Anthony_E
Community Manager
Article Id 191230

Description

 

This article describes how to provision FortiTokens to users in an HA environment. When provisioning, the FortiTokens will throw the error 'No Valid token found'.

 


 

Scope

 

FortiGate, FortiToken.


Solution

 

  • In the case of setting up a High Availability (HA) cluster with multiple FortiGate/FortiAuthenticators, it is necessary to register and apply any FortiToken Mobile licenses to the primary unit.
  • First check in the support portal which FortiGate (Primary/Secondary) the token license is assigned to (for mobile tokens), or where the FortiTokens are registered (for hardware tokens).
  • HA clusters of 2 units that share a single license (vSN / Virtual Serial Number) are not entitled to Trial FortiTokens. The Mobile Token license also cannot be used in this situation, as it cannot be associated with the vSN. The debug will show:


[Screenshot fttk.png: debug output]

 
It is possible to check this with the following method:
  1. If it is a Trial Token:
 
Delete the Trial Token, then re-import the Free Trial Token under User & Authentication -> FortiTokens, and it will work fine.
 

 

To delete the trial FortiToken in the CLI:

 

config user fortitoken
    delete <fortitoken_serial_number>
end

 

To import trial tokens in the CLI:

 

execute fortitoken-mobile import 0000-0000-0000-0000-0000

 

  1. Select products and then select the correct serial number for the FortiGate.
  2. Check under the License and Key section, where FortiToken License information will be available. If it is not available, it is not registered with this unit. Check the other units.
 

 

  • Once the unit registered with the FortiToken is confirmed, make sure that FortiGate is in the Primary state in the HA environment. Only then is it possible to provision FortiTokens.
  • It is not possible to provision FortiTokens from an unregistered FortiGate or from secondary units.
  • If the FortiTokens are registered with a secondary FortiGate, it is necessary to perform a failover so that the secondary unit becomes Primary.
  • Once FortiToken provisioning is completed, a failover will not cause any effect/outage for existing users. The only limitation is that FortiTokens cannot be provisioned from the current Primary unit (after the failover), which is not registered with the FortiToken licenses.
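
As an added illustration (not part of the original article), the sequence above could look like this on the CLI of the FortiGate that holds the FortiToken registration. The user name `jdoe` and the e-mail address are assumptions made for the example, and the serial number is a placeholder.

```fortios
# 1. Confirm that this unit is currently the Primary in the HA cluster.
#    Do not provision if the unit holding the registration is Secondary.
get system ha status

# 2. List the FortiTokens configured on this unit and note the serial
#    number of the token to be assigned.
show user fortitoken

# 3. Assign the token to a local user (hypothetical user and address).
config user local
    edit "jdoe"
        set two-factor fortitoken
        set fortitoken <fortitoken_serial_number>
        set email-to "jdoe@example.com"
    next
end
```

If the last step still returns 'No Valid token found', repeat the first check and compare the unit's serial number with the one shown in the support portal before collecting the debug output.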

 

Troubleshooting:

Run the following commands to collect debug logs for the error message "no valid token found".

 

diagnose debug console timestamp enable
diagnose fortitoken debug enable
diagnose debug enable
diagnose debug disable <----- Use this command to stop the debug.