FortiGate
enguyen3467 (Staff)
Article Id 252831

Description

This article describes steps to take when the error 'Failed to retrieve FortiToken Cloud status' appears in the FortiGate GUI.

This error may show when assigning a FortiToken Cloud to a user from the FortiGate GUI.


Scope

FortiOS.

Solution

  • Ensure that the management VDOM has connectivity to the FortiGuard servers. A quick check is whether the GUI dashboard shows a red banner saying 'Unable to connect to FortiGuard server'. If it does, refer to Troubleshooting Tip: Unable to connect to FortiGuard servers.

  • Check the DNS settings so that at least one of the two configured DNS servers is a public DNS server. Note that the pre-populated FortiGuard servers 96.45.45.45 and 96.45.46.46 only work with the DoT and DoH protocols, so a different public DNS server IP can be used if needed.

  • Alternatively, change the DNS protocol from DoT to cleartext in the global DNS settings on the FortiGate:

config system dns
    set protocol cleartext
end

  • Make sure to set the minimum TLS version to 1.2 since FortiToken Cloud does not support TLS v1.3 yet:

config system global
    set ssl-min-proto-ver TLSv1-2
end

If the fortitoken-cloud debug messages show 'FTC server returns error code: -104', an SSL error occurred during setup.

  • Check the FortiToken Cloud service and server status by executing the following commands:

diagnose fortitoken-cloud show service

diagnose fortitoken-cloud show server

If the output returns the server IP together with port 8686, the firewall is connected to the FortiToken Cloud server.

  • Check the DNS settings on the FortiGate and connectivity to the FortiCloud FQDNs:

execute ping logctrl1.fortinet.com
PING logctrl1.fortinet.com (154.52.17.92): 56 data bytes
64 bytes from 154.52.17.92: icmp_seq=0 ttl=55 time=59.1 ms

The IP address of ftc.fortinet.com recently changed from 173.243.137.31 to 69.167.109.248. Run a basic connectivity test with ping to confirm that the FortiGate resolves and reaches the new IP address:

execute ping ftc.fortinet.com
PING ftc.fortinet.com.geo.fortinet.net (69.167.109.248): 56 data bytes
64 bytes from 69.167.109.248: icmp_seq=0 ttl=50 time=75.7 ms

Verify that the FortiToken Cloud server is connected by issuing the following command; if the IP and port are returned, it is connected:

diagnose fortitoken-cloud show server
FortiToken Cloud server ip:69.167.109.248, port:8686

  • If DNS resolves without any issue, which confirms connectivity, the next step is to check the output of the following commands:

diagnose test application forticldd 1
diagnose test application forticldd 3

In the non-working scenario, the output is similar to the following, with the account information missing:

diagnose test application forticldd 1
System=FGT Platform=FG4H0F
Connection vdom: root, id=0, ha=primary.
acct_id=
acct_st=Logged Out <---- This should have the FortiCloud account information.

FortiGuard interface selection: method=auto specify=
FortiGuard log: status=disabled, full=overwrite, ssl_opt=1, source-ip=0.0.0.0

If it does not show the account information, try to re-connect the cloud account:

execute fortiguard-log login <email> <password> <domain> <----- Domain can be Global/US/Europe.

In the working scenario, the output looks like the following:

diagnose test application forticldd 1
System=FGT Platform=Fortigate_Model
Management vdom: root, id=0,  ha=master.
acct_id=User_ID@company_id.com
acct_st=OK <-- For a working scenario it will show the account information.
FortiGuard log: status=enabled, full=overwrite, ssl_opt=3, source-ip=0.0.0.0
Centra Management: type=FGD, flags=000000bf.
active-tasks=0

diagnose test application forticldd 3
Debug zone info:
Domain:GLOBAL
Home log server: 173.243.132.171:514
Alt log server: 173.243.132.132:514
Active Server IP: 173.243.132.132
Active Server status: unknown
Log quota: 3145728MB
Log used: 0MB
Daily volume: 20480MB
fams archive pause: 0
APTContract : 0
APT server: 0.0.0.0:0
APT Altserver: 0.0.0.0:0
Active APTServer IP: 0.0.0.0
Active APTServer status: unknown

Once the account information is shown, the FortiGate should be able to connect to FortiCloud without any issues and retrieve the tokens from the cloud account.
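As an added example (not part of this article or of FortiOS), the following Python script parses the two diagnostic outputs discussed above, 'diagnose test application forticldd 1' and 'diagnose fortitoken-cloud show server', and maps the result to the remediation steps listed in this article; the sample outputs are constructed from the ones shown in the article, with the inline '<----' annotations removed.

```python
import re

# Constructed samples copied from the diagnostic output shown in this article
# (inline "<----" annotations removed).
NON_WORKING = """System=FGT Platform=FG4H0F
Connection vdom: root, id=0, ha=primary.
acct_id=
acct_st=Logged Out
FortiGuard log: status=disabled, full=overwrite, ssl_opt=1, source-ip=0.0.0.0
"""
WORKING = """System=FGT Platform=Fortigate_Model
Management vdom: root, id=0,  ha=master.
acct_id=User_ID@company_id.com
acct_st=OK
FortiGuard log: status=enabled, full=overwrite, ssl_opt=3, source-ip=0.0.0.0
"""
SERVER_OK = "FortiToken Cloud server ip:69.167.109.248, port:8686"


def parse_forticldd(text):
    """Pull the account fields out of 'diagnose test application forticldd 1'."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(acct_id|acct_st)=(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def parse_ftc_server(text):
    """Return (ip, port) from 'diagnose fortitoken-cloud show server', or None."""
    m = re.search(r"ip:(\d+\.\d+\.\d+\.\d+), port:(\d+)", text)
    return (m.group(1), int(m.group(2))) if m else None


def assess(forticldd_out, server_out):
    """Map the two outputs to the article's remediation steps; [] means healthy."""
    findings = []
    acct = parse_forticldd(forticldd_out)
    # Non-working case: empty acct_id and acct_st other than OK (e.g. 'Logged Out').
    if not acct.get("acct_id") or acct.get("acct_st") != "OK":
        findings.append("account not logged in: run 'execute fortiguard-log login "
                        "<email> <password> <domain>'")
    server = parse_ftc_server(server_out)
    if server is None:
        findings.append("no FortiToken Cloud server: check DNS (public resolver, "
                        "protocol) and 'set ssl-min-proto-ver TLSv1-2'")
    elif server[1] != 8686:
        findings.append(f"unexpected FortiToken Cloud port {server[1]}, expected 8686")
    return findings
```

Paste the live CLI output into the two string arguments of assess() to get the applicable steps for a given FortiGate.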