| Description |
This article describes the first steps to take in case of FortiToken activation failure. If the configuration has been migrated from another unit, the tokens will not work unless they are completely removed first and then re-imported.
|
| Scope | FortiGate. |
| Solution |
Step 1: General view:
execute ping fds1.fortinet.com
execute ping directregistration.fortinet.com show system central-management The above servers must be reachable from the FortiGate. When FortiManager manages the system, skip the next steps as the tokens should be provided by FortiManager itself.
Step 2: Current status check: diagnose fortitoken info
diagnose test application forticldd 7 show user fortitoken Step 3: Run the following command: show full-configuration | grep -f FTK
Step 4: Turn on activation debugging: diagnose debug disable
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application forticldd 255
diagnose fortitoken debug enable
diagnose debug enable
diagnose debug info
The FortiToken-200 is activated through the FortiGuard network and is locked upon first activation (one-time activation lock). If the token's lock was released recently, there is only one chance to activate and catch an error if an issue occurs.
Step 5a: If the Token was deleted as per step 3a., run only this command (and skip the activation): config user fortitoken
edit <FortiTokenSN> end Step 5b: Otherwise, activate it:
execute fortitoken activate <FortiTokenSN>
diagnose fortitoken info | grep -v active
All tokens should be active and should have the seed in config:
diagnose fortitoken info
show user fortitoken To stop the debug:
diagnose debug reset diagnose debug disable To verify whether the FortiToken activation code is being sent over e-mail, collect the below command output:
In cases with a multi-VDOM environment, run the following commands from the global VDOM: show system email-server
diagnose debug reset
diagnose debug application alertmail -1
diagnose debug console timestamp enable
diagnose debug enable
After running the above commands, trigger an activation request and analyze the output. This is done by selecting 'Send Activation Code' under User&Authentication -> User Definition -> Edit the user.
It is important to understand that the troubleshooting steps above primarily concern themselves with the activation of a token when binding to a specific user. If the problem relates to attempting to activate additional FortiToken Mobile on the FortiGate and errors are seen in the GUI or CLI, like the examples below, follow the additional troubleshooting steps further below.  
Step 1: Run the FortiToken debug.
diagnose debug reset diagnose debug console time enable diagnose fortitoken debug enable diagnose debug enable
Step 2: Get the logs and analyze the output for possible errors as seen below.
[641] fds_ctx_set_addr: server: 173.243.138.68:443
[188] fds_svr_default_pickup_server: fdni: 173.243.138.68:443 [337] fds_send_reply: Sending 1005 bytes data. [361] fds_send_reply: send reply failed: req-1, Connection refused { "d": { "__type": "SoftToken.ActivationLicenseRequest", "__version": "4", "license_activation_code": "XXXX-XXXX-XXXX-XXXX-XXXX", "serial_number": "FGTXXXXKXXXXXXXX", "__device_version": "6.0", "__device_build": "6325", "__clustered_sns": [ { "sn": "FGTXXXXKXXXXXXXX" }, { "sn": "FGTXXXXKXXXXXXXX" } ] } } ftm_fc_comm_recv_response[477]:receive packet from forticare success. {"d":{"__type":"SoftToken.ActivationLicenseResponse","__version":"4", "serial_number":"FGTXXXXKXXXXXXXX", "__device_version":"6.0","__device_build":"6325","__clustered_sns":[{"sn":"FGTXXXXKXXXXXXXX","error":null},{"sn":"FGTXXXXKXXXXXXXX","error":null}],"license_activation_code":"DXXXX-XXXX-XXXX-XXXX-XXXX","license":"","tokens":null,"result":0,"error": {"error_code":14,"error_message":"forticare license expired"}}} ftm_fc_command[564]:received error from forticare [-7564] import fortitoken license error: -7564 Look for the error messages as shown on the log above 'error_message':
error_message":"forticare license expired"
This log indicates the license code entered is expired. The solution is to get a new license code via sales channel and to register it on the FortiGate.
{"__type":"SoftToken.ActivationLicenseResponse","__version":"4", :"xxxxxxxxxxxxxxxx","license":"","tokens":null,"result":0,"error":{"error_code":10, "error_message":"forticare license card not found"}}}
Refer to the solution in Technical Tip: 'FortiCare license card not found'.
ftm fc_comm_recv_response [267] : receive packet success.
Select 'Import Free Trial Tokens' and then delete the Trial Tokens. Activate the licensed FortiToken. This method can also be used for verifying connectivity to FTM Provisioning server. Activating a trial license restores communication with FortiCloud.
In some scenarios, FortiTokens may automatically transition to a locked state. This commonly occurs during the transfer of FortiTokens between different FortiGate devices or following a license renewal.
To verify the current status of a FortiToken, use the following CLI command:
show user fortitoken | grep status
This will display the current state (e.g., active, locked) of the FortiToken(s).
Example of Locked FortiToken Entry:
config user fortitoken edit "FTKMOB26B6XXXXXX3"
To change the status of the FortiToken from lock to active, execute the following commands in the FortiGate CLI:
config user fortitoken edit "FTKMOB26B6XXXXXX3" set status active next
Note: Replace 'FTKMOB26B6XXXXXX3' with the actual FortiToken serial number relevant to the environment.
Related articles:
|
