Description
This article explains how to mitigate the error 'No valid token found - Provision token error: -7567' seen in the GUI while assigning FortiToken Mobile to a user account on the FortiGate.
Scope
FortiGate.
Solution
Possible problems: The most likely cause is that the FortiGate has no associated FortiToken Mobile license (check this first in the support portal).
Navigate to support.fortinet.com and check the FortiGate serial number. If that is the case, contact Customer Service to assist with migrating the license from the previous device (the serial number of that device must be provided). This does not require a TAC case, as it is not a technical issue.
Step 1: Check the available FortiTokens.
This command shows all tokens present in the configuration. Any token serial number can be added manually, so a token appearing in this list does not mean it is available to be assigned.
FGT # diagnose fortitoken info
FORTITOKEN DRIFT STATUS
FTKMOB76xxxxxxx1 0 provisioned
FTKMOB98XXXXXD49 0 new
FTKMOB76xxxxxxx3 0 new
FTKMOB76xxxxxxx4 0 new
Step 2: Check the 'no valid token found' error.
FGT # diagnose fortitoken debug enable
Debug messages will be on for 30 minutes.
FGT # diagnose debug enable
# ftm_cfg_provision_token[363]:provision token: FTKMOB98XXXXXD49
ftm_fc_provision_token[760]:Provision token: FTKMOB98XXXXXD49
ftm_fc_cfg_set_fd_mgmt_vdom[48]:Using vfid=0 (mgmt:0 ha:3)
ftm_fc_comm_send_request[291]:send packet to forticare success.
POST /SoftToken/Provisioning.asmx/Process HTTP/1.1
Accept: application/json, text/javascript, */*, q=0.01
Content-Type: application/json;charset=utf-8
X-Requested-With: XMLHttpRequest
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: 96.45.36.92:443
Content-Length: 405
Connection: Keep-Alive
Cache-Control: no-cache
{ "d": { "__type": "SoftToken.ProvisionRequest", "__version": "4", "__device_version": "5.0", "__device_build": "1672", "serial_number": "FG100DxxxxxxxxxA", "__clustered_sns":
[ { "sn": " FG100DxxxxxxxxxA" }, { "sn": " FG100DxxxxxxxxxB" } ], "tokens": [ { "token": " FTKMOB98XXXXXD49", "seed": "A203Dxxxxxxxxxxxxxxxxxx", "code_expire": 4320, "type": "totp", "period": 60, "digits": 6 } ] } }
ftm_fc_comm_recv_response[477]:receive packet from forticare success.
{"d":{"__type":"SoftToken.ProvisionResponse","__version":"4","serial_number":" FG100DxxxxxxxxxA","__device_version":"5.0","__device_build":"1672","__clustered_sns":
[{"sn":" FG100DxxxxxxxxxB ","error":null},{"sn":" FG100DxxxxxxxxxA", "error":null}],"tokens":[{"token":" FTKMOB98XXXXXD49","license":null,"token_activation_code":null,"qr_code":null,"code_expire":null,"error":{"error_code":31,"error_message":"token does not belong to product"}}],"result":0,"error":{"error_code":17,"error_message":"no valid token found"}}}
ftm_fc_command[564]:received error from forticare [-7567]
FGT # diagnose debug reset <----- Use this command to stop the debugging.
The '-7567' error occurs if the configuration file is restored from a different FortiGate. This includes scenarios like migrating from one FortiGate unit to another manually (modifying the configuration file), using the FortiConverter service to migrate the configuration, and uploading a configuration file from one firewall to another with a different serial number. This is only an indicator that the token is not valid for this firewall (not licensed for this device).
Each FortiGate comes with 2 free FortiTokens, but after a configuration restore from another unit, the free FortiTokens from the original firewall will not be usable, and they can only be removed from the new firewall.
To delete the new FortiTokens on the FortiGate, go to User & Authentication -> FortiTokens, select the FortiToken, and delete it. Tokens can also be deleted through the CLI by running the following commands:
config user fortitoken
delete <serial_number>
end
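The following Python script is an added example, not part of the original article and not Fortinet tooling. It reads a saved copy of the Step 2 debug output, extracts the per-token errors from the SoftToken.ProvisionResponse body, masks the TOTP seed that the request body exposes, and builds the delete block shown above for review. The function names and the shortened sample capture are constructed for illustration, and treating error code 31 as the one to act on is an assumption based only on the response shown in this article.

```python
import json
import re

# Constructed sample: shortened from the debug capture shown above.
SAMPLE = """ftm_fc_comm_send_request[291]:send packet to forticare success.
{ "d": { "__type": "SoftToken.ProvisionRequest", "serial_number": "FG100DxxxxxxxxxA", "tokens":
[ { "token": " FTKMOB98XXXXXD49", "seed": "A203Dxxxxxxxxxxxxxxxxxx", "type": "totp" } ] } }
ftm_fc_comm_recv_response[477]:receive packet from forticare success.
{"d":{"__type":"SoftToken.ProvisionResponse","serial_number":" FG100DxxxxxxxxxA","tokens":
[{"token":" FTKMOB98XXXXXD49","license":null,"error":{"error_code":31,"error_message":"token does not belong to product"}}],"result":0,"error":{"error_code":17,"error_message":"no valid token found"}}}
ftm_fc_command[564]:received error from forticare [-7567]
"""

def json_bodies(capture):
    """Yield each JSON object in the capture, including ones wrapped across lines."""
    decoder, pos = json.JSONDecoder(), capture.find("{")
    while pos != -1:
        try:
            obj, end = decoder.raw_decode(capture, pos)
            yield obj
            pos = capture.find("{", end)
        except json.JSONDecodeError:
            pos = capture.find("{", pos + 1)

def failed_tokens(capture):
    """Map token serial -> (error_code, error_message) from ProvisionResponse bodies."""
    failed = {}
    for body in json_bodies(capture):
        d = body.get("d") or {}
        if d.get("__type") != "SoftToken.ProvisionResponse":
            continue
        for tok in d.get("tokens") or []:
            err = tok.get("error")
            if err:  # serials in the capture carry stray spaces, so strip them
                failed[tok["token"].strip()] = (err["error_code"], err["error_message"])
    return failed

def redact_seeds(capture):
    """Mask TOTP seeds (shared secrets) before the capture is shared in a ticket."""
    return re.sub(r'("seed"\s*:\s*")[^"]*"', r'\1<redacted>"', capture)

def delete_commands(failed, code=31):
    """Build the article's CLI delete block for tokens rejected with the given code."""
    sns = sorted(sn for sn, (c, _) in failed.items() if c == code)
    return "\n".join(["config user fortitoken", *(f"delete {sn}" for sn in sns), "end"]) if sns else ""

if __name__ == "__main__":
    print(delete_commands(failed_tokens(SAMPLE)))
    print(redact_seeds(SAMPLE))
```

Run `redact_seeds` over any capture before attaching it to a support ticket, since the provisioning request contains the seed from which the token's one-time codes are derived.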
If additional FortiTokens have been obtained, they cannot be provisioned on the new firewall due to the free FortiToken migration explained above. In such cases, it will be necessary to delete all existing tokens and re-import them into the new system.
Note:
If a FortiGate license was recently transferred, it may take a minimum of 4 hours for the update to propagate fully within the FortiCare system. If any FortiCare connection or activation errors occur, wait for this period before retrying activation, as the issue may resolve automatically.
If the FortiGate is running in HA, make sure the FortiTokens license is tied to the Primary serial number.
To re-import FortiToken Mobile:
To import FortiToken Mobile through the CLI:
FGT # execute fortitoken-mobile import <Activation Code>
If no activation code was received via email, try selecting 'Import Free Trial Tokens' and then Refresh (newer versions will display a 'Download' button).
Note:
The 'Import Free Trial Tokens' button will only be shown if there are no free FortiTokens listed. To import free trial tokens through the CLI:
FGT # exec fortitoken-mobile import 0000-0000-0000-0000-0000
Copyright 2025 Fortinet, Inc. All Rights Reserved.