During the process of FortiGate HA upgrade, a failover will be performed. If the FortiGate HA cluster comes back online after the upgrade, but assigning FortiToken Mobile to new users returns with 'No valid token found' error, follow steps below:

Run below FortiToken debug while attempting to assign a token to the user.

diagnose fortitoken debug enable

diagnose debug enable

If the error shows a similar message as '"error_message":"token does not belong to product"', verify the serial number of the current running primary unit and check if the FortiToken Mobile license is registered under the same serial number.

Run the following command to check the HA status and check which is the current primary and secondary unit:

get system ha status

To check the FortiToken Mobile license registration, log in to the Fortinet Support portal and check the license details of the devices under Asset Management.

If the FortiToken Mobile license is found registered under the current secondary unit serial number, either of the following options can be performed:

1. Perform HA failover to make the current secondary unit active. To perform the failover:

• If override is enabled, lower the HA priority value of the primary unit.
• If override is disabled, reset the uptime on the primary unit using this command: 'diagnose sys ha reset-uptime' or reboot the primary unit.

2. Contact Customer Service support to transfer the FortiToken Mobile license to the current primary unit.

Related article:

Technical Tip: FortiToken Basic Troubleshooting