kiri
Staff
Article Id 212759
Description This article describes how to troubleshoot error -7650 (in the CLI) or an Internal server error (in the GUI) seen when activating a new FortiToken Mobile.
Scope FortiGate 6.x to 7.6.x.
Solution

When importing the license from the GUI, the error 'Internal server error' may appear.


Import it through the CLI and run the following debug commands:

 

diagnose debug console timestamp enable
diagnose debug application forticldd -1
diagnose debug application alert -1
diagnose fortitoken debug enable
diagnose debug enable
execute fortitoken-mobile import <ActivationCodeFromRedemptionCertificate>

 

In VDOM mode, run the debug commands within the VDOM where the FortiTokens are being activated:

 

   config vdom
   edit <vdom-name>         <----- Name of the VDOM.
   diagnose debug console timestamp enable
   diagnose debug application forticldd -1
   diagnose debug application alert -1
   diagnose fortitoken debug enable
   diagnose debug enable

 

The output may resemble the following:

 

2022-05-17 13:41:54 ftm_cfg_import_license[321]:import license abcd-efgh-1234-5678-9101
2022-05-17 13:41:55 ftm_fc_comm_connect[55]:ftm TCPS connected.

2022-05-17 13:41:55 ftm_fc_comm_send_request[117]:send packet success.

POST /SoftToken/Provisioning.asmx/Process HTTP/1.1
Accept: application/json, text/javascript, */*, q=0.01
Content-Type: application/json;charset=utf-8
X-Requested-With: XMLHttpRequest
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: 208.91.113.53:443
Content-Length: 246
Connection: Keep-Alive
Cache-Control: no-cache

{ "d": { "__type": "SoftToken.ActivationLicenseRequest", "__version": "4",

"license_activation_code": "abcd-efgh-1234-5678-9101", "serial_number":

"FGT60XTK00000000", "__device_version": "7.0", "__device_build": "0304", "__clustered_sns": [ ] } }

2022-05-17 13:42:01 ftm_fc_comm_recv_response[266]:receive packet success.

{"d":{"__type":"SoftToken.ActivationLicenseResponse","__version":"4",

"serial_number":"FGT60XTK00000000","__device_version":"7.0","__device_build":"0304","__clustered_sns":[],"license_activation_code":"abcd-efgh-1234-5678-9101","license":"","tokens":null,"result":0,"error":{"error_code":100,"error_message":"forticare service unavailable"}}}

2022-05-17 13:42:01 ftm_fc_command[615]:received error from forticare [-7650]
import fortitoken license error: -7650

 

'FortiCare service unavailable' suggests that the firewall could not reach the FortiGuard network or that the FortiGuard network was temporarily unavailable.
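As an added example (not Fortinet's code and not part of the original article), the following Python script parses a saved copy of this debug output off-box and reports how far the activation exchange got and which error FortiCare returned. The function names, the stage labels and the abridged sample text are assumptions made for illustration.

```python
import json
import re

# Constructed sample, abridged from the debug output above (placeholder values).
SAMPLE = '''\
2022-05-17 13:41:55 ftm_fc_comm_send_request[117]:send packet success.
POST /SoftToken/Provisioning.asmx/Process HTTP/1.1
{ "d": { "__type": "SoftToken.ActivationLicenseRequest", "__version": "4",
"license_activation_code": "abcd-efgh-1234-5678-9101", "__clustered_sns": [ ] } }
2022-05-17 13:42:01 ftm_fc_comm_recv_response[266]:receive packet success.
{"d":{"__type":"SoftToken.ActivationLicenseResponse","__version":"4",
"license":"","tokens":null,"result":0,"error":{"error_code":100,"error_message":"forticare service unavailable"}}}
2022-05-17 13:42:01 ftm_fc_command[615]:received error from forticare [-7650]
import fortitoken license error: -7650
'''


def iter_json_objects(text):
    """Yield each JSON object embedded in the debug text, even when wrapped across lines."""
    decoder = json.JSONDecoder()
    pos = text.find("{")
    while pos != -1:
        try:
            obj, end = decoder.raw_decode(text, pos)
            yield obj
        except json.JSONDecodeError:
            end = pos + 1  # this brace does not start valid JSON; keep scanning
        pos = text.find("{", end)


def summarize_ftm_debug(text):
    """Report how far the activation exchange got and what error came back."""
    out = {"stage": "no_request_sent", "error_code": None,
           "error_message": None, "cli_error": None}
    for obj in iter_json_objects(text):
        body = obj.get("d")
        kind = body.get("__type", "") if isinstance(body, dict) else ""
        if kind.endswith("ActivationLicenseRequest"):
            out["stage"] = "no_response_received"  # overwritten if a response follows
        elif kind.endswith("ActivationLicenseResponse"):
            err = body.get("error") or {}
            out["stage"] = "error_returned" if err else "response_without_error"
            out["error_code"] = err.get("error_code")
            out["error_message"] = err.get("error_message")
    # The CLI prints its own numeric code on the last line of a failed import.
    match = re.search(r"import fortitoken license error: (-?\d+)", text)
    if match:
        out["cli_error"] = int(match.group(1))
    return out
```

A stage of `no_response_received` means a request was logged without a matching response, which is the case the connectivity checks in steps 1 and 2 below are meant to investigate.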

 

To stop debug logs:

 

diagnose debug disable
diagnose debug reset

 

  1. Check if the firewall can reach globalftm.fortinet.net on port 443:

    execute telnet globalftm.fortinet.net 443

  2. It is also possible to run a packet capture when importing the license, using the IP address resolved in step 1:

 

diagnose sniffer packet any "host 208.91.113.53 and port 443" 4 0 a

Press Ctrl+C to stop the sniffer.

 

If the above troubleshooting steps do not resolve the issue, try running the following commands in the CLI:

 

diagnose debug reset
diagnose debug application update -1
diagnose debug enable
execute update-now

 

Once the output shows 'Update successful', navigate to User & Authentication -> FortiTokens and verify whether the newly registered FortiTokens are now visible in the list.

 

The IP address 208.91.113.53 is an example, resolved when using telnet to the FQDN 'globalftm.fortinet.net'. Adjust the IP address to match what the FQDN resolves to.

  • If steps 1 and 2 show successful communication, disable anycast mode in the FortiGuard settings, then try to import the tokens again.
  • If that still does not help, raise a case with the Technical Support Team and include all the outputs and the checks already done.

Related article:

Technical Tip: FortiToken basic troubleshooting