Server unreachable error when user approves FortiToken on phone, new token temporarily solves this.

Not sure if it's a coincidence, but we tried to authorize through the OTP (6 digit code) and it seemed to work perfectly.

Hi @Riggie,

Can you try to refer to this article and see if you can found any error "https://community.fortinet.com/t5/FortiGate/Technical-Tip-Token-server-status-unreachable-appears-under-the/ta-p/255898"

Regards,
Minh

Hello, 

When the issue is occurring I would suggest you to run the debug command in this article to investigate it further.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Token-server-status-unreachable-appears-under-the/ta-p/255898

Thanks,
Pavan

We are experiencing the exact same issue in our environment.  We have a FortiGate 101F running 7.2.6.  Thankfully for the users who are affected, they are able to manually enter the 6 digit code from the FortiToken Mobile App to authenticate.  We had been reassigning new tokens to get around it, and it worked for a few users, but now that no longer works.  Seems like once a token has been assigned to anyone previously it will no longer be able to connect to the authentication server if you reassign it to someone else, even though the token status indicates all is OK.

To be clear, the token provisioning process is working fine, the token status successfully moves from Available -> Pending -> Assigned.  The mobile device successfully activates the new token and receives mobile push notifications, but trying to accept the push request fails with the "server unreachable" error on the mobile device.  Manually entering the 6 digit token code works.

Has anyone found a solution or cause of this issue? Two of my users are experiencing this, with another one having had this issue once but when trying to log in again it then worked. The two others have the issue all the time and have to enter the code manually. 

We're on 7.0.12 and the FortiToken Mobile App is on the latest version.

Hi @Riggie,

Could you collect the below logs to investigate further?

If possible, create a PCAP from the Android client.
The following application is unrelated to Fortinet, but it has been helpful for creating packet captures per application.
https://play.google.com/store/apps/details?id=com.emanuelef.remote_capture&hl=de&gl=US
Select the FortiToken Mobile application and reproduce the issue.

Run Debug at the same time in FGT:
diag debug console timestamp enable
diag debug app forticldd -1
diag debug app ftm-push
diag fortitoken debug enable
diag debug enable

post reproducing the issue, disable debug using the below command

diag debug disable

diag debug reset

Hello,

I've got the PCAP and other support files, but I wish to share them privately as they contain sensitive information. Is there someone from staff where I can send the files to?

I've been battling the same issues, did you end up finding a resolution? 

This is still an ongoing issue for us.  All of our users have the same configuration/equipment/cell phones, all users are on the same cell provider, etc.  It happens if the phone is connected via wi-fi or cellular service and it effects about 15% of our users (including myself).  Sometimes switching tokens makes it work temporarily, other times it doesn't.  

On the problematic tokens, after hitting approve after receiving the FortiToken push notification, using the debug commands above the following error is being logged in the console: ssl accept error:1

Any ideas on what this indicates and what could cause this?  It's really odd to me that this only effects some users and not all.

Thanks!