acardona
Staff
Article Id 383088
Description This article describes how to correct the issue when the FortiGate shows the error '-333' in the CLI while trying to provision a mobile token.
Scope FortiGate.
Solution

When trying to provision a new mobile token, the CLI returns the error '-333'. The FortiToken debug output shows '503 Service Unavailable' or 'response invalid'.

 

To enable debugging:

diagnose fortitoken debug enable
diagnose debug enable

 

ftm_fc_comm_recv_response[239]:response invalid
HTTP/1.1 503 Service Unavailable

 

To disable debugging:

 

diagnose debug disable

 

Verify the following to fix the issue:

  1. If the FortiGate belongs to a cluster, verify that the current primary is registered with the FortiToken licenses:

 

config user fortitoken
    edit <Serial number>
    show

 

  2. Change the FortiGuard configuration to the following:

 

config system fortiguard
    set fortiguard-anycast enable
end 

 

After performing these changes, the debug shows the following message:


ftm_fc_comm_recv_response[266]:receive packet success.

ftm_cfg_send_token_activation_code[338]:sent activation code:

 

If errors like the one below still appear after making the changes above:

 

image (13).png

 

Restart the forticldd process to resolve the issue:

fnsysctl killall forticldd

 

Note: 'unexpected eof while reading' is an SSL error. It means the FortiGate started an encrypted SSL connection towards FortiCare, but the remote side closed the connection unexpectedly before the FortiGate finished reading the expected data. Sometimes the cause is a device upstream of the FortiGate unit, such as another firewall or router.

 

In SD-WAN scenarios, the source-ip in the FortiGuard settings is sometimes set to a private IP address. In that case, the following error can also be expected:

 

2026-01-08 10:21:30 ftm_fc_comm_recv_response[229]:recv packet error: -1,tcps_read,1053, error=1, errno=0, error:0A000126:SSL routines::unexpected eof while reading
2026-01-08 10:21:30 ftm_fc_command[601]:receive from forticare error [-333]
import fortitoken license error: -333

 

Solution: Verify the source-ip configuration under 'config system fortiguard', unset the source-ip, and select the correct 'interface'.
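
The debug signatures quoted in this article can be triaged from a saved CLI capture. The script below is an added example, not Fortinet code: the function names (triage, checks_for), the category labels and the sample capture are constructed for illustration from the lines shown above.

```python
import re

# Line shape used in the article's debug output: "[YYYY-MM-DD HH:MM:SS ]func[line]:message"
LINE_RE = re.compile(r"^(?:(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) )?(\w+)\[\d+\]:\s*(.*)$")

FORTIGUARD_CHECKS = [
    "cluster: confirm the current primary is registered with the FortiToken licenses",
    "set fortiguard-anycast enable under 'config system fortiguard'",
]
# (substring, category, checks named in the article); first match wins per line
RULES = [
    ("unexpected eof while reading", "ssl_eof", [
        "unset a private source-ip under 'config system fortiguard' and select the correct interface",
        "check upstream firewalls or routers that may close the connection",
    ]),
    ("503 Service Unavailable", "http_503", FORTIGUARD_CHECKS),
    ("response invalid", "response_invalid", FORTIGUARD_CHECKS),
    ("-333", "error_333", []),  # generic symptom, names no cause on its own
    ("receive packet success", "ok", []),
]

def triage(debug_text):
    """Return (events, status); events are (timestamp, function, category) in log
    order and status is the last signature seen (a fix may follow a failure)."""
    events = []
    for raw in debug_text.splitlines():
        m = LINE_RE.match(raw.strip())
        # Lines without the func[line]: prefix (e.g. the HTTP status) are matched whole.
        ts, func, msg = m.groups() if m else (None, None, raw.strip())
        for needle, category, _ in RULES:
            if needle in msg:
                events.append((ts, func, category))
                break
    return events, (events[-1][2] if events else "no_signature")

def checks_for(events):
    """Collect the article's checks for the categories seen, without duplicates."""
    wanted = {category for _, _, category in events}
    out = []
    for _, category, checks in RULES:
        if category in wanted:
            out.extend(c for c in checks if c not in out)
    return out

# Constructed sample assembled from the debug lines quoted in the article.
SAMPLE = """\
ftm_fc_comm_recv_response[239]:response invalid
HTTP/1.1 503 Service Unavailable
2026-01-08 10:21:30 ftm_fc_comm_recv_response[229]:recv packet error: -1,tcps_read,1053, error=1, errno=0, error:0A000126:SSL routines::unexpected eof while reading
ftm_fc_comm_recv_response[266]:receive packet success.
"""
```

Calling triage() on a saved capture and passing the returned events to checks_for() lists which of the article's checks apply to the signatures found.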