Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
rmehta
Staff
Staff

Created on ‎12-18-2025 06:57 AM

Article Id 423377

Troubleshooting Tip: FortiToken exists in cloud but cannot be assigned

Description This article describes a scenario where a FortiGate fails to locate or validate a FortiToken Mobile or FortiToken Cloud during user assignment. When this occurs, FortiGate displays the error 'No valid token found' or error -7567, preventing the token from being successfully assigned to a local user.
Scope FortiGate, FortiToken.
Solution
  • One of the following error messages is displayed in the GUI when assigning a token:
    • 'No valid token found'.
    • Provision token error: -7567.
  • The token cannot be assigned to a user.
  • The FortiToken activation email may not be sent.
  • SSL VPN login fails with 2FA enabled.

 

Copie_d'écran_20251202_105244(4).png

 

Copie_d'écran_20251202_110251(5).png

 

Debug commands:

 

diagnose debug disable

diagnose debug reset

diagnose debug console time enable

diagnose fortitoken debug enable

execute fortitoken-mobile import <ActivationCodeFromRedemptionCertificate>

 

Example debug output:

 

"license_activation_code": "6E2A-0E0C-2A64-1455-1000",

{"token":"FTKMOB27C3E7B708"}],"result":2,"error":null}} from this output it shows that FTKMOB2726BA4804 was associated with certificate code 6E2A-0E0C-2A64-1455-1000

 

FortiToken debugging showed no errors, confirming that the token was correctly licensed and associated.

 

Token FTKMOB2726BA4804 was confirmed as valid and licensed, and was associated with an Activation Code From the Redemption Certificate: 6E2A-0E0C-2A64-1455-1000.

 

Delete and re-add the token via the GUI (Recommended):

 

  1. Delete the Token.
    1. Go to User & Authentication -> FortiTokens.
    2. Locate the affected token (e.g. FTKMOB2726BA4804).
    3. Select the token.
    4. Select Delete.
    5. Confirm deletion.

Untitled picture.png

 

Untitled picture 1.png

 

  1. Re-add the token.
    1. Navigate to User & Authentication -> FortiTokens.
    2. Select Create New.
    3. Select FortiToken Mobile / FortiToken Cloud.
    4. Enter the Activation Code from the FortiToken certificate.
    5. Complete the import

 

  1. Assign the token to the user.
    1. Go to User & Authentication -> Users.
    2. Edit the affected user.
    3. Enable Two-factor Authentication.
    4. Select the re-added token.
    5. Choose Email or SMS for activation.
    6. Select OK.

 

Untitled picture.png

 

The activation email should then be sent successfully.

 

The issue can be resolved by deleting the affected FortiToken from the FortiGate and re-adding it to refresh the local FortiToken database.

 

After re-adding the FortiToken:

  • Token provisioning could complete successfully.
  • The activation email could be sent without errors.
  • The FortiToken could be assigned to the user correctly.
  • Two-factor authentication and SSL-VPN access could function as expected.
49
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.