General troubleshooting tips for FSSO
The following tips are useful in many FSSO troubleshooting situations.
To help locate the problem, configure a sniffer policy to capture FSSO logon messages along with other information.
If FSSO is in use, the log messages captured by a sniffer policy will include a user name if the IP address in the log message corresponds to the IP address of a user who has been authenticated with FSSO.
Ensure all firewalls are allowing the FSSO required ports through.
FSSO has a number of required ports that must be allowed through all firewalls, or connections will fail. These include ports 139, 389 (LDAP), 445, 636 (LDAP), 8000, and 8002.
Ensure the Collector agent has at least 64kbps bandwidth to the FortiGate unit.
If the Collector agent does not have this amount of bandwidth, FSSO information may not reach the FortiGate unit, resulting in outages. The best solution is to configure traffic shaping between the FortiGate unit and the Collector agent to ensure that minimum bandwidth is always available.
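One way to check the required-ports tip from a host on one side of a firewall is shown below. This is an added example, not Fortinet code: the function names are hypothetical, and it assumes TCP for every port because the text does not state which transport each port uses. A timeout usually points at a firewall silently dropping the traffic, while a refusal means the path is open but nothing is listening on that port.

```python
import socket
import sys

# Port list as given in the tip above. Only TCP is probed (assumption).
FSSO_PORTS = (139, 389, 445, 636, 8000, 8002)


def probe(host, port, timeout=2.0):
    """Classify a single TCP connection attempt to host:port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"          # handshake completed
    except ConnectionRefusedError:
        return "refused"       # host reachable, no listener on this port
    except socket.timeout:
        return "filtered"      # no answer: typical of a firewall drop rule
    except OSError:
        return "unreachable"   # no route, name resolution failure, etc.
    finally:
        sock.close()


def check_fsso_ports(host, ports=FSSO_PORTS, timeout=2.0):
    """Probe every port and return {port: result}."""
    return {port: probe(host, port, timeout) for port in ports}


def blocked(results):
    """Ports whose result suggests a firewall or routing problem."""
    return sorted(p for p, r in results.items()
                  if r in ("filtered", "unreachable"))


if __name__ == "__main__":
    # Usage: python fsso_ports.py <host on the far side of the firewall>
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = check_fsso_ports(target)
    for port, result in results.items():
        print(f"{target}:{port:<5} {result}")
    if blocked(results):
        print("Check firewall rules for ports:", blocked(results))
```

A "refused" result on a port is not a firewall finding; it only shows that the probed host does not run that service.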