FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
ocara (Staff)
Article Id 327581
Description

This article explains how to troubleshoot the situation where a FortiToken Mobile cannot be assigned to a user and the following error is displayed: 'Unable to provision token FTKMOB------: Unknown error. Your changes have been rolled back. Please try again later.'

This issue usually occurs because of connectivity or DNS problems with 'fortitokenmobile.fortinet.com', the hostname of the cloud servers responsible for provisioning tokens to users.

  1. Check the RAW logs for errors: look for any specific error messages that have appeared.
  2. DNS issues: if FortiAuthenticator is reporting a DNS issue, investigate why the DNS server cannot resolve the FortiToken Mobile provisioning servers.
  3. Connectivity issues: if FortiAuthenticator is reporting connectivity issues, verify whether it is possible to ping these servers. The steps needed to troubleshoot connectivity problems are given below.
Scope

FortiAuthenticator.

Solution

When trying to assign a specific token to a user, it is possible to encounter the following error:

[Screenshot: the 'Unable to provision token' error shown in the GUI]

To troubleshoot this problem, the first step is to check the RAW logs under Logging -> Log Access -> Logs.

The logs give an idea of what the problem might be, which is usually related to connectivity or DNS issues.

  1. DNS issue: in the RAW logs, an error like 'Unable to Resolve Domain Name' should appear.

[Screenshot: RAW log entry 'Unable to Resolve Domain Name']

Run the necessary command to test DNS resolution from the CLI:

execute nslookup fortitokenmobile.fortinet.com

The DNS server should resolve the name to the IPs below:

Non-authoritative answer:

Name:   fortitokenmobile.fortinet.com

Address: 173.243.138.84

Name:   fortitokenmobile.fortinet.com

Address: 208.91.113.27

Name:   fortitokenmobile.fortinet.com

Address: 208.91.113.29

  • If the DNS server does not resolve the name to the IPs above, check the organization's DNS server to find out why it is not resolving them.

  • Temporary solution: configure Google DNS servers (8.8.8.8) under System -> Network -> DNS.

  2. Connectivity issue: in the RAW logs, FortiAuthenticator should complain about a connection timeout, as shown below:

[Screenshot: RAW log entry showing the connection timeout]

From the CLI, try to ping and traceroute toward 'fortitokenmobile.fortinet.com':

execute ping fortitokenmobile.fortinet.com

execute traceroute fortitokenmobile.fortinet.com

Sometimes ping is not permitted by the organization's policies. In this case, a packet capture is necessary:

execute tcpdumpfile -i any host fortitokenmobile.fortinet.com

In the PCAP file, there should be only TCP SYN packets from FortiAuthenticator, with no SYN-ACK or ACK in return, and no TLS communication should occur.

[Screenshot: packet capture showing unanswered TCP SYN packets]

GUI debug on FortiAuthenticator, accessible via https://FAC-IP/debug/Others/GUI, should show error code -12:

2024-07-21T17:43:48.788928+02:00 FortiAuthenticator gui[12611] debug fac.home.www-data.fac.fac.apps.fac_auth.clibs __init__ 140178883389120 Token provisioning request is from FAC.

2024-07-21T17:43:58.812890+02:00 FortiAuthenticator gui[12611] error fac.home.www-data.fac.fac.apps.fac_auth.clibs __init__ 140178883389120 FTM provisioning request failed for "FTKMOB163C4772B3": Unknown error (error code -12)

2024-07-21T17:47:43.903762+02:00 FortiAuthenticator gui[12611] debug fac.home.www-data.fac.fac.apps.fac_auth.clibs __init__ 140178916959936 Token provisioning request is from FAC.

2024-07-21T17:47:53.932704+02:00 FortiAuthenticator gui[12611] error fac.home.www-data.fac.fac.apps.fac_auth.clibs __init__ 140178916959936 FTM provisioning request failed for "FTKMOB163C4772B3": Unknown error (error code -12)
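As an added example (not part of this article or of FortiAuthenticator itself), a small Python parser for GUI debug lines in the format shown above: it pairs each 'Token provisioning request' entry with the failure logged on the same thread id and reports the token serial, the error code and the seconds elapsed between the two. The sample input is the four lines from this article, embedded inline; the line layout the regular expression assumes is taken from those lines only.

```python
import re
from datetime import datetime

# Sample GUI debug lines copied from the article (FAC-IP/debug/Others/GUI).
SAMPLE_LOG = """\
2024-07-21T17:43:48.788928+02:00 FortiAuthenticator gui[12611] debug fac.home.www-data.fac.fac.apps.fac_auth.clibs __init__ 140178883389120 Token provisioning request is from FAC.
2024-07-21T17:43:58.812890+02:00 FortiAuthenticator gui[12611] error fac.home.www-data.fac.fac.apps.fac_auth.clibs __init__ 140178883389120 FTM provisioning request failed for "FTKMOB163C4772B3": Unknown error (error code -12)
2024-07-21T17:47:43.903762+02:00 FortiAuthenticator gui[12611] debug fac.home.www-data.fac.fac.apps.fac_auth.clibs __init__ 140178916959936 Token provisioning request is from FAC.
2024-07-21T17:47:53.932704+02:00 FortiAuthenticator gui[12611] error fac.home.www-data.fac.fac.apps.fac_auth.clibs __init__ 140178916959936 FTM provisioning request failed for "FTKMOB163C4772B3": Unknown error (error code -12)
"""

# Layout assumed from the sample: timestamp, host, gui[pid], level, logger, module, thread id, message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ gui\[\d+\] (?P<level>\w+) \S+ \S+ (?P<thread>\d+) (?P<msg>.*)$"
)
# Failure message carries the token serial and the numeric error code.
FAIL_RE = re.compile(
    r'failed for "(?P<serial>FTKMOB[0-9A-F]+)".*\(error code (?P<code>-?\d+)\)'
)


def correlate_failures(log_text):
    """Pair every provisioning request with the failure on the same thread id.

    Returns a list of dicts: token serial, error code and elapsed seconds
    between the request and the failure, in the order the failures appear.
    """
    pending = {}  # thread id -> timestamp of the outstanding provisioning request
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not GUI debug records
        ts = datetime.fromisoformat(m["ts"])
        if m["msg"].startswith("Token provisioning request"):
            pending[m["thread"]] = ts
            continue
        fail = FAIL_RE.search(m["msg"])
        if fail and m["thread"] in pending:
            started = pending.pop(m["thread"])
            results.append({
                "serial": fail["serial"],
                "code": int(fail["code"]),
                "elapsed_s": round((ts - started).total_seconds(), 3),
            })
    return results


if __name__ == "__main__":
    for r in correlate_failures(SAMPLE_LOG):
        print(f'{r["serial"]}: error code {r["code"]} after {r["elapsed_s"]} s')
```

In the article's sample each failure is logged roughly 10 seconds after its request, which is consistent with the connection timeout reported in the RAW logs rather than with an immediate rejection.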

Summary:

  • Ensure that connectivity between FortiAuthenticator and the FortiGuard provisioning servers is established and working correctly.
  • Check whether any inspection applied on firewall policies could be affecting FortiAuthenticator's traffic.
  • If everything is fine on the network side, contact Fortinet TAC about possible issues with the FortiToken Mobile servers in the region.