FortiToken
FortiToken Mobile is an application for iOS or Android that acts like a hardware token but utilizes hardware the majority of users possess, a mobile phone.
jiahoong112
Staff
Article Id 217292
Description

 

This article describes how to perform a FortiToken Mobile (FTKM) to FortiToken Cloud (FTC) migration and what to check and troubleshoot when errors occur.

In this case: FortiToken Mobile to FortiToken Cloud Migration, Invalid License.

 

Pre-requisites:

 

Scope

 

FortiToken Mobile to FortiToken Cloud migration. Invalid License error.

 

Solution

 

  1. Ensure a FortiToken Mobile license number is available. It can be found on the Fortinet Support Portal, Support.
  2. Under Asset Management, go to Products -> More Views -> License.

The license number is listed under the License Number column.

A FortiToken Mobile license has an SKU of 'FTM-ELIC-<number>'.

 

This is the license number that will be used in the troubleshooting commands below.
The license number usually starts with EFTM followed by 12 digits.

 

  3. Check whether FTC servers are reachable:


diagnose fortitoken-cloud server <----- The IP shown in the output should be reachable via ping.

  4. To check whether the migration from FortiToken Mobile to FortiToken Cloud will be successful, use these commands:


diagnose fortitoken-cloud migrate-ftm show <FTKM license_number>
diagnose fortitoken-cloud migrate-ftm start <FTKM license_number>

 

  5. If migration is possible, output similar to this will be seen:

 

Firewall A (global) # diagnose fortitoken-cloud migrate-ftm start <FTKM license number>
Warning: Please acknowledge that request will be sent to fortitoken-cloud to
start license migration where migration eligibility will be checked and a new
FTC license will be created with corresponding user quota to accept user migration.
Ready to proceed? (y/n)

 

This indicates that the FortiToken Mobile license is valid and migration is possible.

 

Note:

If the FortiToken Mobile license has 100 tokens, the FortiToken Mobile to FortiToken Cloud migration will migrate ALL the tokens.

Partial migration is not possible; for example, it is not possible to migrate only 50 of the 100 FortiToken Mobile tokens to FortiToken Cloud.

 

Proceed with the migration using this command:

 

execute fortitoken-cloud migrate-ftm <FTKM license number>

 

  6. However, if an error message similar to this occurs, proceed to Step 7:


Firewall A # diag fortitoken-cloud migrate-ftm start <FTKM license_number>
Invalid license!

Firewall A # diag fortitoken-cloud migrate-ftm show <FTKM license_number>
Result: {"status": "deny"}

 

  7. First, ensure that every entry in 'show user fortitoken' has the 'set license' parameter. It should look like this:


Firewall A (root) # show user fortitoken
config user fortitoken
    edit "FTKMOBbla"
        set license "<hidden for privacy purposes>"
        set activation-code "<hidden for privacy purposes>"
        set activation-expire <hidden for privacy purposes>
        set reg-id "<hidden for privacy purposes>"
        set os-ver "<hidden for privacy purposes>"
    next
    edit "FTKMOBblabla"
        set license "<hidden for privacy purposes>"
        set activation-code "<hidden for privacy purposes>"
        set activation-expire <hidden for privacy purposes>
        set reg-id "<hidden for privacy purposes>"
        set os-ver "<hidden for privacy purposes>"
    next

 

And not like this:


    edit "FTKMOBblabla"
        set os-ver "<hidden for privacy purposes>"
    next
    edit "FTKMOBblabla"
    next
    edit "FTKMOBblabla"
        set reg-id "<hidden for privacy purposes>"
        set os-ver "<hidden for privacy purposes>"
    next

 

If it looks like the latter, FortiToken Mobile will have to be re-provisioned.

The FortiToken Mobile activation code is required to do this.


If the FortiToken Mobile activation code is lost, contact Fortinet Customer Support.
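
One way to run the Step 7 check when there are many tokens, as an added example that is not part of the original article or any Fortinet tooling: it parses saved 'show user fortitoken' output and lists the entries that have no 'set license' line. The sample output, token serials and function names are constructed for illustration.

```python
import re

# Constructed sample of 'show user fortitoken' output (serials and values are
# made up); the second and third entries have no 'set license' line.
SAMPLE = '''\
config user fortitoken
    edit "FTKMOB0000000001"
        set license "EXAMPLE-LICENSE"
        set activation-code "EXAMPLE-CODE"
        set reg-id "EXAMPLE-REG"
    next
    edit "FTKMOB0000000002"
        set reg-id "EXAMPLE-REG"
        set os-ver "EXAMPLE-OS"
    next
    edit "FTKMOB0000000003"
    next
end
'''

EDIT_RE = re.compile(r'^\s*edit\s+"?([^"\s]+)"?\s*$')
SET_RE = re.compile(r'^\s*set\s+(\S+)')


def parse_tokens(text):
    """Return {token serial: set of parameter names} from the CLI output."""
    tokens, current = {}, None
    for line in text.splitlines():
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            tokens[current] = set()   # registers entries with no settings too
        elif line.strip() in ("next", "end"):
            current = None
        elif current is not None and (s := SET_RE.match(line)):
            tokens[current].add(s.group(1))
    return tokens


def missing_license(text):
    """Serials of entries without 'set license' (re-provisioning candidates)."""
    return [name for name, params in parse_tokens(text).items()
            if "license" not in params]


if __name__ == "__main__":
    for serial in missing_license(SAMPLE):
        print(f"{serial}: no 'set license', re-provision before migrating")
```

Lines outside an edit/next block, such as the CLI prompt, are ignored, so a raw terminal capture can be passed in unchanged.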

 

Additional debug commands for FortiToken Cloud:


diagnose debug console timestamp enable
diagnose fortitoken-cloud debug enable
diagnose debug enable
diagnose fortitoken-cloud sync all

 

When VDOM is enabled:

   config global
   diagnose debug console timestamp enable
   diagnose fortitoken-cloud debug enable
   diagnose debug enable
   diagnose fortitoken-cloud sync all


To disable debug:


diagnose debug disable
diagnose debug reset

 

Basic FortiIdentity cloud troubleshooting debug from FortiGate and FortiAuthenticator: 
Diagnosing FortiIdentity Cloud