there.
Dipen
New Contributor III

Hi, please ensure the "DNS Client" service is running on your workstations. Are your workstations in DHCP mode? What's the lease period? Thanks & Regards

Ahead of the Threat. FCNSA v5 / FCNSP v5

Fortigate 1000C / 1000D / 1500D

didier_caamano
New Contributor

Hello Dipen, unfortunately I haven't had much time to troubleshoot this issue, been busy with other things. The workstations get their IP from DHCP, and the IP lease time is 8 hours.
Fullmoon

Same problems as yours. Upgrade and use FSSO ver 5.2.x.

Fortigate Newbie