FortiGate
sjoshi
Staff
Article Id 277343
Description

This article describes how to troubleshoot a FortiToken Mobile push notification that is not working.

Scope

FortiGate.

Solution

Scenario: SSL VPN is configured with two-factor authentication and the user has FortiToken Mobile enabled, but the push notification is not working.

 

Requirements:

  • Configure FortiToken Mobile Push on the FortiGate:

config system ftm-push
    set server-cert "Fortinet_Factory"
    set server "10.5.18.253"  <----- WAN IP of the FortiGate.
    set status enable
end

  • Make sure there is an admin user without trusted hosts configured. Trusted hosts limit the source addresses an administrator may log in from, so protect this account with a strong password and treat it like any other internet-reachable admin account.
  • Make sure FTM is enabled on the FortiGate WAN interface (the 'ftm' option of 'set allowaccess' on the interface).
  • Make sure port 4433 is not used by any other service on the FortiGate, as that is the default port for FortiToken Mobile push services.

In FortiOS 6.4.9 and earlier, the command 'set server' is not available; use 'set server-ip' instead.

 

If 'server-cert' is left empty (for example, set server-cert ""), the push is still delivered, but once the user approves it the device shows the error 'invalid server certificate: FortiToken Mobile cannot validate the server certificate' and the login does not complete. Configuring 'server-cert' resolves the issue.

 

Take the SSL VPN and FTM push debugs (run 'diagnose debug disable' when finished, as level -1 is verbose):

diagnose debug application sslvpn -1
diagnose debug application ftm-push -1
diagnose debug enable

 

[5784:root:d9]sslvpn_authenticate_user:192 authenticate user: [salon]
[5784:root:d9]sslvpn_authenticate_user:206 create fam state
[5784:root:d9]fam_auth_send_req:883 found node salon:0:, valid:1
[5784:root:d9][fam_auth_send_req_internal:426] Groups sent to FNBAM:
[5784:root:d9]group_desc[0].grpname = salon
[5784:root:d9][fam_auth_send_req_internal:438] FNBAM opt = 0X201400
Connecting to server address: 66.35.19.42, port nubmer: 443 oif: 0
[5784:root:d9]fam_auth_send_req_internal:514 fnbam_auth return: 7
[5784:root:d9][fam_auth_send_req_internal:539] Authenticated groups (1) by FNBAM with auth_type (1):
[5784:root:d9]Received: auth_rsp_data.grp_list[0] = 16777218
[5784:root:d9]req: /remote/logincheck
[5784:root:d9]Transfer-Encoding n/a
[5784:root:d9]Content-Length 106
[5784:root:d9]readPostEnter:17 Post Data length 106.
[5784:root:d9]rmt_web_auth_info_parser_common:506 no session id in auth info
[5784:root:d9]rmt_web_access_check:777 access failed, uri=[/remote/logincheck],ret=4103,
[5784:root:d9]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
[5784:root:d9]rmt_logincheck_cb_handler:1356 user 'salon' has a matched local entry.
[5784:root:d9]got checking id 1-35588b18
[5784:root:0]rmt_logincheck_cb_handler:1484 token_type = 1, time_out = 80
[5784:root:d9]two factor check for salon: off
[5784:root:d9]sslvpn_authenticate_user:192 authenticate user: [salon]
[5784:root:d9]sslvpn_authenticate_user:206 create fam state
[5784:root:d9]user 'salon' uses 2FA: ctx->peer_two_factor = 0, ctx->peer_name.peername = 0, ctx->is_two_factor = 1  <----- The user salon is using FortiToken (is_two_factor = 1).
[5784:root:0]famStateInit:2192 ctx->token_type = 1, timeout = 60
[5784:root:d9]fam_auth_send_req:883 found node salon:0:, valid:1
[5784:root:d9][fam_auth_send_req_internal:426] Groups sent to FNBAM:
[5784:root:d9]group_desc[0].grpname = salon

FortiToken Mobile push debug, which shows whether the FortiGate is able to send the push request to the FortiGuard server. The body is JSON: 'sender' identifies the FortiGate, 'registration_id' is the phone's push registration token (the platform push service uses it to address the device), and 'message' carries the challenge as an encrypted blob ('ciphertext', 'hmac', 'iv') that is not readable from the debug. Treat this output as sensitive when sharing it.


Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: fortinet/c
Content-Type: application/json
Content-Length: 595

{"sender":"FGT-FGVM32TM20000015-root","registration_id":"cycl4mTqH7Y:APA91bGOpo_SCF7OkNiWiju8YdCw8rt-4AaWATAPwbThpzaLJdYKKsnHev-7VUX40amJMWyzC-YLl9dXHVy1G9_JiHcQXglUVm06pGkiNE7UP1lr_z3XjYcs6Z7kqDmX_o5KNX_lEMWs","app":"FTM","platform":"android","message":"{ \"ciphertext\": \"oMx1HdZuO7TfzjHLCW3atzuvS\\/duDsKnaIBtUvmolrGVH8uoIoYzJ5KCG1Xj4aeUJGR3wi8IoYA2\\/9ZsLIRimo71F36gXKmWzhVcTB\\/KKsg5mmauc2UHeHk+Zzc2\\/DK5bMqGSzKkLbU\\/iS5d4huMflBrhXQzgyYwb7Ri2rNwDY8=\", \"sn\": \"FTKMOB028CA23F11\", \"hmac\": \"xfEr8ZycsGr2hguQd7aDas3NrKmkleYOELs9qGcJ\\/KA=\", \"iv\": \"TbBrOwMfxuQFhfCHvk0\\/Aw==\" }"}
SSL: (where=0x10 ret=0x1)
SSL: (where=0x2001 ret=0x1)
SSL: SSL_accept:before SSL initialization
SSL: (where=0x2001 ret=0x1)
SSL: SSL_accept:before SSL initialization
SSL: (where=0x2001 ret=0x1)
SSL: SSL_accept:SSLv3/TLS read client hello
SSL: (where=0x2001 ret=0x1)
SSL: SSL_accept:SSLv3/TLS write server hello
SSL: (where=0x2001 ret=0x1)
SSL: SSL_accept:SSLv3/TLS write certificate
SSL: (where=0x2001 ret=0x1)
SSL: SSL_accept:SSLv3/TLS write key exchange
SSL: (where=0x2001 ret=0x1)
SSL: SSL_accept:SSLv3/TLS write certificate request
SSL: (where=0x2001 ret=0x1)
SSL: SSL_accept:SSLv3/TLS write server done
SSL: (where=0x2001 ret=0x1)
SSL: SSL_accept:SSLv3/TLS write server done
SSL: (where=0x2001 ret=0x1)
SSL: SSL_accept:SSLv3/TLS read client certificate
SSL: (where=0x2001 ret=0x1)
SSL: SSL_accept:SSLv3/TLS read client key exchange
SSL: (where=0x2001 ret=0x1)
SSL: SSL_accept:SSLv3/TLS read certificate verify
SSL: (where=0x2001 ret=0x1)
SSL: SSL_accept:SSLv3/TLS read change cipher spec
SSL: (where=0x2001 ret=0x1)
SSL: SSL_accept:SSLv3/TLS read finished
SSL: (where=0x2001 ret=0x1)
SSL: SSL_accept:SSLv3/TLS write session ticket
SSL: (where=0x2001 ret=0x1)
SSL: SSL_accept:SSLv3/TLS write change cipher spec
SSL: (where=0x2001 ret=0x1)
SSL: SSL_accept:SSLv3/TLS write finished
SSL: (where=0x20 ret=0x1)
SSL: (where=0x2002 ret=0x1)
[5784:root:d9]fam_auth_proc_resp:1360 fnbam_auth_update_result return: 0 (success)
[5784:root:d9][fam_auth_send_req_internal:438] FNBAM opt = 0X201400

The SSL_accept lines show the FortiGate acting as the TLS server: it accepts an inbound TLS connection, requests and reads a client certificate, and completes the handshake. This is the connection on which the approval comes back from the phone, after which fnbamd reports the result. Authentication has been successful:

[5784:root:d9][fam_auth_proc_resp:1459] Authenticated groups (1) by FNBAM with auth_type (1):
[5784:root:d9]Received: auth_rsp_data.grp_list[0] = 16777218
[5784:root:d9]Auth successful for user salon
[5784:root:d9]fam_do_cb:730 fnbamd return auth success.
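The checks above (the ftm-push configuration, the 2FA flag in the sslvpn debug, the JSON push request to FortiGuard, the inbound TLS handshake and the final fnbamd result) can be run over pasted CLI output instead of read by eye. The script below is an added example for this article, not Fortinet code and not part of FortiOS. The samples embedded in it are constructed from the excerpts shown above, and the line patterns it matches are assumptions based on those excerpts, so other FortiOS builds may word the lines differently. The decoded sizes it reports for the push payload (16-byte iv, ciphertext a multiple of 16 bytes, 32-byte hmac) are simply what the page's own payload decodes to; the cipher behind them is not documented here.

```python
"""Triage helper for the FortiToken Mobile push checks in this article.
Added example, not Fortinet code and not part of FortiOS. It parses a 'config system
ftm-push' block and the combined 'diagnose debug application sslvpn -1' /
'ftm-push -1' output, and maps what it finds onto the article's checklist. The line
patterns are assumptions taken from the excerpts above; other FortiOS builds may
word these lines differently.
"""
import base64
import json
import re

# Constructed sample: the article's configuration with server-cert left empty, the
# mistake that produces 'invalid server certificate' on the phone after Approve.
SAMPLE_CONFIG_BAD = '''config system ftm-push
    set server-cert ""
    set server "10.5.18.253"
    set status enable
end
'''

# Constructed sample assembled from the article's debug excerpts. Raw string, so the
# JSON escapes inside the push payload stay exactly as the CLI prints them.
SAMPLE_DEBUG = r'''[5784:root:d9]sslvpn_authenticate_user:192 authenticate user: [salon]
[5784:root:d9]user 'salon' uses 2FA: ctx->peer_two_factor = 0, ctx->peer_name.peername = 0, ctx->is_two_factor = 1
Content-Type: application/json
{"sender":"FGT-FGVM32TM20000015-root","registration_id":"cycl4mTqH7Y:APA91bGOpo_SCF7OkNiWiju8YdCw8rt-4AaWATAPwbThpzaLJdYKKsnHev-7VUX40amJMWyzC-YLl9dXHVy1G9_JiHcQXglUVm06pGkiNE7UP1lr_z3XjYcs6Z7kqDmX_o5KNX_lEMWs","app":"FTM","platform":"android","message":"{ \"ciphertext\": \"oMx1HdZuO7TfzjHLCW3atzuvS\\/duDsKnaIBtUvmolrGVH8uoIoYzJ5KCG1Xj4aeUJGR3wi8IoYA2\\/9ZsLIRimo71F36gXKmWzhVcTB\\/KKsg5mmauc2UHeHk+Zzc2\\/DK5bMqGSzKkLbU\\/iS5d4huMflBrhXQzgyYwb7Ri2rNwDY8=\", \"sn\": \"FTKMOB028CA23F11\", \"hmac\": \"xfEr8ZycsGr2hguQd7aDas3NrKmkleYOELs9qGcJ\\/KA=\", \"iv\": \"TbBrOwMfxuQFhfCHvk0\\/Aw==\" }"}
SSL: SSL_accept:SSLv3/TLS read client hello
SSL: SSL_accept:SSLv3/TLS write finished
[5784:root:d9]fam_auth_proc_resp:1360 fnbam_auth_update_result return: 0 (success)
[5784:root:d9]Auth successful for user salon
'''


def check_ftm_push_config(cfg):
    """Return the problems found in a 'config system ftm-push' block (empty = OK)."""
    problems = []
    cert = re.search(r'set server-cert\s+"([^"]*)"', cfg)
    if cert is None or not cert.group(1).strip():
        problems.append("server-cert is empty: the phone will show "
                        "'invalid server certificate' after Approve")
    # 'server' on current builds, 'server-ip' on FortiOS 6.4.9 and earlier.
    server = re.search(r'set server(?:-ip)?\s+"([^"]*)"', cfg)
    if server is None or not server.group(1).strip():
        problems.append("server/server-ip is not set: the phone has no address to answer to")
    if re.search(r'^\s*set status enable\s*$', cfg, re.M) is None:
        problems.append("status is not enabled")
    return problems


def parse_push_payload(line):
    """Decode the JSON body the FortiGate posts to the FortiGuard push service."""
    outer = json.loads(line)
    inner = json.loads(outer["message"])  # 'message' is itself JSON text
    # The challenge is opaque here: only the phone holding the token can decrypt it.
    return {
        "sender": outer["sender"],
        "platform": outer["platform"],
        "token_sn": inner["sn"],
        "ciphertext": base64.b64decode(inner["ciphertext"], validate=True),
        "hmac": base64.b64decode(inner["hmac"], validate=True),
        "iv": base64.b64decode(inner["iv"], validate=True),
    }


def triage_debug(log):
    """Record which stage of the push flow the debug output reached."""
    report = {"user": None, "two_factor": False, "push_sent": False, "push": None,
              "tls_accepted": False, "auth_success": False}
    m = re.search(r"authenticate user: \[([^\]]+)\]", log)
    if m:
        report["user"] = m.group(1)
    m = re.search(r"uses 2FA: .*ctx->is_two_factor = (\d)", log)
    report["two_factor"] = bool(m and m.group(1) == "1")
    m = re.search(r'^\{"sender":.*\}$', log, re.M)
    if m:  # the request body to FortiGuard is present, so the push was sent
        report["push_sent"] = True
        report["push"] = parse_push_payload(m.group(0))
    # Assumption: SSL_accept lines are the FortiGate accepting the inbound TLS
    # connection that carries the phone's Approve (the flow the article's PCAP shows).
    report["tls_accepted"] = "SSL_accept:" in log
    report["auth_success"] = "Auth successful for user" in log
    return report


def next_steps(config_problems, report):
    """Map the findings onto the article's checklist."""
    steps = list(config_problems)
    if not report["two_factor"]:
        steps.append("user has no FortiToken assigned (is_two_factor != 1)")
    elif not report["push_sent"]:
        steps.append("no push request sent: check that the FortiGate can reach FortiGuard")
    elif not report["tls_accepted"]:
        steps.append("no inbound TLS from the phone: check 'ftm' allowaccess on the WAN "
                     "interface, that port 4433 is free and reachable from the internet, "
                     "and that the phone has internet access")
    elif not report["auth_success"]:
        steps.append("approval arrived but login did not complete: check server-cert")
    return steps
```

Paste the real 'show system ftm-push' output and the captured debug in place of the two samples and call next_steps(check_ftm_push_config(cfg), triage_debug(log)); with the samples as written it reports only the empty server-cert, because the constructed debug reaches 'Auth successful'.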

This is the PCAP of the communication between the FortiToken Mobile user and the FortiGate WAN IP when the user sends the approval:

[Image test2.PNG: packet capture of the phone connecting to the FortiGate WAN IP after 'Approve'.]

Once the user selects 'Approve' in FortiToken Mobile, the packet arrives at the FortiGate WAN IP, so there must be connectivity between the user's phone and the FortiGate, and the phone must be connected to the internet. If nothing arrives on the WAN interface after 'Approve', the problem is on the path between the phone and the FortiGate (phone connectivity, upstream firewall or NAT) rather than in the authentication itself.

This is the communication between the FortiGate and the FortiGuard server to send the push notification to the user's phone:

[Image Picture1.png: packet capture of the FortiGate sending the push request to FortiGuard.]

If the FortiGate is behind another router (NAT), port 4433 must be forwarded on that router to the FortiGate, because the 'server' address is what the phone connects back to and it has to be reachable from the internet.

If the WAN connection has a dynamic IP, a DDNS name can be used as the 'server' instead, for example:

config system ftm-push
    set server-cert "Fortinet_Factory"
    set server "fqdn"  <----- DDNS name.
    set status enable
end