Description
Solution
Overview:
The following chart shows an overview of the troubleshooting process:
Note: 'CA' in this article refers to the Collector agent.
Branch Point 1: Is the FortiGate unit connected to the collector agent?
The first requirement is the connection from the FortiGate unit to the collector agent.
The best way to verify the connectivity is by running the following CLI commands:
Branch Point 2: Is the Collector Agent running?
Opening the collector agent configuration interface displays the status of the collector agent service.
Section 1: Collector agent not running.
1) Check whether the collector agent service runs under a domain administrator account: go to Administrative Tools -> Services, open the 'Fortinet Server Authentication Extension' service and look at the account it logs on with.
If it is not a domain administrator account, change the service account.
2) If another application is already using the ports the collector agent listens on (TCP 8000 and UDP 8002 by default), the service will not start.
The port conflict is reported in the collector agent logs.
The related article 'Troubleshooting Tip: Port conflict issues giving FSAE Collector Agent stopped message' provides additional information.
3) Finally, check the collector agent logs for any other error that prevents the service from starting.
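The two checks above (service account and port conflict) can be scripted on the collector agent host. The following PowerShell is an added example and not part of the original article; it assumes the service display name starts with 'Fortinet Server Authentication Ext' (adjust the prefix if your installation names it differently) and a Windows version that ships the NetTCPIP module (Get-NetTCPConnection / Get-NetUDPEndpoint). Run it in an elevated PowerShell session on the collector agent server.

```powershell
# Added example (not from the Fortinet article): run on the collector agent host, elevated.
# Reports the account the collector agent service runs under and whether the default FSAE
# ports are already held by a process other than the collector agent.
# ASSUMPTION: the service display name begins with the prefix below; adjust if needed.

$ServiceDisplayPrefix = 'Fortinet Server Authentication Ext'
$TcpPort = 8000   # FortiGate -> collector agent (default)
$UdpPort = 8002   # DC agent  -> collector agent (default)

function Get-CollectorAgentService {
    param([string]$DisplayPrefix)
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.DisplayName -like "$DisplayPrefix*" } |
        Select-Object -Property Name, DisplayName, State, StartName, ProcessId -First 1
}

function Test-ServiceAccount {
    param($Service)
    # Built-in accounts cannot query the domain; the article requires a domain administrator
    # account. DOMAIN\user or user@domain passes this coarse check; actual membership in
    # Domain Admins must still be confirmed in Active Directory.
    $builtin = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
    if ($builtin -contains $Service.StartName) {
        Write-Warning "Service '$($Service.Name)' runs as built-in account '$($Service.StartName)'; change it to a domain administrator account."
        return $false
    }
    Write-Host "Service '$($Service.Name)' runs as '$($Service.StartName)' (state: $($Service.State))."
    return $true
}

function Get-PortOwner {
    param([int]$Port, [ValidateSet('TCP','UDP')][string]$Protocol)
    $endpoints = if ($Protocol -eq 'TCP') {
        Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    } else {
        Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue
    }
    foreach ($ep in $endpoints) {
        $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol     = $Protocol
            Port         = $Port
            LocalAddress = $ep.LocalAddress
            ProcessId    = $ep.OwningProcess
            ProcessName  = if ($proc) { $proc.ProcessName } else { '<unknown>' }
        }
    }
}

$svc = Get-CollectorAgentService -DisplayPrefix $ServiceDisplayPrefix
if (-not $svc) {
    Write-Warning "No service with a display name starting '$ServiceDisplayPrefix' was found."
} else {
    $null = Test-ServiceAccount -Service $svc
}

$owners = @(Get-PortOwner -Port $TcpPort -Protocol TCP) + @(Get-PortOwner -Port $UdpPort -Protocol UDP)
if (-not $owners) {
    Write-Host "TCP/$TcpPort and UDP/$UdpPort are free (or the collector agent is not listening yet)."
} else {
    foreach ($o in $owners) {
        if ($svc -and $o.ProcessId -eq $svc.ProcessId) {
            Write-Host "$($o.Protocol)/$($o.Port) is held by the collector agent (PID $($o.ProcessId))."
        } else {
            Write-Warning "$($o.Protocol)/$($o.Port) is held by '$($o.ProcessName)' (PID $($o.ProcessId)), not by the collector agent: port conflict."
        }
    }
}
```

A port shown as held by the collector agent's own PID is the healthy case; a port held by another process name is the conflict described in item 2, and the owning process must be moved or the FSAE ports changed on both the collector agent and the FortiGate.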
Section 2: Collector Agent running but not connected.
1) A common problem is a password mismatch between the FortiGate and the collector agent. Set the same password on both sides.
The password is set on the main page of the collector agent configuration and, on the FortiGate, under User -> Directory Service -> Edit FSAE connector -> Password.
2) Another reason for the FortiGate not being able to connect to the collector agent is a firewall (the host firewall on the collector agent server or a network firewall in the path) blocking the FSAE TCP port 8000.
Make sure nothing blocks the traffic between the FortiGate and the collector agent.
3) A sniffer trace can be gathered on both the FortiGate and the collector agent host.
The following command captures the FSAE traffic on the FortiGate:
# diagnose sniffer packet any 'host <collector agent IP address> and port 8000'
4) The FSAE debug output of the authd process can also be checked on the FortiGate with the commands below (disable debugging again once troubleshooting is finished):
# diagnose debug enable
# diagnose debug application authd 8256
Section 3: Group Check.
1) If the groups are not visible on the collector agent, check the group filter configured on the collector agent and verify the group configuration.
2) Verify if the groups on the FortiGate and the collector agent are using the same mode.
More on FSAE modes can be found in the article 'FSAE Windows Directory Access Methods - Standard versus Advanced' (see the related articles section below).
3) Proceed to branch point 3.
Branch Point 3: Are you seeing logon events on the FortiGate?
The FortiGate needs to see the logon event that is generated when the user logs in to the PC.
Section 4: Not seeing logon events.
1) Make sure the DC agent is installed on ALL domain controllers.
If there are any problems pushing out the DC agent, refer to the article 'Troubleshooting FSAE DC agent installation problems' for more information (see related articles).
To confirm that the DC agent is installed, refer to the article 'Where is DCagent service' in the related articles.
2) If an LDAP server has been configured on the FSAE connector (on the FortiGate go to User -> Directory Service -> Edit FSAE connector -> LDAP), try disabling it and running the commands from branch point 3 again.
An incorrectly configured LDAP server is a common cause for not seeing the logon events on the FortiGate.
3) If this does not resolve the issue, open a support ticket.
Branch Point 4: Does the test user show up in the FSAE list?
Focusing on a single test user helps with further troubleshooting. Gather the following information about the test host:
- Account username of the user currently logged in.
- IP address of the test host. Run 'ipconfig' on the host to get its IP.
- Host DNS name. Run 'hostname' on the host to get its name.
- Logon server name: the domain controller that the host used to authenticate. Run 'echo %logonserver%' on the host to get it.
Once all the information about the test host has been gathered, run the following commands on the FortiGate:
Section 5: User in FSAE list.
1) If the user is on the list but with an incorrect IP, check the DNS records for the host on the DNS server.
A common problem is multi-homed hosts (hosts with more than one network interface).
A multi-homed host may resolve its host name to the IP address of one interface while sending traffic out of another.
The FortiGate then receives traffic from the IP of the other interface and treats the host as not authenticated.
2) If the user does have the correct IP but not the correct groups, it is necessary to disable group caching on the collector agent.
More on group caching as well as how to disable this feature can be found on 'New Feature in FSAE build 42 and later (Group caching)' (see related articles below).
3) If the username, IP and groups are all correct but the user is still not able to access the Internet, the issue may be due to a Firewall Policy setting.
Check also the article 'Only the first authenticated group allowed through policy' (see related articles below).
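The test-host facts from Branch Point 4 (user, IP, DNS name, logon server) and the multi-homed DNS check from item 1 of Section 5 can be collected in one step on the test PC. The following PowerShell is an added example and not part of the original article; $FortiGateIp is a placeholder for the FortiGate interface the PC's traffic passes through, and the egress address is determined locally with a connected UDP socket (no packet is sent). Run it on the test PC as the logged-on user.

```powershell
# Added example (not from the Fortinet article): run on the test PC as the logged-on user.
# Gathers the four facts the article asks for and checks whether the host's DNS A record(s)
# match the interface the host actually uses to reach the FortiGate. On a multi-homed host
# a mismatch here is exactly the 'user listed with the wrong IP' symptom.
# ASSUMPTION: $FortiGateIp is a placeholder; replace it with your FortiGate address.

$FortiGateIp = '192.0.2.1'

function Get-TestHostFacts {
    $fqdn = $env:COMPUTERNAME
    try { $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName } catch { }
    [pscustomobject]@{
        User        = "$env:USERDOMAIN\$env:USERNAME"
        HostName    = $env:COMPUTERNAME
        Fqdn        = $fqdn
        LogonServer = $env:LOGONSERVER      # the DC that handled this logon, e.g. \\DC01
        LocalIPv4   = @(Get-NetIPAddress -AddressFamily IPv4 |
                        Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
                        Select-Object -ExpandProperty IPAddress)
    }
}

function Get-EgressIPv4 {
    param([string]$Destination)
    # Connecting a UDP socket makes the OS pick the source address for $Destination
    # without transmitting anything; that source address is what the FortiGate sees.
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.Connect($Destination, 8000)
        return ([System.Net.IPEndPoint]$udp.Client.LocalEndPoint).Address.ToString()
    } finally {
        $udp.Close()
    }
}

function Test-DnsMatchesEgress {
    param([string]$Fqdn, [string[]]$LocalIPv4, [string]$EgressIp)
    # Forward lookup: the address the collector agent obtains when it resolves this host name.
    $dnsIps = @()
    try {
        $dnsIps = @(Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop |
                    Where-Object { $_.Type -eq 'A' } |
                    Select-Object -ExpandProperty IPAddress)
    } catch {
        Write-Warning "DNS lookup of $Fqdn failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Fqdn       = $Fqdn
        DnsA       = $dnsIps
        EgressIp   = $EgressIp
        MultiHomed = ($LocalIPv4.Count -gt 1)
        Match      = ($dnsIps -contains $EgressIp)
    }
}

$facts = Get-TestHostFacts
$facts | Format-List
$egress = Get-EgressIPv4 -Destination $FortiGateIp
$check  = Test-DnsMatchesEgress -Fqdn $facts.Fqdn -LocalIPv4 $facts.LocalIPv4 -EgressIp $egress
$check | Format-List
if (-not $check.Match) {
    Write-Warning ("DNS resolves {0} to [{1}] but traffic to the FortiGate leaves from {2}. " -f $check.Fqdn, ($check.DnsA -join ', '), $egress) +
                  'The FSAE list will carry the DNS address and the FortiGate will see an unauthenticated source IP; fix the A/PTR records or the interface binding.'
}
```

The lookup runs against the PC's own DNS servers; to reproduce what the collector agent sees, pass its configured DNS server with Resolve-DnsName -Server <address>. A result with MultiHomed = True and Match = False is the case described in item 1 above.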
Section 6: User not in FSAE list.
1) Check the IP address of the host.
If the IP is listed with the username of a service account, the service account is generating a logon event and is overriding the user's logon.
A good article on this issue is 'Windows application forces to log-off the current user on FSAE and access through the FortiGate is blocked' (see related articles below).
2) If the user recently moved to a new group try disabling group caching.
More on group caching as well as how to disable this feature can be found on 'New Feature in FSAE build 42 and later (Group caching)' (see related articles below).
3) Make sure the collector agent log level is set to 'information'.
Start at the end of the collector agent log file and search backwards for the IP of the test host.
If it is not found, search for the username of the test user.
If it is still not found, search for the hostname of the test host.
If the host is found in any of the searches, proceed to subsection A, otherwise proceed to subsection B.
1) Check if there are any DNS errors in the collector agent for the host name.
These include the collector agent unable to resolve the host name at all or resolving to an incorrect IP.
Either way it will be necessary to check the DNS server.
2) If the collector agent logs show that the host timed out, the collector agent was not able to connect to the host on TCP ports 139 and 445 to verify the user.
Check also the related article 'User status Not Verified on the collector agent' (see related articles below).
3) If all of the above have failed, open a support ticket.
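The backward log search from item 3 of Section 6 (IP first, then username, then hostname) and the port 139/445 verification check from item 2 of subsection A can be automated. The following PowerShell is an added example and not part of the original article; the log path is a placeholder, and the sample log lines are constructed for illustration and do not reproduce the real collector agent log format. Run it on the collector agent host, or anywhere the log file has been copied to.

```powershell
# Added example (not from the Fortinet article). Searches a collector agent log from the
# newest line backwards for the test host in the order the article gives (IP, then user
# name, then host name) and reports which key matched; then checks whether TCP 139/445 on
# the test host are reachable, the connection the collector agent makes to verify the user.
# ASSUMPTIONS: $LogPath is a placeholder; the sample lines are constructed, not real output.

$LogPath  = 'C:\Program Files\Fortinet\FSAE\CollectorAgent.log'
$TestHost = @{ Ip = '10.1.20.57'; User = 'jdoe'; HostName = 'WS-JDOE01' }

function Find-LastLogEntry {
    param([string[]]$Lines, [hashtable]$Keys)
    # Walk backwards so the first hit is the most recent entry; stop at the first key found.
    foreach ($key in 'Ip', 'User', 'HostName') {
        $needle = $Keys[$key]
        for ($i = $Lines.Count - 1; $i -ge 0; $i--) {
            if ($Lines[$i].IndexOf($needle, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
                return [pscustomobject]@{ MatchedOn = $key; LineNumber = $i + 1; Line = $Lines[$i] }
            }
        }
    }
    return $null
}

function Test-VerificationPorts {
    param([string]$Ip)
    # The collector agent connects to TCP 139 and 445 on the workstation to confirm the user.
    foreach ($port in 139, 445) {
        $result = Test-NetConnection -ComputerName $Ip -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Ip = $Ip; Port = $port; Reachable = $result.TcpTestSucceeded }
    }
}

# Constructed sample lines (NOT real collector agent output) so the search can be tried offline.
$sampleLog = @(
    '09/01/2023 08:00:01 [I] DC agent DC01 reports logon: CORP\svc_backup from WS-FILE02 (10.1.20.9)',
    '09/01/2023 08:00:05 [I] DC agent DC01 reports logon: CORP\jdoe from WS-JDOE01',
    '09/01/2023 08:00:06 [E] DNS lookup for WS-JDOE01 failed: name not found',
    '09/01/2023 08:00:30 [I] DC agent DC02 reports logon: CORP\asmith from WS-ASMITH (10.1.20.58)'
)

$lines = if (Test-Path -LiteralPath $LogPath) { Get-Content -LiteralPath $LogPath } else { $sampleLog }
$hit = Find-LastLogEntry -Lines $lines -Keys $TestHost
if ($hit) {
    Write-Host "Most recent entry found by $($hit.MatchedOn) at line $($hit.LineNumber):`n  $($hit.Line)"
    if ($hit.MatchedOn -ne 'Ip') {
        Write-Warning 'Host appears by name but never by IP: look for DNS errors on this host name in the collector agent log (subsection A).'
    }
} else {
    Write-Warning 'Test host not found by IP, user name or host name: the logon event did not reach the collector agent (subsection B).'
}

Test-VerificationPorts -Ip $TestHost.Ip | Format-Table -AutoSize
```

With the constructed sample the host is found by user name only (the DNS failure line), which is the subsection A case; a real log that contains the IP confirms the collector agent resolved the host correctly, and Reachable = False on either port reproduces the 'timed out' / 'Not Verified' condition from item 2.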
Related Articles
Technical Tip: FSSO Windows Directory Access Methods - Standard versus Advanced Mode
Troubleshooting FSAE DC agent installation problems - INTERNAL
Troubleshooting Tip: User status 'Not Verified' on the FSSO Collector Agent
Technical Tip: FSAE - How to locate the DCagent service?
Technical Note: Only the first authenticated group is allowed through a FortiGate firewall policy
Troubleshooting Tip: Port conflict issues giving FSAE Collector Agent stopped message
Copyright 2023 Fortinet, Inc. All Rights Reserved.