FortiGate
vdralio
Staff
Description
This article describes how to adjust hardware FortiTokens for clock drift when they are used as two-factor authentication for VPN connections (SSL VPN and/or IPsec VPN).

If a user experiences clock drift, it may be the result of incorrect time settings on the FortiGate itself.
First make sure that the unit's clock is accurate by confirming that network time (NTP) is configured and working and that the correct time zone is set.

If the unit's clock is set correctly, the cause can be, for example, that the FortiGate and the FortiTokens were initialized (activated) before an NTP server was configured.
This results in a time difference that is too large for the normal synchronize function to correct.
In that case, the affected FortiTokens can be manually drift adjusted as described below.


Solution
The following procedure is intended only for special cases where some FortiTokens are severely out of sync.
Only activated FortiTokens can be adjusted.

The user may notice that it is not possible to log in with the account, and an error like the following is shown:
FortiToken clock drift detected (code: 468308). Please input the next code and continue
Note that an authentication attempt has an expiration time (30 seconds by default), while FortiToken codes change at the interval set by the token configuration (every 30 or 60 seconds).
The remote authentication timeout therefore needs to be raised, so that there is enough time for the next code to appear on the token and be entered before the attempt expires.

For example:
# config system global
    set remoteauthtimeout 120 <----- This is in seconds.
end
When the user logs in from FortiClient (SSL VPN tunnel mode or IPsec VPN) or from SSL VPN web mode, the user now has enough time to enter the first code.
Wait until the next code appears on the token and enter it as the second code.
The FortiToken is then resynchronized and the user is able to log in normally.

Recommendation: for security reasons, revert the timeout change once the token is synchronized, so that incomplete authentication attempts are not kept open longer than necessary:
# config system global
    set remoteauthtimeout 30
end
On the FortiGate, the drift of an individual token can also be adjusted from the CLI with:
# exec fortitoken sync <id>
On a FortiAuthenticator, the equivalent procedure is described in the 2FA interoperability guide:
https://docs.fortinet.com/document/fortiauthenticator/6.1.0/interoperability-guide-for-2fa/181198/ap...
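As an added illustration, the following Python models how a TOTP verifier handles the two-step resynchronization that the "input the next code" message asks for. It is not FortiOS code and the FortiGate's internal algorithm is not published; it implements the standard RFC 4226/6238 code generation and a plausible verifier on top of it. A first code that matches far from the expected counter is not trusted on its own: the verifier asks for the next code, and stores the drift offset only when that adjacent code also matches and arrives within the authentication timeout. The seed, window sizes, timestamps and the `auth_timeout` field (which plays the role of `remoteauthtimeout`) are constructed for the example.

```python
import hashlib
import hmac
import struct

# Assumed window sizes for the illustration (not FortiOS values).
SMALL_WINDOW = 1     # steps tolerated silently on a normal login
SYNC_WINDOW = 10     # steps searched when a code does not match; triggers "input the next code"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def token_code(secret: bytes, token_time: int, step: int = 60, digits: int = 6) -> str:
    """The code a hardware token displays at its own (possibly drifted) clock time."""
    return hotp(secret, token_time // step, digits)


class TokenRecord:
    """Server-side state for one token: seed, step, learned drift and a pending resync."""

    def __init__(self, secret: bytes, step: int = 60, digits: int = 6, auth_timeout: int = 120):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.auth_timeout = auth_timeout  # plays the role of remoteauthtimeout (seconds)
        self.drift = 0                    # learned offset in steps, applied to every later login
        self.pending = None               # (matched_counter, server_time) awaiting the next code


def verify(rec: TokenRecord, code: str, now: int) -> str:
    """Return 'ok', 'drift_detected', 'resynced' or 'fail' for a code entered at server time now."""
    server_step = now // rec.step
    base = server_step + rec.drift

    # 1. Normal login: the code lies within the small window around the expected counter.
    for k in (0, -SMALL_WINDOW, SMALL_WINDOW):
        if hmac.compare_digest(hotp(rec.secret, base + k, rec.digits), code):
            rec.pending = None
            return "ok"

    # 2. Second half of a resync: the user was asked for the *next* code after a far match.
    #    The next code only appears after up to one full step, so the timeout must allow it.
    if rec.pending is not None:
        first_counter, first_time = rec.pending
        rec.pending = None
        if now - first_time <= rec.auth_timeout and hmac.compare_digest(
            hotp(rec.secret, first_counter + 1, rec.digits), code
        ):
            rec.drift = first_counter - first_time // rec.step
            return "resynced"

    # 3. First half of a resync: search a wide window, nearest offset first. One far match is
    #    not trusted alone (21 candidates of 6 digits leave a ~2e-5 false-match chance), so the
    #    adjacent code is required before the drift is stored.
    for k in sorted(range(-SYNC_WINDOW, SYNC_WINDOW + 1), key=abs):
        if hmac.compare_digest(hotp(rec.secret, base + k, rec.digits), code):
            rec.pending = (base + k, now)
            return "drift_detected"

    return "fail"


def demo() -> list:
    """Constructed scenario: a token whose clock runs 5 minutes (5 steps of 60 s) ahead of the server."""
    secret = b"constructed-seed-not-a-real-fortitoken"   # constructed sample seed
    rec = TokenRecord(secret, step=60, auth_timeout=120)
    results = []
    now = 1_700_000_000
    token_ahead = 5 * 60
    results.append(verify(rec, token_code(secret, now + token_ahead), now))   # first code
    now += 60   # the user waits for the next code to appear on the token
    results.append(verify(rec, token_code(secret, now + token_ahead), now))   # adjacent code
    now += 60   # a later, ordinary login uses the stored drift
    results.append(verify(rec, token_code(secret, now + token_ahead), now))
    return results


if __name__ == "__main__":
    print(demo())   # ['drift_detected', 'resynced', 'ok']
```

The `auth_timeout` check in step 2 is the reason the article raises `remoteauthtimeout`: with the default 30 seconds and a 60-second token, the adjacent code arrives after the pending attempt has expired, the verifier falls back to step 3 and the user is asked for the next code again without the drift ever being stored.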


Related Articles

Technical Tip: How to change FortiToken mobile code refresh timer to 30 seconds

Troubleshooting Tip: FortiToken Mobile clock drift adjustment

Troubleshooting Tip: SSLVPN and two-factor expiry timers
