DescriptionThis article describes the first workaround steps in case of FortiToken activation failure.
SolutionStep 1: General view
# exec ping fds1.fortinet.com
# exec ping directregistration.fortinet.com
# show sys central
# show full sys central
If it appears that aFortiManager manages the system, skip the next steps as the tokens should be provided by FortiManager itself.
Step 2: Current status check
# diag fortitoken info
# show user fortitoken
# show full | grep -f FTK
Step 3
(a) If the token has the "set seed..." displayed in 'show user', but that it shows error in 'fortitoken info', delete this FortiToken first.
(b) If the token is displayed without the "set seed...", line can be activated as in step 5b.
Step 4: Turn on activation debugging
# diag debug reset
# diag debug console time en
# diag debug app forticldd 255
# diag debug en
# diag debug info
FortiToken 200 is activated through the FortiGuard network and is locked upon firstactivation (one-time activation lock). If your tokens lock were released recently, you will have only one chance to activate and catch an error if an issue occurs.
Step 5a
If the token was deleted as per step 3 (a), only run this command (and skip the activation):
# config user fortitoken
# edit <FortiTokenSN>
# end
Step 5b: Activation
Otherwise, activate it:
# exec fortitoken activate <FortiTokenSN>
Step 6: Check the errors and non-usual states
# diag fortitoken info | grep -v active
Step 7: Check the overall status
All tokens should be active and should have the seed in config:
# diag fortitoken info
# show user fortitoken
# disable debug
# diag debug reset
# diag debug disable
