Description | This article describes an issue where two-factor authentication via FortiToken Cloud (or FortiIdentity Cloud) fails for all users after changing the HA cluster mode from Active-Passive/Active-Active to Standalone. |
Scope | FortiGate, FortiToken Cloud. |
Solution |
After the FortiGate HA cluster mode has been changed from Active-Passive or Active-Active to Standalone, users who log in with 2FA via FortiToken Cloud will fail to authenticate, and FortiToken Cloud will record the attempts as 'unknown 2FA'.
In some cases the user sees 2FA fail immediately, before being prompted for a token code at all.
Cause:
While the cluster was running, the users' FortiTokens were assigned under the HA realm 'FGTA-FGTB-root' in FortiToken Cloud. When the HA cluster mode is changed to 'Standalone', FortiToken Cloud automatically creates a new realm, 'FGTA-root', for the now standalone FortiGate, and from that point on it checks every 2FA login coming from this FortiGate against 'FGTA-root'.
Because the users' tokens still belong to 'FGTA-FGTB-root', their 2FA logins fail (status: 400) and are tagged 'unknown 2FA' in the FortiToken Cloud Authentication logs.
To fix the issue, the administrator needs to re-provision the FortiToken for each affected user on the FortiGate by disabling two-factor authentication for the user and then re-enabling it via FortiToken Cloud. The user must complete the FortiToken provisioning process again before the new token is assigned.
Once provisioning is complete, the user is automatically placed in the 'FGTA-root' realm in FortiToken Cloud and 2FA logins succeed again. Repeat this for every user whose token is still under the old 'FGTA-FGTB-root' realm.
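The following FortiOS CLI script is an added example, not part of the original article, showing the mode change that triggers the issue followed by the disable/re-enable sequence that re-provisions one local user. The user name "alice", the e-mail address, and the cluster member names FGTA/FGTB are assumptions for illustration; adapt them to the affected users.

```fortios
# Added example (not from the original article). User name, e-mail address
# and hostnames FGTA/FGTB are assumptions for illustration only.

# For reference only: this is the change that triggers the problem. The unit
# that was a member of the 'FGTA-FGTB-root' cluster is set to standalone mode,
# after which FortiToken Cloud creates the new realm 'FGTA-root'.
config system ha
    set mode standalone
end

# Step 1: disable two-factor authentication for the affected local user.
# This releases the FortiToken that is still tied to the old HA realm.
config user local
    edit "alice"
        set two-factor disable
    next
end

# Step 2: re-enable two-factor authentication via FortiToken Cloud.
# A new token is provisioned under the 'FGTA-root' realm; the user completes
# the activation using the e-mail address configured in email-to.
config user local
    edit "alice"
        set two-factor fortitoken-cloud
        set email-to "alice@example.com"
    next
end
```

After the user has completed provisioning, confirm in the FortiToken Cloud portal that the user now appears under the 'FGTA-root' realm and that the next login is logged as successful rather than 'unknown 2FA'. Users that still show under 'FGTA-FGTB-root' have not been re-provisioned yet and will continue to fail.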
|
Copyright 2025 Fortinet, Inc. All Rights Reserved.