FortiToken
FortiToken Mobile is an application for iOS or Android that acts like a hardware token but utilizes hardware the majority of users possess, a mobile phone.
dalon (Staff)
Article Id 194508
Description
This article describes the first steps to take in case of FortiToken activation failure. If the configuration has been migrated from another unit, the tokens will not work unless they are completely removed first and then re-imported.
Scope: FortiGate.
Solution
Step 1: General view:

execute ping fds1.fortinet.com
execute ping directregistration.fortinet.com
show system central-management

The above servers must be reachable from the FortiGate. If the FortiGate is managed by FortiManager, skip the next steps, as the tokens should be provided by FortiManager itself.

Step 2: Current status check:

diagnose fortitoken info
diagnose test application forticldd 7
show user fortitoken

Step 3: Run the following command:

show full-configuration | grep -f FTK

3a. If the token has the 'set seed...' line in 'show user fortitoken' but shows an error in 'diagnose fortitoken info', delete this FortiToken first.

3b. If the token is listed without the 'set seed...' line in 'show user fortitoken', the token can be activated by using step 5b.

Step 4: Turn on activation debugging:

diagnose debug disable
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application forticldd 255
diagnose fortitoken debug enable
diagnose debug enable
diagnose debug info

The FortiToken-200 is activated through the FortiGuard network and is locked upon first activation (one-time activation lock). If the token's lock was released recently, there is only one activation attempt available, so the debug must be running during that attempt to capture the error if it fails.

Step 5a: If the token was deleted as per step 3a, run only this command (and skip the activation):

config user fortitoken
    edit <FortiTokenSN>
end

Step 5b: Otherwise, activate it (this command only supports hard token activation):

execute fortitoken activate <FortiTokenSN>
diagnose fortitoken info | grep -v active

All tokens should be active and should have the seed in the config:

diagnose fortitoken info
show user fortitoken

To stop the debug:

diagnose debug reset
diagnose debug disable
 
To verify whether the FortiToken activation code is being sent over e-mail, collect the output of the following commands. In a multi-VDOM environment, run them from the global VDOM:

show system email-server
diagnose debug reset
diagnose debug application alertmail -1
diagnose debug console timestamp enable
diagnose debug enable

After running the above commands, trigger an activation request and analyze the output. To trigger it, select 'Send Activation Code' under User & Authentication -> User Definition -> Edit the user.

The troubleshooting steps above primarily concern the activation of a token when binding it to a specific user.

If the problem relates to activating additional FortiToken Mobile licenses on the FortiGate, and errors like the examples below are seen in the GUI or CLI, follow the additional troubleshooting steps further below.

[Image: FortiToken license error as shown in the GUI]

[Image: FortiToken license error as shown in the CLI]

Step 1: Run the FortiToken debug (debug output is enabled before the import so that the exchange with FortiCare is captured):

diagnose debug disable
diagnose debug reset
diagnose debug console timestamp enable
diagnose fortitoken debug enable
diagnose debug enable
execute fortitoken-mobile import <ActivationCodeFromRedemptionCertificate>

Step 2: Get the logs and analyze the output for possible errors, as seen below.
 
1. Error message: 'forticare license expired'.

{ "d": { "__type": "SoftToken.ActivationLicenseRequest", "__version": "4",
"license_activation_code": "XXXX-XXXX-XXXX-XXXX-XXXX",
"serial_number": "FGTXXXXKXXXXXXXX", "__device_version": "6.0",
"__device_build": "6325", "__clustered_sns":
[ { "sn": "FGTXXXXKXXXXXXXX" }, { "sn": "FGTXXXXKXXXXXXXX" } ] } }

ftm_fc_comm_recv_response[477]:receive packet from forticare success.
{"d":{"__type":"SoftToken.ActivationLicenseResponse","__version":"4",
"serial_number":"FGTXXXXKXXXXXXXX",
"__device_version":"6.0","__device_build":"6325","__clustered_sns":
[{"sn":"FGTXXXXKXXXXXXXX","error":null},{"sn":"FGTXXXXKXXXXXXXX","error":null}],
"license_activation_code":"DXXXX-XXXX-XXXX-XXXX-XXXX","license":"","tokens":null,"result":0,"error":
{"error_code":14,"error_message":"forticare license expired"}}}

ftm_fc_command[564]:received error from forticare [-7564]
import fortitoken license error: -7564
 
This log indicates the license code entered has expired. The solution is to get a new license code via the sales channel and to register it on the FortiGate.
 
2. Error message: 'forticare license card not found'.

{"__type":"SoftToken.ActivationLicenseResponse","__version":"4",
"serial_number":"FGTXXXXKXXXXXXXX",
"__device_version":"6.0",
"__device_build":"xxxx","__clustered_sns":[],"license_activation_code"
:"xxxxxxxxxxxxxxxx","license":"","tokens":null,"result":0,"error":{"error_code":10,
"error_message":"forticare license card not found"}}}

Refer to the solution in Technical Tip: 'FortiCare license card not found'.

 

3. Error message: 'forticare unkown error', 'received error from forticare [-7549]'.

ftm_fc_comm_recv_response[267]:receive packet success.
{"d":{"__type":"SoftToken.ActivationLicenseResponse","__version":"4",
"serial_number":"FGxxxxxxxxxxxxxx","__device_version":"7.8",
"__device_build":"1740","__clustered_sns":[{"sn":"FGxxxxxxxxxxxxxx","error":null},
{"sn":"FGxxxxxxxxxxxxxx","error":null}],"license_activation_code":"XXXX-XXXX-XXXX-XXXX-XXXX",
"license":"","tokens":null,"result":0,"error":{"error_code":-1,
"error_message":"forticare unkown error"}}}
ftm_fc_command[615]:received error from forticare [-7549]

Delete the trial tokens. If the trial tokens are already assigned to users, assign other tokens to those users first; the trial tokens can then be deleted. Activate the licensed FortiTokens using the activation code. Once the activation has completed successfully, select 'Import Free Trial Tokens'.


Note: This method can also be used for verifying connectivity to the FortiToken Mobile Provisioning server. Activating a trial license restores communication with FortiCloud.

 

4. Error message: 'forticare license already activated', 'import fortitoken license error: -7561'.

{"__type":"SoftToken.ActivationLicenseResponse","__version":"4","serial_number":
"FGT81F*******","__device_version":"7.0","__device_build":"0366","__clustered_sns":
[{"sn":"FGT81F*******","error":null},{"sn":"FGT81F*******","error":null}],"license_activation_code":" AAAA-BBBB-CCCC-DDDD-EEEE ","license":"","tokens":null,"result":0,"error":{"error_code":11,"error_message":"forticare license already activated"}}}
2022-09-16 09:36:40 ftm_fc_command[615]:received error from forticare [-7561]
import fortitoken license error: -7561

 

Refer to the solution in this article: Technical Tip: License Error while importing the Mobile/soft FortiToken.
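The four cases above all follow the same pattern: the FortiCare ActivationLicenseResponse carries an "error" object, and forticldd then prints a negative return code. The following Python script is an added example, not part of this article or of FortiOS: it pulls the JSON response out of a captured debug excerpt, reads the error_code and error_message, and maps the message to the remediation this article gives. The sample debug text is constructed with placeholder serial numbers and codes, and the REMEDIATION table is a paraphrase of the article, not a FortiCare API.

```python
import json
import re

# Constructed sample: a forticldd debug excerpt in the shape shown in this
# article (serial numbers and activation code are placeholders).
SAMPLE_DEBUG = """\
ftm_fc_comm_recv_response[477]:receive packet from forticare success.
{"d":{"__type":"SoftToken.ActivationLicenseResponse","__version":"4",
"serial_number":"FGTXXXXKXXXXXXXX",
"__device_version":"6.0","__device_build":"6325","__clustered_sns":
[{"sn":"FGTXXXXKXXXXXXXX","error":null}],
"license_activation_code":"XXXX-XXXX-XXXX-XXXX-XXXX","license":"","tokens":null,"result":0,"error":
{"error_code":14,"error_message":"forticare license expired"}}}
ftm_fc_command[564]:received error from forticare [-7564]
import fortitoken license error: -7564
"""

# Remediation paraphrased from this article, keyed by FortiCare's error_message.
REMEDIATION = {
    "forticare license expired":
        "Obtain a new license code via the sales channel and register it on the FortiGate.",
    "forticare license card not found":
        "See Technical Tip: 'FortiCare license card not found'.",
    "forticare unkown error":
        "Delete the trial tokens (reassign their users first), activate the "
        "licensed tokens, then select 'Import Free Trial Tokens'.",
    "forticare license already activated":
        "See Technical Tip: License Error while importing the Mobile/soft FortiToken.",
}


def extract_responses(text):
    """Yield every JSON object embedded in the debug output, in order.
    Responses span several lines, so decode from each '{' with raw_decode
    instead of parsing line by line."""
    decoder = json.JSONDecoder()
    pos = 0
    while True:
        start = text.find("{", pos)
        if start < 0:
            return
        try:
            obj, end = decoder.raw_decode(text, start)
        except json.JSONDecodeError:
            pos = start + 1      # not a JSON object here; keep scanning
            continue
        yield obj
        pos = end


def triage(text):
    """Return a dict describing the first ActivationLicenseResponse that
    carries an error, or None if no such response is present."""
    m = re.search(r"received error from forticare \[(-?\d+)\]", text)
    ftm_rc = int(m.group(1)) if m else None
    for obj in extract_responses(text):
        # Some captures wrap the response in "d", others print it bare.
        body = obj.get("d", obj)
        if body.get("__type") != "SoftToken.ActivationLicenseResponse":
            continue
        err = body.get("error")
        if not err:
            continue
        msg = err.get("error_message", "")
        return {
            "error_code": err.get("error_code"),
            "error_message": msg,
            "ftm_rc": ftm_rc,
            "remediation": REMEDIATION.get(
                msg, "Unrecognised FortiCare error; review the full debug output."),
        }
    return None


if __name__ == "__main__":
    result = triage(SAMPLE_DEBUG)
    if result is None:
        print("No FortiCare error found in the capture.")
    else:
        print(f"error_code={result['error_code']} ftm_rc={result['ftm_rc']}: "
              f"{result['error_message']}")
        print("Next step:", result["remediation"])
```

Paste the relevant portion of the debug output into SAMPLE_DEBUG (or read it from a file) and run the script; the error_message string, not the numeric code, is the key the article's remediation hinges on, so an unknown message is reported rather than guessed.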

 

In some scenarios, FortiTokens may automatically transition to a locked state. This commonly occurs during the transfer of FortiTokens between different FortiGate devices or following a license renewal.

 

To verify the current status of a FortiToken, use the following CLI command:

show user fortitoken | grep status

This will display the current state (e.g., active, locked) of the FortiToken(s).

 

Example of a locked FortiToken entry:

config user fortitoken
    edit "FTKMOB26B6XXXXXX3"
        set status lock
    next

 

To change the status of the FortiToken from lock to active, execute the following commands in the FortiGate CLI:

config user fortitoken
    edit "FTKMOB26B6XXXXXX3"
        set status active
    next
end

Note: Replace 'FTKMOB26B6XXXXXX3' with the actual FortiToken serial number relevant to the environment.
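Both step 3 earlier (which tokens lack a 'set seed...' line) and the locked-state check above are read off the same 'show user fortitoken' output. The following Python script is an added example, not part of this article or of FortiOS: it parses a saved copy of that output, lists tokens with no seed and tokens whose status is lock, and renders the unlock block from this article for the locked ones. The sample output is constructed (serial numbers and the seed placeholder are made up), and the script assumes that an entry showing no 'set status' line is active, on the basis that 'show' omits default values.

```python
# Constructed sample in the shape of 'show user fortitoken' output
# (serial numbers and the seed placeholder are made up).
SAMPLE_SHOW_USER_FORTITOKEN = """\
config user fortitoken
    edit "FTK2001XXXXXXXX1"
        set status active
        set seed ENC <redacted-seed-placeholder>
    next
    edit "FTK2001XXXXXXXX2"
        set status active
    next
    edit "FTKMOB26B6XXXXXX3"
        set status lock
        set seed ENC <redacted-seed-placeholder>
    next
end
"""


def parse_fortitoken_config(text):
    """Parse 'config user fortitoken' output into {serial: {"status", "has_seed"}}."""
    tokens = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = line[len("edit "):].strip().strip('"')
            # Assumption: an entry with no 'set status' line is active,
            # because 'show' omits values that are at their default.
            tokens[current] = {"status": "active", "has_seed": False}
        elif current is not None and line.startswith("set status "):
            tokens[current]["status"] = line.split(None, 2)[2]
        elif current is not None and line.startswith("set seed "):
            tokens[current]["has_seed"] = True
        elif line == "next":
            current = None
    return tokens


def audit_tokens(text):
    """Apply the article's two checks: tokens without a seed (never activated,
    candidates for step 5b) and tokens in the locked state."""
    tokens = parse_fortitoken_config(text)
    return {
        "missing_seed": sorted(sn for sn, t in tokens.items() if not t["has_seed"]),
        "locked": sorted(sn for sn, t in tokens.items() if t["status"] == "lock"),
    }


def unlock_commands(serials):
    """Render the CLI block from this article that sets locked tokens back to active."""
    lines = ["config user fortitoken"]
    for sn in serials:
        lines += [f'    edit "{sn}"', "        set status active", "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    report = audit_tokens(SAMPLE_SHOW_USER_FORTITOKEN)
    print("tokens without seed (activate via step 5b):", report["missing_seed"])
    print("locked tokens:", report["locked"])
    if report["locked"]:
        print("unlock with:")
        print(unlock_commands(report["locked"]))
```

Replace SAMPLE_SHOW_USER_FORTITOKEN with the real output (or read it from a file) before running; the seed line is matched only by its 'set seed' prefix, so the encrypted seed value itself never needs to leave the capture.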

 

Note: If the password for the email account that FortiGate uses to send FortiToken activation emails has expired, the activation emails cannot be sent successfully. The password must be updated in the FortiGate to restore email delivery.

 

Related articles: