Fortinet FSSO troubleshooting step-by-step guide.

Hello everybody, it is time to talk about Fortinet FSSO: not about the feature itself, but about how to troubleshoot it. I am going to explain “my” step-by-step guide.

To begin troubleshooting FSSO issues, we need to know whether the Collector Agent is connected or not. We can check this with the following commands:

# diagnose debug enable

# diagnose debug authd fsso server-status

NOTE: Of course, we must check the software compatibility between the Collector Agent version and the FortiOS version (see the release notes).

  • If the status is anything other than connected:
    • Check if the Collector Agent is running.
    • If the Collector Agent is running:
      • Execute “diagnose debug application authd 8256” and look at the message:
        1. "No route to host" ==> network issue.
        2. "DNS cannot resolve workstation name" ==> DNS issue.
        3. "Disconnecting or connection refused" ==> check TCP ports 389, 3268, 8002, or take a packet capture.
        4. "Server authentication failed" ==> check passwords.
    • If the Collector Agent is NOT running:
      • Are the sockets open? ==> netstat
      • Check the Collector Agent logs.

  • If the status is connected:
    • Group checks:
      • If no groups appear:
        • Check the group filter on the Collector Agent.
      • If groups appear, but not all of them:
        • Check the “Maximum Values” document at https://docs.fortinet.com
    • Are there logons on the FortiGate?
      • If not:
        • Are DC Agents installed on all DCs?
        • Using an LDAP server? ==> Disable
      • If yes:
        • Is the user IP correct?
          1. No ==> check DNS.
          2. Yes:
            • Does the user belong to the correct groups? Any recent group change?
            • Disable the group cache.
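
As an added example (not part of the original guide and not a Fortinet tool), this Python script performs the port check from item 3 above and sorts each result into the same categories the debug messages point to: DNS issue, no route, or connection refused. It tests from the machine it runs on, not from the FortiGate itself; the function names and the "filtered" label for timeouts are assumptions of this example.

```python
import errno
import socket

# TCP ports named in the guide's "connection refused" step.
FSSO_PORTS = (389, 3268, 8002)


def classify(host, port, timeout=3.0):
    """Try one TCP connect and map the outcome to the guide's categories."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns issue"        # name does not resolve ==> check DNS
    family, socktype, proto, _, addr = infos[0]
    with socket.socket(family, socktype, proto) as s:
        s.settimeout(timeout)
        try:
            s.connect(addr)
        except ConnectionRefusedError:
            return "refused"      # host answered, nothing listening or rejected
        except socket.timeout:
            return "filtered"     # no answer: packets dropped or host down
        except OSError as exc:
            if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "no route"  # routing problem ==> network issue
            return "error: " + errno.errorcode.get(exc.errno, str(exc))
    return "open"


def check_host(host, ports=FSSO_PORTS, timeout=3.0):
    """Return {port: result} for every port in the list."""
    return {p: classify(host, p, timeout) for p in ports}


if __name__ == "__main__":
    import sys
    # Pass the Collector Agent or DC hostname as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, result in check_host(target).items():
        print(f"{target}:{port} -> {result}")
```

A "refused" or "filtered" result is the cue to move on to the packet capture the guide mentions.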

Let's troubleshoot!!