FortiGate
mturic (Staff)
Article Id 197910
Description
This article describes how to troubleshoot the FSSO TS Agent when the FortiGate block page shows no username for a website.

Solution
Have the user log in to the terminal server.

- Open the TS Agent configuration and set logging to Debug (use the server Admin account).
- Have the end user log in to the terminal server and generate web traffic.

Verify that the user login information is visible on the Collector Agent.

In the Terminal Server debug logs, check for user-related events.

- Sample user information looks like this:

Session 5 is allocated to the User xxxxx and port range is: 2224-2423.
01-02-2020 09:45:48 [0000112c] session ID:5, username: xxxxx, domain: fortinet
01-02-2020 09:45:48 [0000112c] session ID:5 has added to session table
01-02-2020 09:45:48 [0000112c] succeeded to allocate port range 2224-2423 for session 5

A successful source port allocation log for the user's traffic (the allocated port has to be within the allocated range) looks like this:

CDriver allocate port 2224 for request 10440 of session 5 protocol 6, time:15
Session 5                              <----- The user session ID.
Port 2224                              <----- Within the allocated port range.
Allocate port                          <----- TS Agent successfully allocated a port from the session's port range for the request.

Note:
Session ID 0 is used for system resources.

If all the allocated ports are exhausted, a log similar to the following appears:
Cdriver failed to allocate port for request 10410 of session 5 protocol 6, time:0
Session 5                              <----- The user session ID.
Port                                   <----- No port available in the port range for session 5.
Verify the login details on the FortiGate.

Verify that the FortiGate has received the logon from FSSO:
# diag firewall auth list | grep -i michael -A 7
10.0.53.7, Michael
type: fsso_citrix, id: 4, duration: 63444, idled: 63444
server: Fortinet_FSSO_Access_List
packets: in 0 out 0, bytes: in 0 out 0
group_id: 8
group_name: Fortinet_FSSO_All_Users
port_range: (2224-2423)
For TS Agent, the source port is important, so it is necessary to verify from which source port the traffic was sent. This can be done with a packet capture on the FortiGate:
# diagnose sniffer packet any 'host <web server IP>' 4
Note: With an explicit proxy, filtering the sniffer on the web server IP will not reveal the terminal server's source port. Use a broader filter on the terminal server instead:
# diagnose sniffer packet any 'host <terminal server IP>' 4
Check the session list for the user's session:
# diagnose sys session filter dst <webserver ip>
# diagnose sys session list
If the src_port seen in the packet capture and session list falls outside the port range allocated to the user, check the TS Agent log and identify which process on the terminal server is using the source port that was assigned to that user.

Terminal Server.

Use the following command in CMD or PowerShell to get the output:

Get-NetTCPConnection | sort-object owningprocess

From the above screenshot:

Src_ip: 10.5.10.24
Src_port: 50777         <-----
Dst_ip: 185.48.81.79
Dst_port: 80
Go to Task Manager -> Services, look up the PID found above and identify the application by its description.

If the application is something other than TS Agent, stop that service and verify whether the reported issue (no username on the block page) persists.
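The Get-NetTCPConnection and PID lookup steps above can be combined into one check on the terminal server. The following is an added example, not code from the original article or from Fortinet: it takes the port range the FortiGate reported for the user (from 'diag firewall auth list') and the web server IP seen in the packet capture (both assumed values here), lists TCP connections to that server whose local (source) port is outside the range, and resolves the owning process for each.

```powershell
# Added example (not part of the original article). Assumed values: the port
# range FortiGate reports for the user and the destination web server IP.
$RangeStart = 2224            # from 'port_range: (2224-2423)' on the FortiGate
$RangeEnd   = 2423
$WebServer  = '185.48.81.79'  # Dst_ip seen in the packet capture / session list

# All TCP connections towards the web server. A filter that matches nothing
# raises a non-terminating error, so suppress it and treat the result as empty.
$conns = Get-NetTCPConnection -RemoteAddress $WebServer -ErrorAction SilentlyContinue

# Keep only connections whose source port TS Agent could not have allocated
# for this user, and attach the owning process name and image path.
$outside = foreach ($c in $conns) {
    if ($c.LocalPort -lt $RangeStart -or $c.LocalPort -gt $RangeEnd) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress  = $c.LocalAddress
            LocalPort     = $c.LocalPort
            RemoteAddress = $c.RemoteAddress
            RemotePort    = $c.RemotePort
            State         = $c.State
            PID           = $c.OwningProcess
            ProcessName   = if ($proc) { $proc.ProcessName } else { '<unknown>' }
            Path          = if ($proc) { $proc.Path } else { '' }
        }
    }
}

if ($outside) {
    "Connections to $WebServer with a source port outside $RangeStart-$RangeEnd (not allocated by TS Agent):"
    $outside | Sort-Object PID | Format-Table -AutoSize
} else {
    "All connections to $WebServer use source ports inside $RangeStart-$RangeEnd."
}
```

Any process listed other than TS Agent is the candidate to stop while re-testing the block page, as described in the step above.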