# Troubleshooting FSSO Agent Install

<div id="bkmrk-description-this-art"><table width="100%"><tbody><tr><td width="19.28934010152284%"><span>Description</span></td><td width="80.71065989847716%"><span>This article describes why Fortinet Single Sign-On (FSSO) stops working after upgrading to FSSO Collector Agent 5.0.0290.</span>

</td></tr><tr><td width="19.28934010152284%"><span>Scope</span></td><td width="80.71065989847716%"><span>FortiGate, FSSO, Collector Agent</span></td></tr><tr><td width="19.28934010152284%"><span>Solution</span></td><td width="80.71065989847716%"><span>The Fortinet Single Sign-On Agent service appears to be stopped, and when the service is restarted, it stops again shortly after.</span>

<span>When the FSSO CA debug logs are checked, the error 'cannot bind to UDP socket' can be found.</span>

<span><span class="lia-inline-image-display-wrapper lia-image-align-center"><span class="lia-message-image-wrapper lia-message-image-actions-narrow lia-message-image-actions-below">![pkavin_0-1648224302059.png](https://community.fortinet.com/t5/image/serverpage/image-id/5477i0C99275E5C572DF6/image-size/medium/is-moderation-mode/true?v=v2&px=400 "pkavin_0-1648224302059.png")</span></span></span>

<span>Starting with FSSO Collector Agent build 5.0.0290, the FSSO Collector Agent includes a Syslog service that runs on UDP port 514.</span>

<span>If UDP port 514 is already in use by another application, service, or server on the Windows machine running the FSSO Collector Agent, the error 'cannot bind to UDP socket' can be seen while running FSSO.</span>

<span>To verify this, open a command prompt as administrator.</span>

<span>Enter the command '*netstat -abo*'; this will show the Active Connections along with the listening port number.</span>

<span>On FSSO Agent build 5.0.0290 and later, go to **Advanced Settings -&gt; Syslog source list** and uncheck '**Enable this feature**', since it is also using port 514.</span>

<span>After disabling the FSSO Collector Agent’s Syslog functionality, the FSSO Collector Agent should start successfully.</span>

<span><span class="lia-inline-image-display-wrapper lia-image-align-center"><span class="lia-message-image-wrapper lia-message-image-actions-narrow lia-message-image-actions-below">![pkavin_1-1648224448922.png](https://community.fortinet.com/t5/image/serverpage/image-id/5478i554A546075DFA1FE/image-size/medium/is-moderation-mode/true?v=v2&px=400 "pkavin_1-1648224448922.png")</span></span></span>

</td></tr></tbody></table>

</div>

**Description**

This article describes why FortiGate cannot connect to FSSO Agent on Windows server 2019 and how to resolve the issue.

**Scope**

FortiGate v7.2.1, FSSO Collector Agent.

**Solution**

As an example in this article, an External Connector on FortiGate 7.2.1 has been configured using an FSSO Agent on a Windows AD connector.

<span class="lia-inline-image-display-wrapper lia-image-align-center"><span class="lia-message-image-wrapper lia-message-image-actions-narrow lia-message-image-actions-below">![matanaskovic_0-1660919587463.png](https://community.fortinet.com/t5/image/serverpage/image-id/10639i98C528D537EA3B68/image-dimensions/625x290/is-moderation-mode/true?v=v2 "matanaskovic_0-1660919587463.png")</span></span>

The configuration was working, but FSSO communication between FortiGate and FSSO Collector Agent 5.0.0306 suddenly stopped.

By default, FortiGate connects to the Collector Agent via port TCP/8000. On the Windows server, verify that the Collector Agent is listening on port TCP/8000 and check this port in the Windows Firewall.

<span class="lia-inline-image-display-wrapper lia-image-align-center"><span class="lia-message-image-wrapper lia-message-image-actions-narrow lia-message-image-actions-below">![matanaskovic_1-1660919620231.png](https://community.fortinet.com/t5/image/serverpage/image-id/10640i5178C9DC8B9745EB/image-dimensions/617x100/is-moderation-mode/true?v=v2 "matanaskovic_1-1660919620231.png")</span></span>

<span class="lia-inline-image-display-wrapper lia-image-align-center"><span class="lia-message-image-wrapper lia-message-image-actions-narrow lia-message-image-actions-below">![matanaskovic_2-1660919636954.png](https://community.fortinet.com/t5/image/serverpage/image-id/10641iEEAC8004FF6C4776/image-dimensions/608x82/is-moderation-mode/true?v=v2 "matanaskovic_2-1660919636954.png")</span></span>
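The two port checks on this page (which process holds UDP/514, and whether anything is listening on TCP/8000) can be scripted in an elevated PowerShell session. This is an added example, not Fortinet's code; `Get-PortOwner` is a hypothetical helper name, built on the standard `Get-NetUDPEndpoint` and `Get-NetTCPConnection` cmdlets and the `Win32_Service` CIM class.

```powershell
# Added example: map a local port to the process (and Windows services) that own it.
# Get-PortOwner is a hypothetical helper name, not part of any Fortinet tool.
function Get-PortOwner {
    param(
        [Parameter(Mandatory)][ValidateSet('TCP', 'UDP')][string]$Protocol,
        [Parameter(Mandatory)][ValidateRange(1, 65535)][int]$Port
    )
    # UDP sockets have no state; for TCP only listening sockets are relevant.
    $endpoints = if ($Protocol -eq 'UDP') {
        Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue
    } else {
        Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    }
    if (-not $endpoints) { return }   # nothing bound to this port

    foreach ($procId in @($endpoints.OwningProcess | Sort-Object -Unique)) {
        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        # netstat -abo shows only the executable; a shared svchost.exe can host
        # several services, so list the services running inside this PID too.
        $services = if ($procId -gt 0) {
            (Get-CimInstance Win32_Service -Filter "ProcessId = $procId").Name
        }
        [pscustomobject]@{
            Protocol  = $Protocol
            Port      = $Port
            Addresses = @($endpoints | Where-Object OwningProcess -eq $procId |
                            ForEach-Object LocalAddress | Sort-Object -Unique) -join ', '
            ProcessId = $procId
            Process   = $proc.ProcessName
            Services  = @($services) -join ', '
        }
    }
}

# UDP/514: syslog listener added in Collector Agent build 5.0.0290.
# TCP/8000: default port FortiGate uses to reach the Collector Agent.
$udp514  = @(Get-PortOwner -Protocol UDP -Port 514)
$tcp8000 = @(Get-PortOwner -Protocol TCP -Port 8000)
$udp514 + $tcp8000 | Format-Table -AutoSize

if ($tcp8000.Count -eq 0) {
    Write-Warning 'Nothing is listening on TCP/8000; FortiGate cannot reach the Collector Agent.'
}
```

If the UDP/514 row names a process other than the Collector Agent, that process is the one causing the 'cannot bind to UDP socket' error.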

From FortiGate, double-check that the FSSO CA is listening and additionally verify that it can be reached using a telnet connection:

<span class="lia-inline-image-display-wrapper lia-image-align-center"><span class="lia-message-image-wrapper lia-message-image-actions-narrow lia-message-image-actions-below">![matanaskovic_3-1660919668489.png](https://community.fortinet.com/t5/image/serverpage/image-id/10642i554BD245DB9ADCE7/image-dimensions/605x164/is-moderation-mode/true?v=v2 "matanaskovic_3-1660919668489.png")</span></span>

When the debug command for verifying the FSSO server status is used, 'waiting for retry' can still be seen as the Connection Status.

<span class="lia-inline-image-display-wrapper lia-image-align-center"><span class="lia-message-image-wrapper lia-message-image-actions-narrow lia-message-image-actions-below">![matanaskovic_4-1660919694805.png](https://community.fortinet.com/t5/image/serverpage/image-id/10643i94F0199583F8E012/image-dimensions/602x158/is-moderation-mode/true?v=v2 "matanaskovic_4-1660919694805.png")</span></span>

Commands in the picture:

- diagnose debug enable
- diagnose debug authd fsso server-status

To troubleshoot the FSSO CA on the Windows server further, run the following debug application authd command.

<span>**diagnose debug application authd -1**  
Debug messages will be on for 30 minutes.  
photon-kvm12 (root) # **diagnose debug enable**  
photon-kvm12 (root) # authd\_timer\_run: 2 expired  
authd\_epoll\_work: timeout 5000  
authd\_timer\_run: 1 expired  
authd\_epoll\_work: timeout 990  
authd\_timer\_run: 1 expired  
authd\_epoll\_work: timeout 10000  
authd\_epoll\_work: timeout 10000  
Server challenge:  
 f9 57 20 05 7a 00 6d 50 42 7b a5 48 02 5d cf 37  
MD5 response:  
 d5 08 03 a2 66 f1 ad 2b 0c 9a 6f 9b a5 d1 e9 1c  
authd\_epoll\_work: timeout 9990  
**\_process\_auth\[FSSO-Collector Agent\]: server authentication failed, aborting**  
**disconnect\_server\_only\[FSSO-Collector Agent\]: disconnecting**  
authd\_epoll\_work: timeout 9990  
diag deb disaauthd\_timer\_run: 1 expired  
authd\_epoll\_work: timeout 9980  
authd\_epoll\_work: timeout 9980  
Server challenge:  
 19 58 fc 28 4b 3a 66 7c 2c 0e 09 62 96 56 76 45  
MD5 response:  
 73 b5 03 1b b8 64 21 c8 82 7e 8d 10 e6 2b c3 99  
authd\_epoll\_work: timeout 9970  
**\_process\_auth\[FSSO-Collector Agent\]: server authentication failed, aborting**  
**disconnect\_server\_only\[FSSO-Collector Agent\]: disconnecting**  
authd\_epoll\_work: timeout 9960</span>

After re-entering or changing the FSSO Agent password that is used for communication between FortiGate and the FSSO Collector Agent, communication is finally established.

Make sure the password is less than 15 characters. The FSSO collector agent can only accept passwords up to 15 characters in length.

The status will then show as 'Connected', which can be verified once again using a debug command.

<span class="lia-inline-image-display-wrapper lia-image-align-center"><span class="lia-message-image-wrapper">![matanaskovic_0-1661436846730.png](https://community.fortinet.com/t5/image/serverpage/image-id/10936iF9EB1586C6B052E6/image-dimensions/629x333/is-moderation-mode/true?v=v2 "matanaskovic_0-1661436846730.png")</span></span>

<span class="lia-inline-image-display-wrapper lia-image-align-center"><span class="lia-message-image-wrapper">![matanaskovic_5-1660919765998.png](https://community.fortinet.com/t5/image/serverpage/image-id/10644i274C45C214CB14A9/image-dimensions/627x158/is-moderation-mode/true?v=v2 "matanaskovic_5-1660919765998.png")</span></span>

Identify the user account used to run the Fortinet Single Sign On process service and validate the permissions of that account. It must belong to the Administrators and/or Domain Admins groups:

<span class="lia-inline-image-display-wrapper lia-image-align-center"><span class="lia-message-image-wrapper lia-message-image-actions-narrow lia-message-image-actions-below">![admin account credentials.png](https://community.fortinet.com/t5/image/serverpage/image-id/37993iA747173AFFD1C490/image-size/large/is-moderation-mode/true?v=v2&px=999 "admin account credentials.png")</span></span>

<span class="lia-inline-image-display-wrapper lia-image-align-center"><span class="lia-message-image-wrapper">![the account should be admin or in admin group.png](https://community.fortinet.com/t5/image/serverpage/image-id/37994i66BC0CEC1156AE78/image-size/large/is-moderation-mode/true?v=v2&px=999 "the account should be admin or in admin group.png")</span></span>

If it still does not work after confirming that the password is the same on both FortiGate and the Collector agent, try to uninstall and reinstall the Collector agent.

To uninstall the collector agent in Windows, go to **Add or Remove programs** under **System Settings**. Find the FSSO Collector agent and uninstall it.

To reinstall the collector agent, refer to [Technical Tip: How to install the FSSO Collector Agent](https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-install-the-FSSO-Collector-Agent/ta-p/252983).

After it is installed again, configure the FSSO collector agent and try to connect it again to the FortiGate.

The status should then show as 'Connected'.