aguerriero
Contributor II

ZTNA Forticlient authentication popup just counts down to zero.


Does anyone ever get a popup that just counts down to nothing, and you cannot connect to any ZTNA destinations? I normally get the popup once, do my SAML authentication, along with MFA against the FortiAuthenticator. Then everything works and I am good. Occasionally I get this timer that just counts down until 0.

aguerriero
Contributor II

This time I had to actually reboot the primary FortiGate in the HA pair. Once the secondary took over, everything worked again.

aguerriero
Contributor II

FortiGate 1500D 7.2.5
EMS 7.2.1
FortiClient 7.2.1

I think it has something to do with user group timeouts and something with WAD users. "diag wad user list" shows that it doesn't expire, but I have the SAML authentication timeout set at 960 in both the FortiAuthenticator and in the user group settings on the FortiGate for my SAML group.

I got into the FortiGate and did a "diag wad user clear ID IP VDOM" and then was immediately able to connect again. How do I set the user sessions to expire either on idle or when the user closes their last ZTNA session?


tino_p
aguerriero

This problem is back again.

We had since updated to 7.2.8 and FortiClient version 7.2.3.0929. Everything was working great for a couple of months, and we are getting these stuck sessions that need to be manually cleared to connect again. Is there some way to let these sessions time out or be overridden so the session can establish again?

lorenma
New Contributor

Do you see your traffic in the ZTNA logs? Not forward traffic but ZTNA traffic? Your traffic, if it's being correctly proxied, should appear in the ZTNA logs. Does the internet-facing interface have a public IP or private? If private, then add a secondary IP with the public IP 111.112.113.114? If it already has a public IP, try TCP forwarding instead of HTTPS access proxy and see if it works, as it will do the same thing in the end.
