The diagnose debug authd fsso server command is the primary tool for troubleshooting communication between the FortiGate and the FSSO Collector Agent. This debug output reveals the status of the connection and the reasons for failure. The three most common connectivity issues identified by this debug are:
FortiGate cannot reach the IP address of the collector agent (Option C): The debug will show connection timeouts or "host unreachable" errors if the Layer 3 connectivity is missing.
The connection was refused / Port mismatch (Option B): If the FortiGate can reach the IP but the Collector Agent is not listening on the specified port (default 8000), the debug will display "Connection refused." This often happens if the port configured on the FortiGate does not match the listening port on the agent.
The pre-shared key does not match (Option D): If the IP and Port are correct, the next step is authentication. If the password configured on the FortiGate does not match the one on the Collector Agent, the debug will explicitly show an "Authentication failed" or "password mismatch" error during the handshake.
Note on other options: Option A (SSL) is less common than basic connectivity/auth mismatches. Option E (Group filters) relates to user processing logic, which occurs after connectivity is established.
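The same three-way split can be checked from a management host before reading the debug output. The probe below is an added example, not Fortinet code or part of the study guide; the function name, the verdict strings and the 192.0.2.10 address are hypothetical, and it assumes the host running it takes the same network path to the Collector Agent as the FortiGate does.

```python
import errno
import socket

FSSO_DEFAULT_PORT = 8000  # default Collector Agent port named in the text above


def classify_fsso_reachability(host, port=FSSO_DEFAULT_PORT, timeout=3.0):
    """Make one TCP connect attempt and map the outcome to the failure classes above.

    Returns (verdict, hint). The verdict strings are this example's own labels.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            # Layer 3 and the port are fine, so the remaining suspect is the
            # pre-shared key (Option D), which only the FortiGate debug can show.
            return ("listening", "TCP handshake completed; compare the pre-shared key")
    except ConnectionRefusedError:
        # The host answered with a reset: reachable, but nothing listens on this port.
        return ("refused", "host reachable, port closed; compare configured ports (Option B)")
    except socket.timeout:
        # No answer at all: packets dropped by routing or a filter on the path.
        return ("unreachable", "connect timed out; check routing and filtering (Option C)")
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return ("unreachable", "no route to host or network (Option C)")
        # Anything else (for example a name resolution failure) is reported as-is.
        return ("error", str(exc))


if __name__ == "__main__":
    # 192.0.2.10 is a constructed documentation address; replace with the agent's IP.
    verdict, hint = classify_fsso_reachability("192.0.2.10", FSSO_DEFAULT_PORT)
    print(f"{verdict}: {hint}")
```

A "listening" verdict only proves that something accepts TCP connections on that port; the key check itself still has to be read from the FortiGate debug.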
[Reference: FortiGate Security 7.6 Study Guide (FSSO Troubleshooting): "Troubleshooting FSSO... Check connectivity (IP/Port) and authentication (Password)."]