anoushiravan
Staff
Article Id 308115
Description

This article describes the requirements for using FortiToken as two-factor authentication on FortiGate. To use FortiToken on FortiGate, note the following:

 

  • When the FortiToken Mobile license is activated, it should be registered under the Master FortiGate serial number in the case of an HA cluster.
  • If the FortiToken Mobile license is registered under the slave unit, the license will not be activated under the Master unit. For initial activation, it is therefore necessary to register the license under the Master serial number.
  • The FortiToken Mobile license will not work when a config file is uploaded from one FortiGate to another FortiGate. In this case, the license should first be registered under the FortiGate on which the FortiToken Mobile license is going to be activated again.
  • The FortiToken Mobile license can be activated only if the FortiGate has a connection with the FortiGuard server.

 

For instance, in the FortiToken debugging output below, the FortiToken FTKMOB947FDC1754 is not working because its license has been registered under a different FortiGate serial number. Therefore, the error message 'token does not belong to product' appears:

 

FGT (vdom) # edit root
current vf=root:0
FGT (root) # di de dis
FGT (root) # di de reset
FGT (root) # di fortitoken debug enable
Debug messages will be on for 30 minutes.
FGT (root) # di de cons time en

FGT (root) # 2024-03-30 04:10:03 ftm_cfg_provision_token[417]:provision token: FTKMOB947FDC1754
2024-03-30 04:10:03 ftm_fc_provision_token[810]:Provision token:FTKMOB947FDC1754
2024-03-30 04:10:04 ftm_fc_comm_connect[66]:ftm TCPS connected.
2024-03-30 04:10:04 ftm_fc_comm_send_request[128]:send packet success.

POST /SoftToken/Provisioning.asmx/Process HTTP/1.1
Accept: application/json, text/javascript, */*, q=0.01
Content-Type: application/json;charset=utf-8
X-Requested-With: XMLHttpRequest
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: 208.91.113.53:443
Content-Length: 405
Connection: Keep-Alive
Cache-Control: no-cache

{ "d": { "__type": "SoftToken.ProvisionRequest", "__version": "4", "__device_version": "7.0", "__device_build": "2573", "serial_number": "FG140E4Q17000494", "__clustered_sns": [ { "sn": "FG140E4Q17000494" }, { "sn": "FG140E4Q17000407" } ], "tokens": [ { "token": "FTKMOB947FDC1754", "seed": "A84E2CAAD3BCEA970E05DC1A9B7BD2D562622F4A", "code_expire": 4320, "type": "totp", "period": 60, "digits": 6 } ] } }

2024-03-30 04:10:04 ftm_fc_comm_recv_response[277]:receive packet success.

{"d":{"__type":"SoftToken.ProvisionResponse","__version":"4","serial_number":"FG140E4Q17000494","__device_version":"7.0","__device_build":"2573","__clustered_sns":[{"sn":"FG140E4Q17000407","error":"Product is not registered"},{"sn":"FG140E4Q17000494","error":null}],"tokens":[{"token":"FTKMOB947FDC1754","license":null,"token_activation_code":null,"qr_code":null,"code_expire":null,"error":{"error_code":31,"error_message":"token does not belong to product"}}],"result":0,"error":{"error_code":17,"error_message":"no valid token found"}}}
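
The following Python script is an added example, not code from this article or from Fortinet. It reads a saved copy of the debug output shown above, lists the per-cluster-member, per-token and request-level errors from the SoftToken.ProvisionResponse body, and masks the seed field of the request before the capture is attached to a ticket. The function names and the sample serial numbers and seed are assumptions constructed for illustration.

```python
import json
import re

# Constructed sample modeled on the debug output above; serials and seed are placeholders.
SAMPLE_DEBUG = '''\
2024-03-30 04:10:04 ftm_fc_comm_send_request[128]:send packet success.
{ "d": { "__type": "SoftToken.ProvisionRequest", "serial_number": "FGT-EXAMPLE-A", "tokens": [ { "token": "FTKMOB-EXAMPLE-1", "seed": "0123ABCD0123ABCD", "type": "totp" } ] } }
2024-03-30 04:10:04 ftm_fc_comm_recv_response[277]:receive packet success.
{"d":{"__type":"SoftToken.ProvisionResponse","serial_number":"FGT-EXAMPLE-A","__clustered_sns":[{"sn":"FGT-EXAMPLE-B","error":"Product is not registered"},{"sn":"FGT-EXAMPLE-A","error":null}],"tokens":[{"token":"FTKMOB-EXAMPLE-1","license":null,"error":{"error_code":31,"error_message":"token does not belong to product"}}],"result":0,"error":{"error_code":17,"error_message":"no valid token found"}}}
'''

def redact_seeds(text):
    """Mask token seed values so the capture can be shared."""
    return re.sub(r'("seed"\s*:\s*")[0-9A-Fa-f]+(")', r'\1<redacted>\2', text)

def find_responses(text):
    """Yield the body of every SoftToken.ProvisionResponse found in the text."""
    decoder = json.JSONDecoder()
    for match in re.finditer(r'\{\s*"d"\s*:', text):
        try:
            obj, _ = decoder.raw_decode(text, match.start())
        except json.JSONDecodeError:
            continue  # truncated or garbled capture, skip this candidate
        body = obj.get("d") or {}
        if body.get("__type") == "SoftToken.ProvisionResponse":
            yield body

def _fmt(err):
    return f'{err["error_code"]}: {err["error_message"]}'

def triage(text):
    """Return (scope, identifier, reason) tuples for every error reported."""
    findings = []
    for body in find_responses(text):
        for member in body.get("__clustered_sns") or []:
            if member.get("error"):  # e.g. a cluster member that is not registered
                findings.append(("cluster", member.get("sn"), member["error"]))
        for token in body.get("tokens") or []:
            if token.get("error"):   # e.g. license registered under another serial
                findings.append(("token", token.get("token"), _fmt(token["error"])))
        if body.get("error"):        # overall result of the provisioning request
            findings.append(("request", body.get("serial_number"), _fmt(body["error"])))
    return findings

if __name__ == "__main__":
    for scope, ident, reason in triage(redact_seeds(SAMPLE_DEBUG)):
        print(f"{scope:8} {str(ident):20} {reason}")
```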

Scope

FortiGate.

Solution

Open a ticket with the CS team to transfer/register the FortiToken Mobile license under the serial number of the FortiGate on which it is supposed to be activated (the Master serial number in the case of an HA cluster).

 

Once the FortiToken Mobile license has been registered under the correct FortiGate serial number by CS (CS ticket), go to FortiGate and activate the FortiToken Mobile license under: User & Device -> FortiTokens -> Create New -> Mobile Token, enter the activation code from the license in the activation code field -> 'OK'.

 

Read the links below for more information regarding the activation of the FortiToken Mobile license on FortiGate via GUI or CLI:
Technical Tip: Forti-Mobile token configuration in detail

Registering FortiToken Mobile