FortiGate
FrankY1
Staff
Article Id 336047
Description This article describes the 'CLI internal error' message that can appear under 'User & Authentication' when changing a user's two-factor authentication from FortiToken Cloud to FortiToken.
Scope FortiGate.
Solution

The error may show up when there is no FortiToken Cloud license and the trial license has not been activated.

To confirm, run debug on FortiCloud using the commands below:

 

diagnose debug application forticldd 255

diagnose fortitoken debug enable

diagnose debug enable

 

Try to change the token again, then check the debug output and look for messages similar to the ones below:

 

{ "d": { "__type": "SoftToken.ProvisionRequest", "__version": "4", "__device_version": "7.0", "__device_build": "2360", "serial_number": "FGVMSLTM12121212", "__cluster
ed_sns": [ ], "tokens": [ { "token": "FTKMOB3BD53181E7", "seed": "9CE0502A1EC9D82B70E076F251A2177EAD4880FE", "code_expire": 4320, "type": "totp", "period": 60, "digits
": 6 } ] } }

2024-08-14 11:20:42 ftm_fc_comm_recv_response[266]:receive packet success.

{"d":{"__type":"SoftToken.ProvisionResponse","__version":"4","serial_number":"FGVMSLTM12121212","__device_version":"7.0","__device_build":"2360","__clustered_sns":[],"
tokens":[{"token":"FTKMOB123456789","license":"EFTM000000232323","token_activation_code":"EEIPQYWBISBBPQEA","qr_code":"iVBORw0KGgoAAAANSUhEUgAAAI4AAACOAQAAAADPhg2lAAA
AwUlEQVR4Ad2VUQ7EIAhETThAj+TVPZnwLpd/8c0S5pGHh8FHGjx3cZLUKFVc7fOk+kRHO8VDt44nkC9IHMGFWK94IlD/GpVzKBo9Lt97L0NTTJHHr75UKI1omyEZGswgIiFi0yPH1Xpjo2nN9QjVotHlRqZHt8M7HlgNes
SyO52U1An0FVObZYvRGpgZ06NcCvg8KrclJilXqUPR6DmouYbEKMXE9YcMnvqSod3egT4+UvI8aiw/jecWIHkGUUQZOIc4M6PObCMtJQAAAABJRU5ErkJggg==","code_expire":4320,"error":null}],"result":
2,"error":null}}

2024-08-14 11:20:42 ftm_cfg_update_token_provision[684]:Set token FTKMOB123456789 to provisioning
2024-08-14 11:20:43 fas_get_vd_userid[704]: Failed to communicate with FTC server:402
2024-08-14 11:20:43 fas_delete_user[1432]: Failed to retrieve user from FTC: username user1, vdom root

 

This means that when there is no FortiToken Cloud license, FortiGate is unable to communicate with FortiCloud to update the token provision status. The solution is to activate the trial license for FortiToken Cloud; FortiToken Cloud communication will then succeed and the error will disappear.
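
To check a saved debug capture for this signature without reading it line by line, the following added example (not Fortinet code) parses the timestamped daemon lines and reports the token, FTC error code, user and VDOM for each failure. The function name `triage` and the sample capture are constructed for illustration, modelled on the debug output shown above.

```python
import re

# Constructed sample, modelled on the debug lines shown in this article.
SAMPLE = """\
2024-08-14 11:20:42 ftm_fc_comm_recv_response[266]:receive packet success.
2024-08-14 11:20:42 ftm_cfg_update_token_provision[684]:Set token FTKMOB123456789 to provisioning
2024-08-14 11:20:43 fas_get_vd_userid[704]: Failed to communicate with FTC server:402
2024-08-14 11:20:43 fas_delete_user[1432]: Failed to retrieve user from FTC: username user1, vdom root
"""

# "<date> <time> <function>[<line>]:<message>" as printed by the debug daemons.
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \w+\[\d+\]:\s*(.*)$")
PROVISION = re.compile(r"Set token (\S+) to provisioning")
FTC_FAIL = re.compile(r"Failed to communicate with FTC server:(\d+)")
USER_FAIL = re.compile(r"Failed to retrieve user from FTC: username (.+?), vdom (\S+)")


def triage(capture):
    """Return one finding per FTC communication failure in the capture."""
    findings = []
    last_token = None   # most recent token set to provisioning
    pending = None      # failure still waiting for its user/vdom line
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue    # wrapped JSON payloads and blank lines are skipped
        ts, msg = m.groups()
        if (p := PROVISION.search(msg)):
            last_token = p.group(1)
        elif (f := FTC_FAIL.search(msg)):
            pending = {"time": ts, "code": int(f.group(1)),
                       "token": last_token, "user": None, "vdom": None}
            findings.append(pending)
        elif (u := USER_FAIL.search(msg)) and pending:
            pending["user"], pending["vdom"] = u.group(1), u.group(2)
            pending = None
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```

A finding whose token is set but whose FTC request failed matches the condition described above: the token was provisioned, but the status update to FortiToken Cloud did not go through.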