vdralio
Staff
Article Id 189574

Description


This article describes how to adjust hard FortiTokens for clock drift when they are used for two-factor authentication on VPN connections (SSL VPN and/or IPsec VPN).

If a user experiences clock drift, it may be the result of incorrect time settings on the unit.
If so, first make sure that the unit's clock is accurate: confirm that it synchronizes with a network time (NTP) server and that the correct timezone is set.

If the unit's clock is set correctly, the drift can still be too large to fix with the normal synchronize function. One typical cause is that the FortiGate and the FortiTokens were initialized before an NTP server was configured, so the tokens were seeded against a clock that later jumped. In such cases, the affected FortiTokens can be manually drift-adjusted as described below.

 

Scope

 

FortiGate.

Solution


The following procedure is intended only for special cases where some FortiTokens are severely out of sync.
Only activated FortiTokens can be adjusted.

The user may notice that it is not possible to log in with the account, and an error like the one below is shown:

 

FortiToken clock drift detected (code: 468308). Please input the next code and continue

 

 
A two-factor authentication attempt has an expiration time (30 seconds by default), while FortiToken codes change every 30 or 60 seconds depending on the token configuration. Because the adjustment requires two consecutive codes, the remote authentication timeout must be increased so that there is enough time for the next code to appear and be entered.

For example:
 
config system global
    set remoteauthtimeout 120    <----- Value in seconds.
end
 
When the user then logs in from FortiClient (SSL VPN tunnel mode or IPsec VPN) or from SSL VPN web mode, there is enough time to enter the first code, wait until the next code appears on the token, and enter that second code as well. After this, the user can log in normally and the token is adjusted.

Recommendation: for security reasons, revert the change once the affected tokens have been adjusted. A longer remote authentication timeout keeps every pending authentication request open for longer than necessary.
 
config system global
    set remoteauthtimeout 30
end
 
On the FortiGate, the drift can also be adjusted directly from the CLI, where <id> is the serial number of the FortiToken to synchronize:
 
exec fortitoken sync <id>
 
On a FortiAuthenticator, the same adjustment is described in the 2FA interoperability guide, section "Synchronizing FortiTokens".
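The adjustment described above (the user enters two consecutive codes so that the verifier can work out how far the token's clock is off, after which the offset is applied to later logins) is the standard RFC 6238 TOTP resynchronization mechanism. The Python below is an added illustration of that mechanism and is not FortiOS, FortiToken or FortiAuthenticator code; the 60-second step, the +/-120-step search window, the token seed and the 90-step drift scenario are assumptions chosen for the example. It shows why two consecutive codes are needed: a single 6-digit code searched over a wide window would match by chance far too often, whereas a consecutive pair pins the offset down.

```python
# Added illustration (not Fortinet code): TOTP clock-drift recovery from two
# consecutive codes, the mechanism behind FortiToken "synchronize" operations.
import hashlib
import hmac
import struct

STEP = 60            # assumed code period in seconds (hard tokens use 30 or 60 s)
DIGITS = 6           # 6-digit codes
VERIFY_WINDOW = 1    # normal verification tolerates +/- one step of drift
SEARCH_WINDOW = 120  # assumed resync search range: +/-120 steps (2 hours at 60 s)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step)


def verify(secret: bytes, code: str, unix_time: int,
           drift_steps: int = 0, window: int = VERIFY_WINDOW) -> bool:
    """Normal login check: accept the code if it matches any counter within
    +/- window steps of the server's counter, shifted by the stored drift."""
    base = unix_time // STEP + drift_steps
    return any(hmac.compare_digest(hotp(secret, base + d), code)
               for d in range(-window, window + 1))


def resync(secret: bytes, code1: str, code2: str, unix_time: int,
           window: int = SEARCH_WINDOW):
    """Resynchronization: the user enters the code currently displayed (code1),
    waits for the token to roll over, and enters the next one (code2).
    Find the drift d (in steps) such that code1 is the code for counter
    server_counter + d AND code2 is the code for the following counter.
    A single code over 241 candidates would false-match about 1 time in 4000
    (241 / 10^6); requiring a consecutive pair makes that ~241 / 10^12.
    Returns the drift in steps, or None if there is no unique match."""
    base = unix_time // STEP
    matches = [d for d in range(-window, window + 1)
               if hotp(secret, base + d) == code1
               and hotp(secret, base + d + 1) == code2]
    return matches[0] if len(matches) == 1 else None


def demo() -> int:
    """Constructed scenario: a token whose clock is 90 steps (90 minutes at a
    60 s period) ahead of the NTP-corrected server clock."""
    secret = bytes(range(20))   # constructed 160-bit seed, not a real token seed
    now = 1_700_000_000          # server time at the first login attempt
    drift_seconds = 90 * STEP
    token_time = now + drift_seconds

    first = totp(secret, token_time)
    # Rejected by normal verification: 90 steps is far outside +/-1.
    assert not verify(secret, first, now)

    # The user waits for the next code and enters it as well.
    second = totp(secret, token_time + STEP)
    drift = resync(secret, first, second, now)
    assert drift == 90

    # Later logins succeed once the recovered drift is stored for this token.
    later = now + 7 * STEP
    assert verify(secret, totp(secret, later + drift_seconds), later, drift_steps=drift)
    return drift


if __name__ == "__main__":
    print("recovered drift in steps:", demo())
```

The search window bounds how much drift can be recovered; the page's point is that tokens initialized before NTP was configured can drift past whatever window the product applies, which is why the manual procedure with an extended authentication timeout exists.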

 

Related articles:

Technical Tip: How to change FortiToken mobile code refresh timer to 30 seconds

Troubleshooting Tip: FortiToken Mobile clock drift adjustment

Troubleshooting Tip: SSLVPN and two-factor expiry timers
