FortiAuthenticator
FortiAuthenticator provides access management and single sign on.
Stelios_FTNT
Staff
Article Id 197403
Description
On a FortiAuthenticator cluster, if a member of the cluster is replaced and a new member joins the cluster, an error might be received when a FortiToken Mobile license is provisioned: "FTM provision: HA cluster SN "FACYYYXXXXXXXXXX" error: Product is not registered(21)".

Solution
The serial numbers (SNs) of FortiAuthenticator HA cluster members are stored in an internal database so that an FTM license associated with one cluster member can continue to be used after an HA failover.  The SNs of all members that have been part of the cluster over its history are accumulated and stored.  Some of these SNs may become obsolete or expired and no longer be registered with the FortiCare server.  These SNs will cause the warning message described above.

Here is a summary of how this issue can happen:

1.  A FortiAuthenticator HA cluster is set up with licenses SN1 and SN2 respectively.  Note that both SN1 and SN2 are registered on the FortiCare server (support.fortinet.com).

2.  When an FTM license (FTM1) is registered on the FortiAuthenticator master, say SN1, it is stored in the database of both members.

3.  Assign tokens from FTM1 to a user.  The tokens should be provisioned successfully.

4.  If the unit with SN1 has been replaced (for example following an RMA), the HA pair is updated to a newer license pair SN3 and SN2.  At the same time FTM1 is transferred from SN1 to the new SN3.

5.  When SN1 actually expires (because the licenses are transferred and SN1 is not valid anymore), it is no longer registered in FortiCare.  However, it is still stored in the FortiAuthenticator database as a cluster member SN.  So when a token from FTM1 is assigned to a user, the warning message described in this article will appear.  The FortiAuthenticator log will also show "FTM provision: HA cluster SN "FACYYYXXXXXXXXXX" error: Product is not registered(21)".

The following CLI options can be used to resolve the issue:
execute ha-sn-list ----> List all HA cluster members' serial numbers that have been used in FTM license activation.
execute ha-sn-delete ----> Delete an expired or obsolete HA cluster member serial number that is no longer used in FTM license activation.

The first command shows the obsolete SN1 in its output.  The second command deletes it from the list, which removes the warning message.

Example: 'execute ha-sn-delete FACYYYXXXXXXXXXX'
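
The following added example, which is not from the original article or from Fortinet, scans exported log lines for the message quoted above and separates SNs that are candidates for 'execute ha-sn-delete' from SNs that still belong to the cluster. The log line layout, the sample SNs and the function names are constructed for illustration, and the list of current members is assumed to be supplied by the operator.

```python
import re

# Message text as quoted in the article; the SN sits between the quotes.
FTM_SN_ERROR = re.compile(
    r'FTM provision: HA cluster SN "?(?P<sn>[A-Za-z0-9]+)"? '
    r'error: Product is not registered\(21\)'
)

def triage(log_lines, current_members):
    """Split SNs seen in the error into stale ones and current cluster members."""
    current = {sn.upper() for sn in current_members}
    stale, still_in_use = set(), set()
    for line in log_lines:
        match = FTM_SN_ERROR.search(line)
        if not match:
            continue
        sn = match.group("sn").upper()
        # Guard (assumption of this example): an SN of a unit still in the
        # cluster is never a delete candidate; check its registration instead.
        (still_in_use if sn in current else stale).add(sn)
    return sorted(stale), sorted(still_in_use)

def delete_commands(stale_sns):
    """Render the article's CLI command for each stale SN, for operator review."""
    return [f"execute ha-sn-delete {sn}" for sn in stale_sns]

# Constructed sample data: the timestamp prefix and the SNs are made up.
SAMPLE_LOG = [
    '2024-01-01 10:00:00 FTM provision: HA cluster SN "FACOLD0000000001" error: Product is not registered(21)',
    '2024-01-01 10:00:05 FTM provision: HA cluster SN "FACOLD0000000001" error: Product is not registered(21)',
    '2024-01-01 10:01:00 FTM provision: HA cluster SN "FACNEW0000000002" error: Product is not registered(21)',
    '2024-01-01 10:02:00 unrelated log entry',
]
CURRENT_MEMBERS = ["FACNEW0000000002", "FACNEW0000000003"]  # operator-supplied

if __name__ == "__main__":
    stale, still_in_use = triage(SAMPLE_LOG, CURRENT_MEMBERS)
    for cmd in delete_commands(stale):
        print(cmd)
    for sn in still_in_use:
        print(f"# {sn} is a current member: check FortiCare registration, do not delete")
```

Compare the candidates against the output of 'execute ha-sn-list' before running any of the generated commands.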
