Technical Note : FSAE Troubleshooting Guide
Products
FortiGate
Description
This article provides troubleshooting steps that can be used when encountering FSAE problems. It is assumed the initial setup of FSAE has been completed.

The FSAE installation guide can be found on the Fortinet documentation site.
Solution
Overview

The following chart shows an overview of the troubleshooting process:

Note: "CA" in this article refers to the Collector agent.





Branch Point 1: Is the FortiGate unit connected to the collector agent?

The first requirement is the connection from the FortiGate unit to the collector agent. The best way to verify the connectivity is by running the following CLI commands:

diagnose debug enable
diagnose debug authd fsae server-status

If the collector agent is not connected, proceed to branch point 2. Otherwise, go to the "Group Check" section (Section 3).

Branch Point 2: Is the Collector Agent running?

Opening the collector agent configuration interface displays the status of the collector agent service. You can also check it under Administrative Tools > Services > 'Fortinet Server Authentication Extension' service.

If the Collector agent is not running, go to section "Collector agent not running". Otherwise, proceed to section "Collector Agent running but not connected".

Section 1: Collector agent not running



Steps to follow:

1.1. - Check whether the collector agent service is running under a domain administrator account: go to Administrative Tools > Services > 'Fortinet Server Authentication Extension' service. If it is not using a domain administrator account, change the account.

1.2. - If another application is already using the ports used by FSAE (ports 8000 and 8002 by default), the service will not start. This is visible in the collector agent logs. The related article "Troubleshooting Tip : Port conflict issues giving FSAE Collector Agent stopped message" provides additional information.

1.3. - Finally, checking the collector agent logs will show any other errors that are preventing the collector agent from starting.
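To make the port-conflict check in step 1.2 repeatable, the following script (an added example, not Fortinet's code) parses the output of `netstat -ano` from the collector agent host and reports which process holds TCP 8000 and 8002. The sample output embedded below is constructed; the PIDs and addresses in it are not from any real system. If the collector agent's own PID is known, only listeners owned by a different PID are reported as conflicts; if the service is stopped, any listener on those ports is a conflict.

```python
"""Port-conflict check for the FSAE collector agent listeners (added example).

Parses `netstat -ano` output (Windows) and reports which PID, if any, is
already listening on the TCP ports FSAE uses (8000 and 8002 by default).
"""
import re
import subprocess

FSAE_PORTS = (8000, 8002)  # article defaults; adjust if changed on the CA

# Matches one LISTENING line of `netstat -ano`, e.g.
#   TCP    0.0.0.0:8000    0.0.0.0:0    LISTENING    4412
# The greedy \S+ also copes with IPv6 forms such as [::]:8000.
_LISTEN_RE = re.compile(
    r"^\s*TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)\s*$"
)

# Constructed sample output for offline use (not captured from a real host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:8000           0.0.0.0:0              LISTENING       4412
  TCP    [::]:8000              [::]:0                 LISTENING       4412
  TCP    0.0.0.0:8002           0.0.0.0:0              LISTENING       1268
  TCP    192.0.2.10:8000        192.0.2.1:51522        ESTABLISHED     4412
  UDP    0.0.0.0:5355           *:*                                    1108
"""


def listening_pids(netstat_output, ports=FSAE_PORTS):
    """Return {port: pid} for every port in `ports` that has a TCP listener."""
    found = {}
    for line in netstat_output.splitlines():
        m = _LISTEN_RE.match(line)
        if m and int(m.group("port")) in ports:
            found[int(m.group("port"))] = int(m.group("pid"))
    return found


def conflicts(netstat_output, ca_pid=None, ports=FSAE_PORTS):
    """Return a sorted list of (port, pid) listeners that are NOT the collector
    agent. With ca_pid=None (service stopped) every listener on an FSAE port
    is a conflict; the PID can then be mapped to a process with `tasklist`."""
    return sorted(
        (port, pid)
        for port, pid in listening_pids(netstat_output, ports).items()
        if ca_pid is None or pid != ca_pid
    )


if __name__ == "__main__":
    # Live run on the collector agent host (Windows); output format differs
    # on other operating systems, so the parser is only meant for Windows.
    out = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    for port, pid in conflicts(out):
        print(f"TCP port {port} is held by PID {pid}; check with: tasklist /FI \"PID eq {pid}\"")
```

Run it on the collector agent host before restarting the service; a listener on 8000 or 8002 that does not belong to the collector agent explains the "stopped" message referenced in the related article.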

Section 2: Collector Agent running but not connected



Step descriptions:

2.1 - A common problem is the password mismatch between the FortiGate and the collector agent. Reset the password between the two devices. The password is set on the main page on the Collector agent and on the FortiGate unit by going to User > Directory Service > Edit FSAE connector > Password.

2.2 - Another reason for the FortiGate unit not being able to connect to the collector agent is that a Firewall (host firewall or network firewall) is blocking the FSAE TCP port 8000. Make sure nothing is blocking the traffic between the FortiGate and the collector agent.

2.3 - A sniffer trace can be gathered on the FortiGate and on the collector agent. The following command starts capturing traffic on the FortiGate:

diagnose sniffer packet any 'host <collector agent IP address> and port 8000' 4

2.4 - You can also check the FSAE process debug output on the FortiGate by using the commands:

diagnose debug enable
diagnose debug application authd 8256

Section 3: Group Check




Step descriptions:

3.1 - If you are not seeing the groups on the collector agent, check the collector agent groups using "group filter". Verify the groups configuration.

3.2 - Verify that the groups on the FortiGate unit and on the collector agent are using the same mode. More on FSAE modes can be found in the article "FSAE Windows Directory Access Methods - Standard versus Advanced" (see the related articles section below).

3.3 - Proceed to branch point 3.

Branch Point 3: Are you seeing logon events on the FortiGate unit?

The FortiGate unit needs to see the logon event when the user logs in to their PC. You can check whether the FortiGate unit is receiving logon events by running the commands:

diagnose debug enable
diagnose debug authd fsae list

If you see ANY users logged in, proceed to branch point 4. Otherwise proceed to section "Not seeing logon events".

Section 4: Not seeing logon events




Step descriptions:

4.1 - Make sure the DC agent is installed on ALL domain controllers. If you have any problems pushing out the DC agent, you can refer to article "Troubleshooting FSAE DC agent installation problems" for more info (See related articles). To confirm that the DC agent is installed, you can refer to article "Where is DCagent service" in the related articles.

4.2 - If you have configured an LDAP server on the FSAE connector (on the FortiGate unit, go to User > Directory Service > Edit FSAE connector > LDAP), try disabling it and running the commands from branch point 3 again. An incorrectly configured LDAP server is a common cause for not seeing the logon events on the FortiGate unit.

4.3 - If this does not resolve the issue, open a support ticket.

Branch Point 4: Does the test user show up in the FSAE list?

Focusing on a single test user will help with further troubleshooting. Information to collect about the "test" user:
  1. Account username of the user currently logged in.
  2. IP address of the test host. You can run 'ipconfig' to get the IP of the host.
  3. Host DNS name. You can run the command 'hostname' to get the host name.
  4. Logon server name: This is the domain controller that the host used to authenticate. You can get this info by running the command 'echo %logonserver%'.
Once all information about the test host has been gathered, run the following commands on the FortiGate unit:

diagnose debug enable
diagnose debug authd fsae list

If the user appears on the list, proceed to section "User in FSAE list", otherwise proceed to section "User not in FSAE list".

Section 5: User in FSAE list




Step descriptions:

5.1 - If the user is on the list but has an incorrect IP, you will need to check the DNS settings on your DNS server. A common problem is with multi-homed hosts (i.e. hosts with more than one network interface). A multi-homed host may resolve its host name to the IP address of one interface while sending traffic out of another. The FortiGate will receive traffic from the IP of the other interface and consider the host not authenticated.

5.2 - If the user does have the correct IP but not the correct groups you should disable group caching on the collector agent. More on group caching as well as how to disable this feature can be found on "New Feature in FSAE build 42 and later (Group caching)" (see related articles below).

5.3 - If the username, IP and groups are all correct but the user is still not able to access the Internet, the issue may be due to a Firewall Policy setting. Please check also the article "Only the first authenticated group allowed through policy" (see related articles below).

Section 6: User not in FSAE list




Step descriptions:

6.1 - Check the IP address of the host. If the IP is listed with the username of a service account, the service account is generating a logon event and is overriding the user's logon. A good article on this issue is "Windows application forces to log-off the current user on FSAE and access through the FortiGate is blocked" (see related articles below).

6.2 - If the user recently moved to a new group try disabling group caching. More on group caching as well as how to disable this feature can be found on "New Feature in FSAE build 42 and later (Group caching)" (see related articles below).

6.3 - Make sure the collector agent log level is set to "information". Start at the end of the log file and search backwards for the IP of the test host. If it is not found, search for the username of the test user. If it is still not found, search for the hostname of the test host. If you find the host in any of the searches, proceed to subsection A; otherwise, proceed to subsection B.

Subsection A: User found in collector agent logs

Step descriptions:

6.A.1 Check whether there are any DNS errors in the collector agent logs for the host name. These include the collector agent being unable to resolve the host name at all, or resolving it to an incorrect IP. Either way, you will need to check the DNS server.
6.A.2 If the collector agent logs show that the host timed out, the collector agent was not able to connect to the host on ports 139 and 445 to verify the user. Please check also the related article "User status "Not Verified" on the collector agent" (see related articles below).
6.A.3 If all of the above have failed, please open a support ticket.
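The search order of step 6.3 (IP, then username, then hostname, scanning from the end of the log backwards) and the classification of subsection A (DNS error, host timeout, or a clean hit) can be applied to a saved log file with the following script. It is an added example, not Fortinet's code: the log format in `SAMPLE_LOG` is constructed for illustration and real collector agent lines look different, so the `dns` and `timeout` keyword checks should be adjusted to the wording your log actually uses. The `TEST_HOST` values are placeholders.

```python
"""Backward search of a collector agent log for a test host (added example).

Implements step 6.3 (search IP, then user, then hostname, from the end of
the log backwards) and maps the hit to the subsection-A check it points at.
"""

# Placeholder test-host data gathered as in Branch Point 4.
TEST_HOST = {"ip": "192.0.2.55", "user": "jdoe", "hostname": "WS-055"}

# Constructed sample log, oldest line first. NOT a real collector agent log.
SAMPLE_LOG = """\
2011-07-21 09:00:01 [info] logon event from DC01: user=asmith host=WS-012 ip=192.0.2.12
2011-07-21 09:00:05 [info] verified user asmith on WS-012 (192.0.2.12)
2011-07-21 09:01:10 [info] logon event from DC01: user=jdoe host=WS-055
2011-07-21 09:01:10 [warn] DNS lookup for WS-055 failed: unable to resolve host name
2011-07-21 09:02:00 [info] logon event from DC02: user=svc_backup host=WS-099 ip=192.0.2.99
2011-07-21 09:02:30 [warn] workstation check for WS-099 (192.0.2.99) timed out
"""

DNS_WORDS = ("dns", "resolve")          # assumed wording; adjust to your log
TIMEOUT_WORDS = ("timed out", "timeout")


def find_last_mention(lines, ip, user, hostname):
    """Step 6.3: for each identifier in order, walk the log backwards and
    return (matched_key, line_index, line) for the first hit, else None."""
    for key, needle in (("ip", ip), ("user", user), ("hostname", hostname)):
        needle = needle.lower()
        for idx in range(len(lines) - 1, -1, -1):
            if needle in lines[idx].lower():
                return key, idx, lines[idx]
    return None


def classify(lines, idx, identifiers, window=3):
    """Subsection A: look at the hit and the next few lines that mention the
    same host, and report 'timeout', 'dns', or 'found' (no error seen)."""
    ids = [i.lower() for i in identifiers]
    context = [
        l.lower() for l in lines[idx: idx + 1 + window]
        if any(i in l.lower() for i in ids)
    ]
    if any(w in l for l in context for w in TIMEOUT_WORDS):
        return "timeout"   # 6.A.2: CA could not reach the host on 139/445
    if any(w in l for l in context for w in DNS_WORDS):
        return "dns"       # 6.A.1: check the DNS server
    return "found"         # 6.A.3: seen without error; escalate if still failing


def triage(log_text, ip, user, hostname):
    """Return (matched_key, verdict). matched_key is None when the host is
    absent from the log, which sends you to subsection B (the DC agent)."""
    lines = log_text.splitlines()
    hit = find_last_mention(lines, ip, user, hostname)
    if hit is None:
        return None, "not_found"
    key, idx, _ = hit
    return key, classify(lines, idx, (ip, user, hostname))


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, **TEST_HOST))
```

Feed it the real log with `open(path).read()` in place of `SAMPLE_LOG`; a 'not_found' verdict means subsection B, and 'dns' or 'timeout' names the check in subsection A to start with.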

Subsection B: User not found in collector agent logs

If the user is not in the collector agent logs, the logon event was probably not sent by the DC agent. Check which domain controller authenticated the host (run 'echo %logonserver%' on the host) and troubleshoot that domain controller.

Make sure the DC agent is installed on that domain controller. If it is not, install the DC agent (if you are having problems, you can refer to the article "Troubleshooting FSAE DC agent installation problems" in the related articles section below). If the DC agent is installed, enable logging on the DC agent and check whether there are any errors in the DC agent logs.
Related Articles
Technical Note : Windows application forces to log-off the current user on FSAE and access through the FortiGate is blocked
FSAE Windows Directory Access Methods - Standard versus Advanced
Troubleshooting FSAE DC agent installation problems
Troubleshooting Note : User status "Not Verified" on the collector agent
Technical Note : Only the first authenticated group is allowed through a FortiGate firewall policy
Troubleshooting Tip : Port conflict issues giving FSAE Collector Agent stopped message
Technical Tip : FSAE - How to locate the DCagent service ?
Last Modified Date: 07-21-2011 Document ID: FD31819