Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jaydee
New Contributor

FSSO/authd issues

I have a 300C cluster in active-active config running 5.2.13

 

AT one stage, my CPU usage constantly stays at 99%, rarely dropping. This was for about 2 years.

I tried firmware upgrades from 5.2.2 -> 5.2.9 ->5.2.13. Nothing worked.

I checked the CPU usage via cli and saw authd taking up more that 50-60% . In total my usage was 99%.

I unticked NTLM authentication on the 3 FSSO Agents. No effect.

I ran some commands under config user setting;

     I increased auth-blackout-time  to 300 -> that helped to bring the CPU usage down to around 50-70% total BUT I still experience the 2nd issue. NOT all my domain users are granted internet access even though they are listed in the FSSO Agent logon users list AND on FortiGate under the users passed to FortiGate by the FSSO Agent. I have 3 DCs and FSSO Agent on all of them in sync, FSSO Agents running with DC-Agents and Advanced Directory Access mode.

 

They exhibit the same behavior, they cannot access the authentication portal on port 1000/1003 even though they can telnet the FortiGate IP on that port. Just throws up a Page Cannot be displayed error. Some I get to work by releasing/renewing their IP via IP config command. Some eventually brings up the authentication page after a long time. Others just refuse. I noticed that if the affected user logs onto another domain machine, everything is fine BUT if any user tried to login the affected machine, they experience the same issue.

 

I logged a ticket with Fortinet Support but they couldn't assist me:

They said I must upgrade to Firmware 5.2.15, I am not sure that will help as they didn't checked for the FSSO issues, as high CPU usage by authd clearly shows that the issue might be related to FSSO. My point is, this issue remained over 3 different firmware versions, what guarantee will I have it being fixed in the latest one. I think my FSSO config might be the issue.

 

1 REPLY 1
xsilver_FTNT
Staff
Staff

Hi,

if you state you do have FSSO working then why do you mix passive auth via FSSO with active authentication via NTLM ? Ports 1000/1003 are used by FGT as destination where to redirect client (portal) for active authentication. Redirect also contain additional parameters to identify and distinguish between sessions. It is not expected to be used directly.

Maybe check your auth setup and simplify it if possible.

 

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

Labels
Top Kudoed Authors