hbac
Staff
December 4, 2022

Technical Tip: Hard Token error 'token already activated, and seed won't be returned'

Description

This article describes the situation where hard tokens show an error status and how to fix it.

Scope

FortiGate, Hard token.
Solution


 

The CLI shows the following error:


diagnose fortitoken info
FORTITOKEN DRIFT STATUS
FTK200BAA0000000 0 token already activated, and seed won't be returned
FTK200BAA0000001 0 token already activated, and seed won't be returned

Total activated token: 21
Total global activated token: 21

Token server status: reachable

 

  • These tokens need to be reset on the server side, which requires opening a support ticket with TAC Support.
  • Provide the list of serial numbers (S/N) of the FortiTokens that need to be reset.
  • On the Hardware page of the FortiGate, check all the hard tokens that are used by the end users in the account.
  • Only unassigned hard tokens can be deleted.
  • The FortiTokens with the Serial Number Prefix FortiToken 200, FortiToken 210 and FortiToken 220 can be reset by TAC Support.
  • The FortiTokens with Serial Number Prefix FortiToken 200CD and FortiToken 200BCD (with the serial number prefix FortiToken 211) are not supported.
  • Those FortiTokens can be reset only with an activation file on the CD.
  • Those models are distributed with a CD that contains encrypted data for the FortiToken to work. Keep the CD protected and don't lose it.
  • After the tokens are reset on the server side, they can be activated from the User & Authentication -> FortiTokens page or with the following command.

 


 

  • It might take a few minutes to update.

 

execute fortitoken activate FTK200BAA0000000
execute fortitoken activate FTK200BAA0000001
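
The triage described above, as an added Python example that is not from the original article or from Fortinet: it parses saved 'diagnose fortitoken info' output, lists the serial numbers to send to TAC, separates the tokens that need the CD activation file, and builds the activation commands to run after the reset. The FTK200/FTK210/FTK220 and FTK211 prefix strings, the FTK211 sample serial and the function names are assumptions.

```python
import re

# Constructed sample in the format of the 'diagnose fortitoken info' output above.
# The FTK211 serial is made up to show the CD-only case.
SAMPLE = """\
FORTITOKEN DRIFT STATUS
FTK200BAA0000000 0 token already activated, and seed won't be returned
FTK200BAA0000001 0 token already activated, and seed won't be returned
FTK211BAA0000002 0 token already activated, and seed won't be returned

Total activated token: 21
Token server status: reachable
"""

STUCK = "token already activated, and seed won't be returned"
# Assumption: the models named in the article map to these serial-number prefixes.
TAC_RESETTABLE = ("FTK200", "FTK210", "FTK220")
CD_ONLY = ("FTK211",)  # FortiToken 200CD / 200BCD

# One row per token: serial, drift value, status text.
ROW = re.compile(r"^(FTK\w+)\s+(-?\d+)\s+(.*\S)\s*$")

def triage(output):
    """Sort tokens showing the error into TAC-reset, CD-only and unknown lists."""
    result = {"tac_reset": [], "cd_only": [], "unknown": []}
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if not m or m.group(3) != STUCK:
            continue  # header, totals, or a token in another state
        serial = m.group(1)
        if serial.startswith(CD_ONLY):
            result["cd_only"].append(serial)
        elif serial.startswith(TAC_RESETTABLE):
            result["tac_reset"].append(serial)
        else:
            result["unknown"].append(serial)  # check the model by hand
    return result

def activation_commands(serials):
    """Commands to run on the FortiGate after TAC confirms the reset."""
    return [f"execute fortitoken activate {s}" for s in serials]

if __name__ == "__main__":
    groups = triage(SAMPLE)
    print("Serial numbers for the TAC ticket:", ", ".join(groups["tac_reset"]))
    print("Reset with the activation file on the CD:", ", ".join(groups["cd_only"]))
    print("\n".join(activation_commands(groups["tac_reset"])))
```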

 

Note:

There is a known issue (bug ID: 1218458) affecting FortiOS v7.4.10, v7.4.11, and v7.6.3 to v7.6.6, where trying to activate the correct token gives 'cmdb save error'; it is resolved in later versions. As a workaround, seed file import can be used to activate the tokens (see Resolving CMDB save errors for hardware FortiToken).

 

Related article:
Technical Tip: FortiToken Basic Troubleshooting