Skip to main content
desaia
Staff
desaia
Staff
June 25, 2025

Troubleshooting Tip: Unable to login to the SSL VPN/IPsec VPN using 2FA for new users

  • June 25, 2025
  • 0 replies
  • 1000 views

Description

This article describes how to handle a scenario where the user is unable to connect to the SSL VPN/IPsec VPN using 2FA when FortiTokens are assigned.

Scope

FortiGate, FortiToken Mobile.

Solution

When checking the SSL VPN/IKE debugs, the logs will show 'Token check failed' even though the user is authenticated successfully using RADIUS/LDAP:


2025-06-24 12:55:03 [2354] handle_req-Token check failed, result -30113
2025-06-24 12:55:03 [755] __ldap_destroy-
2025-06-24 12:55:03 2025-06-24 12:55:03 [3431:root:bee]2025-06-24 12:55:03 [755] __ldap_destroy-
fam_auth_proc_resp:1371 fnbam_auth_update_result return: 1 (invalue username/password)
2025-06-24 12:55:03 [755] __ldap_destroy-
2025-06-24 12:55:03 2025-06-24 12:55:03 [3431:root:bee][fam_auth_proc_resp:1472] Authenticated groups (22) by FNBAM with auth_type (16):
2025-06-24 12:55:03 [1086] fnbamd_ext_idps_destroy-
.
2025-06-24 12:55:03 [3431:root:bee]login_failed:405 user[test.user],auth_type=16 failed [sslvpn_login_permission_denied]


'Token check failed' usually indicates the FortiToken is not activated.

 

  • The output of the FortiToken shows the status as 'Provisioning' instead of 'Provisioned'.


diagnose fortitoken info

FORTITOKEN DRIFT STATUS
FTKMOBXXXXXXXXXX 0 Provisioning <----- This should be 'Provisioned'.

 

  • Deactivation and assignment of another FortiToken to the user fixes this problem.

To deactivate a FortiToken for the user, see this document: Deactivating a FortiToken.

To assign FortiToken to a user:

2.jpg

 

To assign FortiToken to a local user via CLI:


config user local
    edit test_user  <----- Set username.
        set passwd test1243 <----- Set a strong user password.
        set two-factor fortitoken
        set fortitoken FTKMOBXXXXXXXXXX   <----- Hit tab, the available token will populate.
        set email-to test_user@test.org   <----- Enter user email.
        set status enable
end

 

Note: For IPsec dial-up VPN connections, if a token is reassigned to a user and authentication issues persist (e.g., intermittent connection or failed login), it is recommended to increase the authentication/negotiation timeout. This allows remote users sufficient time to enter the one-time password (OTP) during the authentication process: Technical Tip: Adjusting IPsec negotiation timeout.

Related article:

Technical Tip: Correctly configuring Two-Factor Authentication for LDAP users using SSL VPN

Terms & ConditionsAccessibility statement