Troubleshooting Tip: Issue with mobile FortiToken assigned in FortiGate HA cluster.

Description

This article describes an issue related to the assignment of mobile FortiTokens when the license is mapped on one FortiGate, but the primary is the other FortiGate.

Scope

FortiOS v7.2.13, v7.4.9.

Solution

For example, the mobile FortiTokens license is mapped to FortiGate with Serial Number: FGT100FXXXXXXXX1, but the Primary FortiGate in the HA cluster is the FortiGate with Serial Number: FGT100FXXXXXXXX2. In this case, when running the below debug commands, only FortiGate with Serial Number: FGT100FXXXXXXXX2 is sending information to FortiGuard, instead of both Serial Numbers. For this reason, the token assignment is aborted.

diagnose debug disable
diagnose debug reset
diagnose debug application forticldd -1
diagnose fortitoken debug enable
diagnose debug enable

{"d":{"__type":"SoftToken.PollingResponse","__version":"4","serial_number":
"FGT100FXXXXXXXX2","__device_version":"7.0","__device_build":"1761","__clustered_sns":
[{"sn":"FGT100FXXXXXXXX2","error":null}],"tokens":[{"token":"FTKMOBYYYYYYYYYYY",
"license":null,"state":null,"error":{"error_code":31,"error_message":"token does not 
belong to product"}}],"result":0,"error":{"error_code":17,"error_message":"no valid 
token found"}}} 2025-11-06 15:39:49 ftm_fc_command[611]:received error from forticare 
[-7567]

This issue is fixed in FortiOS v7.4.10, v7.6.7, and v8.0.0.