- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- FSSO randomly stop working?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FSSO randomly stop working?
Hello,
We have Fortigate 100D and we need all connections to be authenticated to AD. FSSO is setup by Fortinet SSO agent and agents are installed on all 3 domain controlers. In AD we made 4 groups and users are members of one of those groups and agent is setup to monitor those groups. In FTG we made group type FFSO and member for each group in FTG is related group in AD. Multiple policy has been made with varius settings of web/aplication/email fltering and service for each group.
And this setup works just fine. All users are authenticated, and going out by their policy. So everything is working as it should.
Until 2-3 days ago i got report from user that his internet is not working? Checked that user, really it is not. I cant even ping outside (every rule has enabled ping). I can get to fortigate, ping it just fine, but outside i cannot. I made one test rule with just that IP of user but without FSSO, works like charm. Disable/delete rule (so standard rule would apply with FSSO) not working.
Now interesting part. I checked log and i see that that specific machine is conneting to fortigate with no user information. Just IP. If i log off and log on (not even restart of machine), everything works as normal? Like it lost "token" of authentication with AD and with relog it acquire it again and everything works.
Now 2 days has passed, and more random users report same behavior. Totaly random. Some users never have this problem. Some happen every day, some every 3-4 hours, some clients are XP, some windows 7 or 8, or even 2008 R2 server.
AD is windows 2008 R2, FTG agent is installed on all 3 servers, working as it should, clients are mix of windows XP, W7, W8.
Memory on FTG is around 40%, never over 50%, disk is maybe 5%, and procesor is around 5-15% top. Firmware is v5.2.3,build670
Any toughts?
Thx!
Mario
Labels:
- Labels:
-
5.2
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So noone has any idea?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Mario,
we're currently facing an issue with the same error indicators. Since 4-5 weeks users lost their "internet connection" but internal traffic is not affected.
The issue pertains either normal desktop pc user as users working via terminal server.
Did you made any progress resolving the issue?
We're using a Fortigate 200D Cluster with 5.0.11
Best regards,
Tim
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Anyone found solution for this issues.
Thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Any Update !!!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Mcuric, maybe you noticed that for example: Try to suppose that the work time in this scenario is commercial, i mean, 08:00 - 18:00.
When users arrive at work and make their logon, obviously the sessions will be opened in FortiGate, to allow users browser through FSSO. Please verify if the "lost of connectivity" problem happens around 16:00 - 17:00.
So, is the "no user" identity N/A or "Guest"?
If that's the case there, it means that approximately each 8 hours, the sessions are been killed by FortiGate. In this case is one parameter that should be set according to your firm profile.
If yo're using FSSO in Polling Mode, just run these commands:
# config user fsso-polling # edit <ID> # set logon-history <int> (0 - 48, default is 8(Time that the session are valid before expire), 0 means you will keep the history of sessions as long the FortiGate still running, and in this case, you must choose this option.) # end
Hope that works!.
Cordially,
- Pedro Panizzon
Cordially,
- Pedro Panizzon
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the exact same issue as mcuric. Some users randomly lose the ability to authenticate to FSSO. They will no longer be allowed through policies which users are identified with FSSO. A reboot fixes the issue. Anyone else having this issue?
PS - I don't use 'polling mode' so i don't believe what Pedro Pannizon described will help me.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We are a school district and we are also having this issue. We noticed that this started after the last update and were wondering if anyone else had just updated? also being a school district we don't want the user to be remembered since students change every hour.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Update: After some troubleshooting we have noticed one of our domain controllers did not have the FSSO dc-agent.dll installed. None of the user logon/authentication events were being collected from that domain controller. We have 5 domain controllers and with one not having the FSSO dc-agent, users had a 20% failure rate. We believe this solved our issue.
Also, we have noticed when our IT staff uses remote tools to log into user computers to troubleshoot we experience issues with FSSO. I assume this is a common issue. The IT staff's successful authentication from a users IP will change the FSSO group membership. We are investigating putting the IT users into the 'ignore users' list on the collector. We are still ironing those details out.
Related Posts
Labels
-
FortiGate
6,453 -
FortiClient
1,289 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
410 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
67 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.