FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
duenlim
Staff
Article Id 333425
Description This article describes how to resolve an issue in which push notifications fail for all FortiToken users and FortiAuthenticator logs the error message 'Failed to send notification to user due to pushd error -3: FTM server returned error'. Despite this issue, manually keying in a FortiToken code works as expected.
Scope FortiAuthenticator 6.5.x.
Solution

The Wireshark analysis of the capture shows that push.fortinet.com resolves to the IP address 154.52.29.67 and that the TLS handshake completes successfully between frames 4 and 12.


The section highlighted in black shows the certificate exchanged in the FortiAuthenticator connection, signed with the signature algorithm sha1WithRSAEncryption, failing certificate verification; push.fortinet.com subsequently returned a 'Bad Certificate' error between frames 13 and 16. FortiAuthenticator does not accept the certificate it received. Check whether the connection from FortiAuthenticator to push.fortinet.com is subject to SSL inspection and, if so, disable the inspection for this connection.

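The following script is an added example, not part of the Fortinet article: it checks the certificate presented by a TLS server for the sha1WithRSAEncryption signature seen in the capture, which is the symptom of an SSL-inspection device re-signing the chain. The host name push.example.invalid and the sha1/sha256 demo certificates are constructed for offline testing; only `openssl` is required.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): flag a sha1WithRSAEncryption
# signature on the certificate a TLS server presents, the symptom seen when an
# SSL-inspection device re-signs the chain on the way to FortiAuthenticator.

# sig_alg_of_cert: print the signature algorithm of a PEM certificate on stdin.
sig_alg_of_cert() {
    openssl x509 -noout -text 2>/dev/null \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# classify_sig_alg: 0 for an acceptable algorithm name, 1 for the SHA-1 RSA
# signature FortiAuthenticator rejected, 2 when no algorithm could be parsed.
classify_sig_alg() {
    case "$1" in
        sha1WithRSAEncryption) return 1 ;;
        "") return 2 ;;
        *) return 0 ;;
    esac
}

# check_cert_file: report on the PEM certificate in $1; non-zero on rejection.
check_cert_file() {
    alg=$(sig_alg_of_cert < "$1")
    if classify_sig_alg "$alg"; then
        echo "OK: $1 is signed with $alg"
    else
        echo "REJECT: $1 is signed with '${alg:-unparseable}'; inspection is likely re-signing this connection"
        return 1
    fi
}

# check_server: fetch the leaf certificate presented on host:port and check it.
# Run from the FortiAuthenticator's network segment; an issuer that is the
# firewall's own CA instead of a public CA confirms the path is inspected.
check_server() {
    host=$1; port=${2:-443}; pem=$(mktemp)
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$pem"
    openssl x509 -in "$pem" -noout -issuer
    check_cert_file "$pem"
}

# make_demo_cert: constructed self-signed certificate for offline testing.
# $1 = digest (sha1 or sha256), $2 = output PEM path (key is written to $2.key).
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2" \
        -days 1 -subj "/CN=push.example.invalid" "-$1" >/dev/null 2>&1
}
```

Source the file and run `check_server push.fortinet.com` from the FortiAuthenticator's segment; `make_demo_cert sha1 /tmp/bad.pem` followed by `check_cert_file /tmp/bad.pem` reproduces the rejection offline.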

(Figure: FTM_Returned_Bad_certificate.png)


Related article:
Technical Tip: FortiToken Push on FortiAuthenticator: operation flow and details