Help
FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
yangw
Staff
Staff

Created on ‎01-06-2025 01:46 AM Edited on ‎12-17-2025 02:41 AM By Staff

Article Id 367461

Technical Tip: FortiToken status always displays pending even though the service is working normally

Description This article describes how to investigate the issue of FortiToken status, which always displays as pending even though the service is working normally.
Scope FortiAuthenticator v6.
Solution

Looking specifically at the now working users, the users' tokens were PENDING. A few days later they reported that all the PENDING activations had expired, and the users got disabled again.


pending.png

 

The error log can be seen below in the access log.

 

date=2024-01-22 time=22:14:15+0000 oid=3318835 logid=30909 cat="Event" subcat="System" level="error" nas="" action="" status="" msg="FTM polling error: unable to connect to server: failed to connect fortitokenmobile.fortinet.com:443" user="admin"

 

date=2024-01-23 time=01:19:55+0000 oid=3318980 logid=30909 cat="Event" subcat="System" level="information" nas="" action="" status="" msg="FTM polling: try to deprovision expired pending token: FTKMOB0XXXXXXXX" user="admin"

 

date=2024-01-23 time=01:19:56+0000 oid=3318981 logid=30909 cat="Event" subcat="System" level="warning" nas="" action="" status="" msg="FTM deprovision: disabled remote LDAP user 'josararai' because FTM activation has expired. Admin must be cautious to re-enable this user because it will be allowed access without token." user="admin"

 

The issue matches a known issue 988000 reported due to bulk de-provisioning of FortiToken Mobiles once FortiToken Mobile servers become reachable if they were provisioned when FortiToken Mobile servers were unreachable.

 

Provide the Summary logs to the Technical Support team via a Support ticket

To add an update on the support ticket, log in to the support portal -> Support -> Manage Active Ticket and check for the ticket number and provide an update on the ticket.

 

FTMD service has to be checked.

 

Output will be like this:

 

Current Processes (by CPU usage)
================================
Mem: 11543216K used, 4838868K free, 1586696K shrd, 1215712K buff, 6782252K cached
CPU: 34.1% usr 0.0% sys 0.0% nic 65.8% idle 0.0% io 0.0% irq 0.0% sirq
Load average: 2.69 2.34 2.26 2/526 2616
PID PPID USER STAT VSZ %VSZ CPU %CPU COMMAND
1692 1 root R 11184 0.0 1 25.0 /bin/ftmd

 

Which means that the ftmd service has stuck, and this leads to delayed or no FortiToken Mobile polling anymore.

 

Note:

The issue is also observed in v6.6.4 and v6.6.3.

 

The workaround is the FortiAuthenticator reboot in the current version. After reboot, all users with FortiToken mobile in pending status will be disabled, and tokens will be moved to the available poll.


Manually enable users and assign new tokens. When users activate tokens, the status of the tokens will be renewed on FortiAuthenticator.
2087
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.