Configuring the FSSO timeout when the collector agent connection fails

The logon-timeout option controls how long authenticated FSSO users stay on the FortiGate's list of authenticated users after the network connection to the collector agent is lost. Until the timeout expires, those users keep matching FSSO-based firewall policies; once it expires, the FortiGate logs them off. While the collector agent is unreachable the FortiGate cannot receive logoff events, so a longer timeout keeps users (including ones who have since logged off) authenticated for longer, and a shorter one drops all FSSO users during even a brief outage.

config user fsso
    edit <name>
        set server <string>
        set password <string>
        set logon-timeout <integer>
    next
end

logon-timeout <integer>

Enter the interval to keep logons after the FSSO server is down, in minutes (1 - 2880, default = 5).

Example

In this example, the logon timeout is set to four minutes.

To configure the FSSO logon timeout:
  1. Set the timeout value:
    config user fsso
        edit "ad"
            set server "10.1.100.141"
            set password ********
            set logon-timeout 4
        next
    end
  2. Log on to a PC with a valid FSSO user account.
  3. Enable real-time debugging and watch authd receive heartbeats from the collector agent. While the debug is running, the connection to the collector agent is lost (the disconnect_server_only line):
    # diagnose debug enable
    # diagnose debug application authd -1
    # diagnose debug application fssod -1
    2021-06-10 16:20:41 authd_timer_run: 2 expired
    2021-06-10 16:20:41 authd_epoll_work: timeout 39970
    2021-06-10 16:20:46 fsae_io_ctx_process_msg[ad]: received heartbeat 100031
    2021-06-10 16:20:46 authd_epoll_work: timeout 1690
    2021-06-10 16:20:47 authd_timer_run: 1 expired
    2021-06-10 16:20:47 authd_epoll_work: timeout 39990
    2021-06-10 16:20:56 fsae_io_ctx_process_msg[ad]: received heartbeat 100032
    2021-06-10 16:20:56 authd_epoll_work: timeout 31550
    2021-06-10 16:21:00 _event_error[ad]: error occurred in epoll_in: Success
    2021-06-10 16:21:00 disconnect_server_only[ad]: disconnecting
    2021-06-10 16:21:00 authd_timer_run: 1 expired
    2021-06-10 16:21:00 authd_epoll_work: timeout 9620
  4. After about three minutes, check that the FSSO user is still in the list of authenticated users (the duration counter keeps increasing) and can still connect to the internet:
    # diagnose firewall auth l
    10.1.100.188, TEST1
            type: fsso, id: 0, duration: 229, idled: 229
            server: ad
            packets: in 0 out 0, bytes: in 0 out 0
            user_id: 16777219
            group_id: 3 33554433
            group_name: ad CN=GROUP1,OU=TESTING,DC=FORTINET-FSSO,DC=COM
    
    ----- 1 listed, 0 filtered ------
  5. After four minutes, the configured logon-timeout, check the debug output again. authd logs off the FSSO user and removes it from the list:
    ...
    2021-06-10 16:24:57 authd_timer_run: 3 expired
    2021-06-10 16:24:57 authd_epoll_work: timeout 60000
    2021-06-10 16:24:59 [fsae_db_logoff:248]: vfid 0, ip 10.1.100.188, id(0), port_range_sz(0)
    2021-06-10 16:24:59 [authd_fp_notify_logoff:444]: vfid 0, ip 10.1.100.188, id 0
    2021-06-10 16:24:59 [authd_fp_on_user_logoff:412]: vfid 0, ip 10.1.100.188
    2021-06-10 16:24:59 [authd_fp_on_user_logoff:412]: vfid 0, ip 10.1.100.188
    2021-06-10 16:24:59 [auth
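The checks in steps 3 to 5 can be done offline against saved output, which is useful when validating the setting across several FortiGates or in a change window. The following Python script is an added example and is not Fortinet code; it parses the authd/fssod debug lines and the `diagnose firewall auth list` output, finds the collector-agent disconnect and the matching logoff, and reports whether the user was cleared at the configured logon-timeout. The log text embedded in the script is constructed from the sample output shown above, not a live capture, and the one-minute slack for authd timer granularity is an assumption.

```python
"""Verify FSSO logon-timeout behaviour from saved FortiGate debug output.

Added example, not Fortinet code. DEBUG_LOG and AUTH_LIST are constructed
from the sample output on this page; adapt them to your own captures.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

TS_FMT = "%Y-%m-%d %H:%M:%S"
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$")
DISCONNECT_RE = re.compile(r"disconnect_server_only\[(?P<server>[^\]]+)\]: disconnecting")
LOGOFF_RE = re.compile(r"\[fsae_db_logoff:\d+\]: vfid (?P<vfid>\d+), ip (?P<ip>[\d.]+)")

# Constructed sample: the disconnect at 16:21:00 and the logoff at 16:24:59.
DEBUG_LOG = """\
2021-06-10 16:20:56 fsae_io_ctx_process_msg[ad]: received heartbeat 100032
2021-06-10 16:21:00 _event_error[ad]: error occurred in epoll_in: Success
2021-06-10 16:21:00 disconnect_server_only[ad]: disconnecting
2021-06-10 16:24:57 authd_timer_run: 3 expired
2021-06-10 16:24:59 [fsae_db_logoff:248]: vfid 0, ip 10.1.100.188, id(0), port_range_sz(0)
2021-06-10 16:24:59 [authd_fp_notify_logoff:444]: vfid 0, ip 10.1.100.188, id 0
"""

# Constructed sample of `diagnose firewall auth list` output taken mid-outage.
AUTH_LIST = """\
10.1.100.188, TEST1
        type: fsso, id: 0, duration: 229, idled: 229
        server: ad
        packets: in 0 out 0, bytes: in 0 out 0
        user_id: 16777219
        group_id: 3 33554433
        group_name: ad CN=GROUP1,OU=TESTING,DC=FORTINET-FSSO,DC=COM

----- 1 listed, 0 filtered ------
"""


def parse_auth_list(text: str) -> List[Dict[str, str]]:
    """Return one dict per user: ip, user, plus every 'key: value' field listed."""
    users: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-----"):
            continue
        head = re.match(r"^([\d.]+), (\S+)$", line)
        if head:  # "ip, username" starts a new entry
            current = {"ip": head.group(1), "user": head.group(2)}
            users.append(current)
            continue
        if current is None:
            continue
        # Detail lines hold one or more comma-separated "key: value" pairs.
        for part in line.split(", "):
            if ":" in part:
                key, value = part.split(":", 1)
                current[key.strip()] = value.strip()
    return users


def still_listed(auth_list: str, ip: str) -> Optional[Dict[str, str]]:
    """Entry for ip if the user is still authenticated, else None (step 4)."""
    return next((u for u in parse_auth_list(auth_list) if u["ip"] == ip), None)


def parse_events(text: str) -> Tuple[Dict[str, datetime], Dict[str, datetime]]:
    """Return (first disconnect time per server, logoff time per user ip)."""
    disconnects: Dict[str, datetime] = {}
    logoffs: Dict[str, datetime] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, body = datetime.strptime(m.group(1), TS_FMT), m.group(2)
        d = DISCONNECT_RE.search(body)
        if d:
            disconnects.setdefault(d.group("server"), ts)
            continue
        lo = LOGOFF_RE.search(body)
        if lo:
            logoffs[lo.group("ip")] = ts
    return disconnects, logoffs


def seconds_until_cleared(debug_log: str, server: str, ip: str) -> Optional[int]:
    """Seconds between the collector-agent disconnect and the user's logoff."""
    disconnects, logoffs = parse_events(debug_log)
    if server not in disconnects or ip not in logoffs:
        return None
    return int((logoffs[ip] - disconnects[server]).total_seconds())


def timeout_honoured(debug_log: str, server: str, ip: str,
                     logon_timeout_min: int, slack_s: int = 60) -> bool:
    """True when the user was cleared about logon-timeout after the disconnect.

    authd expires users on a periodic timer, so a slack (assumed one minute)
    around the exact value is tolerated; anything outside it is a mismatch.
    """
    elapsed = seconds_until_cleared(debug_log, server, ip)
    if elapsed is None:
        return False
    expected = logon_timeout_min * 60
    return expected - slack_s <= elapsed <= expected + slack_s


if __name__ == "__main__":
    print("still listed mid-outage:", still_listed(AUTH_LIST, "10.1.100.188") is not None)
    print("cleared after s:", seconds_until_cleared(DEBUG_LOG, "ad", "10.1.100.188"))
    print("logon-timeout 4 honoured:", timeout_honoured(DEBUG_LOG, "ad", "10.1.100.188", 4))
```

Capture the debug output with `diagnose debug application authd -1` and `fssod -1` into a file, paste the auth list from step 4 into AUTH_LIST, and run the script with the logon-timeout you configured; a False from timeout_honoured means the user was cleared either too early or too late relative to the setting.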