Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
didier_caamano
New Contributor

SSO users have to log off and log on every 5 to 10 minutes

Hello, I' m currently testing single sign on using two collector agents in polling mode monitoring my two domain controllers (the domain controllers don' t have a DC agent installed). All the work is in a test network, so the production environment is not affected, eventually I will need to replace my current firewall and SSO solution with Fortigate. Everything works as expected, except that every 5 to 10 minutes I loose all connectivity through the fortigate cluster to all networks and services and I have to log off and log in in order to have access again. I have set the values of Workstation verify interval and Dead entry timeout, on both collector agents, to 0 (zero), still the problem remains. Has anyone experience a similar issue, where can I look in order to find out what is going on and eventually fix it? Thanks in advance.
1 Solution
Alivo__FTNT
Staff
Staff

Hi, " I have set the values of Workstation verify interval and Dead entry timeout, on both collector agents, to 0 (zero), still the problem remains. " This would mean that Not Verified status is not the culprit here. Issue can be also caused by logon override by ie. service account such as sophos updater, antivirus, access to shared folder on AD server or any other service account. This can trigger logon event on AD and overwrite original logon of a user. When this happens, original user might lose internet access since the service account will not be in any monitored group. Try to identify such accounts and put them on ignore list on Collector Agent . Logons can be seen in Windows security eventlogs, Collector Agent log in debug.

livo

View solution in original post

8 REPLIES 8
TechnoR05
New Contributor III

Hi, Could you elaborate a little on your configuration ? I may not have the answers you need, but it might encourage others to have a closer look. Do both Collector agents monitor both DCs ? Are both collector agents part of the same Single Sign-on entry on the Fortigate ? You mention " through the Fortigate cluster" , so you probably have 2 firewalls setup in a HA configuration, Active-Active, or other ? Do you use them as Internet proxy also (just curious)? Anything in the Collector agents logs ? I would say start with that and we' ll see. hoping it helps a little.
didier_caamano
New Contributor

Hello TechnoR05 You are right, perhaps I did not provide enough details, I' ll give more information, I hope it helps Both collector agents (CAs) are monitoring both DC Both CAs are part of the same SSO entry in FG, I created a entry called TEST_SSO_AD, and included both collector agents IPs there. Yes, I have two fg units 240D, they are in A-P cluster, ports 39 and 40 are configured as aggregate LACP to work as a trunk for all the vlans, and are connected to a stack of two switches on two different port-channels 10 and 11 with hashing mode 4 on the fg unit and 6 on the switches. I don' t have an internet proxy, I plan to use the FG cluster as a proxy, but I will not configure it until I make sure the SSO and the rule policies work flawlessly. I' m quite sure the A-P cluster with link aggregate is working as I follow this procedure in order to test the units. 1.- Configure A-P cluster and make sure it works 2.- Configured link aggregation on the FG cluster, configured port-channel on the stack of switches, port 39 and 40 of fg1 is connected using port-channel 10, and port 39 and 40 of fg2 connected using port-channel 11, I have made some connectivity test, simulating loss of service by shutting down one fg unit at a time or one switch of the stack at a time, and the connection from workstation to servers or to the fg units through browser stays alive. 3.- Install the collector agent on the server fca1 (Fortinet Collector Agent) and fca2 (both windows 2012), monitor both DCs and able to configure the group filter, in the group filter I add each FG serial number and the groups I want to monitor in both entries (one entry with fg1 serial number, another with fg2 serial number), sync between both Collector Agents and open the ports TCP 8000 and UDP 8002 in the CAs and DCs 4.- Connect the FG cluster to the collector agent, in SSO I created and entry called Test_SSO_AD and added both collector agent server IPS address and password and the FG connects, when I refresh the SSO page it shows the groups I previously configured in the collector agents. 5. Created rules based on SSO and try to access the servers from the test workstation and can access according to the rule I setup in the policy page. After step 5, every five to ten minutes I loose access, it is like the fg looses connection with the CAs or the CAs looses connection with the DCs, when I log off and log in again the access is there and I can resume my testings for another 5 to 10 minutes I checked the logs in one of the CA and no entry, although I did noticed in older entries connection failure with DCs. If you need anything else that you think might be helpful to track down the issue, please let me know. Thanks and I appreciate you time in reading and answering me. Have a good day.
TechnoR05
New Contributor III

Hello Didier, Like you say, everything works well for 5-10 minutes, so the basic setup itself must be ok, vlans, trunks, switches, A-P etc. We only use it as a proxy so functionnalities are not the same, but you lose nothing in checking the following, all on the Fortigates ; Under User & Device > Authentication > Settings, change the default value from 10 minutes to something like 60 for example, and retest Under Log & Report > Event log > User : do you have " User timed-out" (Bad), and/or " FSSO-logon event from Test_SSO_AD: user xxx logged on..." (Good) Maybe check also Log & Report >Trafic Log, both local and forward, and maybe also under User & Device > Monitor > Firewall, that the test user (you) is still there after disconnection, the Auth method. These are just places to look, again hoping it helps a little :) Richard
didier_caamano
New Contributor

Thanks for your idea, unfortunately I the problem persist, and the logs didn' t give any relevan tinformation, the weird thing is that when I first try to ping one server in a different network its respond twice and then stop responding. I remove the SSO rule and created firewall rule and the same behaviour, so I' m going back to the basics, 1 fortigate, one switch, no LACP and one collector agent and will take it from there.
Dipen
New Contributor III

Hi Please ensure " DNS Client" service is running on your workstations. Are your workstations in DHCP mode ? Whats the lease period ? Thanks & Regards

Ahead of the Threat. FCNSA v5 / FCNSP v5

Fortigate 1000C / 1000D / 1500D

 

Ahead of the Threat. FCNSA v5 / FCNSP v5 Fortigate 1000C / 1000D / 1500D
didier_caamano
New Contributor

Hello Dipen, Unfortunately I haven' t have much time to troubleshoot this issue, been busy with ther things. The workstations get the IP from DHCP and the IP lease time is 8 hours
Alivo__FTNT
Staff
Staff

Hi, " I have set the values of Workstation verify interval and Dead entry timeout, on both collector agents, to 0 (zero), still the problem remains. " This would mean that Not Verified status is not the culprit here. Issue can be also caused by logon override by ie. service account such as sophos updater, antivirus, access to shared folder on AD server or any other service account. This can trigger logon event on AD and overwrite original logon of a user. When this happens, original user might lose internet access since the service account will not be in any monitored group. Try to identify such accounts and put them on ignore list on Collector Agent . Logons can be seen in Windows security eventlogs, Collector Agent log in debug.

livo

Fullmoon

same problems as yours. upgrade and use fsso ver 5.2.x

Fortigate Newbie

Fortigate Newbie
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors