Description |
This article explains how to troubleshoot when it is impossible to assign a FortiToken Mobile to a user. The error message displayed is: 'Unable to provision token FTKMOB------: Unknown error. Your changes have been rolled back. Please try again later.'
This issue usually occurs due to connectivity or DNS problems with 'fortitokenmobile.fortinet.com', the cloud servers responsible for provisioning tokens to users.
|
Scope |
FortiAuthenticator. |
Solution |
When trying to assign a specific token to a user, it is possible to encounter the following error:
To troubleshoot this problem, the first step should be to check the RAW logs, under Logging -> Log Access -> Logs. From the logs, it is possible to get an idea of what the problem might be, which is usually related to connectivity or DNS issues.
Run the necessary commands to test DNS resolution from the CLI:
execute nslookup fortitokenmobile.fortinet.com
The name should resolve to the IP addresses below:
Non-authoritative answer:
Name: fortitokenmobile.fortinet.com
Address: 173.243.138.84
Name: fortitokenmobile.fortinet.com
Address: 208.91.113.27
Name: fortitokenmobile.fortinet.com
Address: 208.91.113.29
From CLI, try to ping and traceroute toward 'fortitokenmobile.fortinet.com':
execute ping fortitokenmobile.fortinet.com
execute traceroute fortitokenmobile.fortinet.com
Sometimes ping is not permitted by the organization's policies. In this case, a packet capture is necessary:
execute tcpdumpfile -i any host fortitokenmobile.fortinet.com
When this issue is present, the PCAP file shows only TCP SYN requests, with no SYN-ACK or ACK, and no TLS communication takes place.
GUI debug on FortiAuthenticator: it should show error code -12. Access it via https://FAC-IP/debug/Others/GUI
2024-07-21T17:43:48.788928+02:00 FortiAuthenticator gui[12611] debug fac.home.www-data.fac.fac.apps.fac_auth.clibs __init__ 140178883389120 Token provisioning request is from FAC.
2024-07-21T17:43:58.812890+02:00 FortiAuthenticator gui[12611] error fac.home.www-data.fac.fac.apps.fac_auth.clibs __init__ 140178883389120 FTM provisioning request failed for "FTKMOB163C4772B3": Unknown error (error code -12)
2024-07-21T17:47:43.903762+02:00 FortiAuthenticator gui[12611] debug fac.home.www-data.fac.fac.apps.fac_auth.clibs __init__ 140178916959936 Token provisioning request is from FAC.
2024-07-21T17:47:53.932704+02:00 FortiAuthenticator gui[12611] error fac.home.www-data.fac.fac.apps.fac_auth.clibs __init__ 140178916959936 FTM provisioning request failed for "FTKMOB163C4772B3": Unknown error (error code -12)
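The following Python script is an added example, not part of the original article or of Fortinet's tooling. It parses GUI debug lines like the ones above, pairs each provisioning failure with its request, and reports the token serial, the error code and how long the request waited. It assumes the numeric field before the message is shared by a request and its result; the sample lines are copied from the excerpt above.

```python
import re
from datetime import datetime

# Sample input: the four GUI debug lines copied from the excerpt above.
SAMPLE = """\
2024-07-21T17:43:48.788928+02:00 FortiAuthenticator gui[12611] debug fac.home.www-data.fac.fac.apps.fac_auth.clibs __init__ 140178883389120 Token provisioning request is from FAC.
2024-07-21T17:43:58.812890+02:00 FortiAuthenticator gui[12611] error fac.home.www-data.fac.fac.apps.fac_auth.clibs __init__ 140178883389120 FTM provisioning request failed for "FTKMOB163C4772B3": Unknown error (error code -12)
2024-07-21T17:47:43.903762+02:00 FortiAuthenticator gui[12611] debug fac.home.www-data.fac.fac.apps.fac_auth.clibs __init__ 140178916959936 Token provisioning request is from FAC.
2024-07-21T17:47:53.932704+02:00 FortiAuthenticator gui[12611] error fac.home.www-data.fac.fac.apps.fac_auth.clibs __init__ 140178916959936 FTM provisioning request failed for "FTKMOB163C4772B3": Unknown error (error code -12)
"""

# Assumption: fields are timestamp, host, gui[pid], level, module, function,
# a numeric id shared by a request and its result, then the free-text message.
LINE = re.compile(
    r'^(?P<ts>\S+) \S+ gui\[\d+\] (?P<level>\w+) \S+ \S+ (?P<rid>\d+) (?P<msg>.*)$')
FAIL = re.compile(
    r'FTM provisioning request failed for "(?P<serial>[^"]+)": '
    r'.*\(error code (?P<code>-?\d+)\)')
REQUEST_MARK = "Token provisioning request is from FAC"

def provisioning_failures(text):
    """Return one dict per failed provisioning attempt found in the log text."""
    pending = {}   # request id -> timestamp of the still-open request
    failures = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a GUI debug line in the expected layout
        ts = datetime.fromisoformat(m["ts"])
        if REQUEST_MARK in m["msg"]:
            pending[m["rid"]] = ts
            continue
        f = FAIL.search(m["msg"])
        if f:
            start = pending.pop(m["rid"], None)
            failures.append({
                "serial": f["serial"],
                "code": int(f["code"]),
                # None when the matching request line is not in the excerpt
                "waited_s": (ts - start).total_seconds() if start else None,
            })
    return failures

if __name__ == "__main__":
    for item in provisioning_failures(SAMPLE):
        print(item)
```

On the excerpt above, both attempts fail with error code -12 about 10 seconds after the request was logged.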
Summary:
|