Fortinet Forum
ramunas
New Contributor II

Can't unlock fortitoken-mobile

Hi all,

All FortiGates have two trial licenses for FortiToken Mobile. I have locked them and I can't unlock them. The FTM Admin guide says:

To unlock the locked token in FOS when FortiToken Mobile Provisioning Server is reachable, use the following CLI command: execute fortitoken-mobile renew <ftm-sn>

(By the way it is a terrible command - this command locked my fortitokens)

This command gives me an error: 

# execute fortitoken-mobile renew FTKMOB4517CAXXXX
renew softtoken FTKMOB4517CAD038 error -7567

(By the way, I have seen the log messages reference PDF. Is a "CLI error messages reference" available?)

How can I check the connection to the FortiToken Mobile Provisioning Server? I can ping fds1.fortinet.com, but that isn't the same thing.

How do I unlock the FortiTokens? ("set status active" doesn't work: the status in the CLI becomes active, but in the GUI the status is "error".)

Any ideas?

Thanks in advance,

Ramunas

xsilver_FTNT
Staff

I'd suggest to:

config user fortitoken
  edit <token-SN>
    set status active / lock    <== to switch between Locked and Available/Assigned (Unlocked in general) status
end

 

Regarding the server status:

1.

FGT-VM64-1 (root) # diag fortitoken info
FORTITOKEN       DRIFT  STATUS
FTK20019UI7LZAF9 -60    active
FTKMOB499F0D6AE2 0      provision timeout
FTKMOB4910E74378 0      new
Total activated token: 1
Total global activated token: 1
Token server status: reachable

2.

exec ping fds1.fortinet.com                 <== FortiGuard for HW token registrations
exec ping directregistration.fortinet.com   <== FortiCare Mobile token management

Tom xSilver, planet Earth, over and out!
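Added here as an illustration, not code from the thread or from Fortinet: a small Python parser for the `diag fortitoken info` output shown above, which flags tokens that are not in a healthy state and checks the token-server line. The sample output is constructed from the values posted in this thread, and the set of "healthy" statuses is an assumption.

```python
import re

# Constructed sample modelled on the `diag fortitoken info` output posted in this thread.
SAMPLE_OUTPUT = """\
FGT-VM64-1 (root) # diag fortitoken info
FORTITOKEN       DRIFT  STATUS
FTK20019UI7LZAF9 -60    active
FTKMOB499F0D6AE2 0      provision timeout
FTKMOB4910E74378 0      new
FTKMOB45B42EBXXX 0      unknown
Total activated token: 1
Total global activated token: 1
Token server status: reachable
"""

# Statuses this thread shows as normal; anything else gets flagged (assumption).
HEALTHY = {"active", "new"}


def parse_fortitoken_info(text: str) -> dict:
    """Turn the table plus trailer lines into a dict of tokens, totals and server state."""
    tokens, totals, server, in_table = [], {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("FORTITOKEN"):      # column header starts the table
            in_table = True
            continue
        m = re.match(r"Total (global )?activated token:\s*(\d+)", line)
        if m:                                   # first trailer line ends the table
            in_table = False
            totals["global_activated" if m.group(1) else "activated"] = int(m.group(2))
            continue
        if line.startswith("Token server status:"):
            server = line.split(":", 1)[1].strip()
            continue
        if in_table and line:
            # maxsplit=2 keeps multi-word statuses such as "provision timeout" intact
            serial, drift, status = line.split(None, 2)
            tokens.append({"serial": serial, "drift": int(drift), "status": status})
    return {"tokens": tokens, "totals": totals, "server_status": server}


def needs_attention(report: dict) -> list:
    findings = []
    if report["server_status"] != "reachable":
        findings.append(f"token server status is {report['server_status']!r}")
    for t in report["tokens"]:
        if t["status"] not in HEALTHY:
            findings.append(f"{t['serial']}: status {t['status']!r}")
    return findings
```

Feed it the output captured from the FortiGate CLI (or over SSH in a monitoring job) to get a list of tokens that need follow-up instead of reading the table by eye.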

ramunas
New Contributor II

Thank you for your answer. Setting it to active doesn't work. When I set "active", the status becomes "unknown" in the CLI ("error" in the GUI). If I set "lock", the status becomes locked in both the CLI and the GUI.

FGT40C3912039776 # execute ping fds1.fortinet.com
PING fds1.fortinet.com (96.45.33.89): 56 data bytes
64 bytes from 96.45.33.89: icmp_seq=0 ttl=51 time=191.6 ms
64 bytes from 96.45.33.89: icmp_seq=1 ttl=51 time=191.7 ms
64 bytes from 96.45.33.89: icmp_seq=2 ttl=51 time=191.9 ms
64 bytes from 96.45.33.89: icmp_seq=3 ttl=51 time=191.8 ms
64 bytes from 96.45.33.89: icmp_seq=4 ttl=51 time=191.9 ms
--- fds1.fortinet.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 191.6/191.7/191.9 ms

FGT40C3912039776 # execute ping directregistration.fortinet.com
PING directregistration.fortinet.com (208.91.113.68): 56 data bytes
64 bytes from 208.91.113.68: icmp_seq=0 ttl=114 time=177.0 ms
64 bytes from 208.91.113.68: icmp_seq=1 ttl=114 time=176.6 ms
64 bytes from 208.91.113.68: icmp_seq=2 ttl=114 time=175.9 ms
64 bytes from 208.91.113.68: icmp_seq=3 ttl=114 time=176.1 ms
64 bytes from 208.91.113.68: icmp_seq=4 ttl=114 time=175.8 ms
--- directregistration.fortinet.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 175.8/176.2/177.0 ms

FGT40C3912039776 # diag fortitoken info
FORTITOKEN       DRIFT  STATUS
FTKMOB45B42EBXXX 0      unknown
FTKMOB4517CADXXX 0      unknown
Total activated token: 0
Total global activated token: 0
Token server status: reachable

murilo
New Contributor

Hi, 

 

Here, unlocking only worked after deleting both FortiToken Mobile tokens.

 

===================

 

1) Know your mobile tokens, as in this example...

 

# config user fortitoken
(fortitoken) # show full-configuration
    edit "FTKMOB1111111111"      <-------------------------------
        set status active
        set seed ''
        set comments ''
        set license "FTMTRIAL00000000"
        set activation-code ''
        set activation-expire 0
    next
    edit "FTKMOB2222222222"      <-------------------------------
        set status active
        set seed ''
        set comments ''
        set license "FTMTRIAL00000000"
        set activation-code ''
        set activation-expire 0
    next
end

 

2) Delete your Two mobile fortitokens...

(fortitoken) # delete FTKMOB1111111111

(fortitoken) # delete FTKMOB2222222222

(fortitoken) # end

 

3) Exit from "config user fortitoken" and import your two default fortitoken mobile again

# execute fortitoken-mobile import 0000-0000-0000-0000-0000

 

===================

 

PRO: unlocks successfully.

 

PROBLEM: even if only one FortiToken is locked and the others are OK, to unlock that single FortiToken you must delete all the others. If anyone knows how to unlock without having to delete all FortiTokens, please share with us.

sdash_FTNT
Staff

Hello,

 

You can unlock a FortiToken without having to delete all the FortiTokens. Please find the steps below:

For a specific FortiToken FTKMOBAAAAAAAAAA:

# config user fortitoken
(fortitoken) # edit FTKMOBAAAAAAAAAA
(FTKMOBAAAAAAAAAA) # show full-configuration
config user fortitoken
    edit "FTKMOBAAAAAAAAAA"
        set status active
        set seed ' '
        set comments ' '
        set license "FTMTRIAL00000000"
        set activation-code "XXXXXXXXXXXXXXXX"
        set activation-expire ' '
    next
end
(FTKMOBAAAAAAAAAA) # set status lock
(FTKMOBAAAAAAAAAA) # end

 

 

After the status is set to lock, it will show the status as "Locked" for that specific FortiToken under User and Device > FortiToken.

 

You can unlock it again with the commands below:

 

# config user fortitoken
(fortitoken) # edit FTKMOBAAAAAAAAAA
(FTKMOBAAAAAAAAAA) # show full-configuration
config user fortitoken
    edit "FTKMOBAAAAAAAAAA"
        set status lock
        set seed ""
        set comments ''
        set license "FTMTRIAL00000000"
        set activation-code "XXXXXXXXXXXXXXXX"
        set activation-expire ' '
    next
end
(FTKMOBAAAAAAAAAA) # set status active
(FTKMOBAAAAAAAAAA) # end

 

 

Please make sure that under System > Config > FortiGuard, the FortiToken seed server registration status shows reachable.

 

 

ramunas
New Contributor II

Hello,

No, no, that is the wrong way. You can lock this way, but you can't unlock. The FortiGate doesn't accept a "set activation-code "xxxx"" that was entered manually.

I can confirm that in my case only the solution described in the previous post worked: only deleting all FortiTokens helps.

BR, Ramunas

sdash_FTNT
Staff

Hello,

 

In my previous comment, I displayed the entire default configuration of the (free) mobile FortiToken by entering the command "show full-configuration" for understanding, and there was no manual entry for the activation-code.

 

Please note the above test was done on my end only for the Free Mobile tokens. 

 

To be more specific, when the status is "lock" on the free mobile token, the only change we make in the CLI is:

 

# config user fortitoken
(fortitoken) # edit FTKMOBAAAAAAAAAA
(FTKMOBAAAAAAAAAA) # set status active
(FTKMOBAAAAAAAAAA) # end

 

murilo

sdash_FTNT wrote:

Hello,

 

In my previous comment, I displayed the entire default configuration of the (free) mobile FortiToken by entering the command "show full-configuration" for understanding, and there was no manual entry for the activation-code.

 

Please note the above test was done on my end only for the Free Mobile tokens. 

 

To be more specific, when the status is "lock" on the free mobile token, the only change we make in the CLI is:

 

# config user fortitoken
(fortitoken) # edit FTKMOBAAAAAAAAAA
(FTKMOBAAAAAAAAAA) # set status active
(FTKMOBAAAAAAAAAA) # end

 

 

sdash_FTNT,

 

Every time we have this problem, the first procedure we try is this one (as ramunas tried), and it doesn't work every time.

 

The result here is the same as described below by ramunas.

 

ramunas wrote:

Thank you for your answer. Setting it to active doesn't work. When I set "active", the status becomes "unknown" in the CLI ("error" in the GUI). If I set "lock", the status becomes locked in both the CLI and the GUI.

 

 

Here, it only works when deleting the two free FortiToken Mobile tokens and importing them again (as described in my first post).

 

murilo
New Contributor

FortiOS 5.0.9, 5.2.1 and 5.2.2

sainusp
New Contributor

If the firewall shows User & Device -> FortiTokens -> any token status as Locked, then go to CLI mode and apply the following commands:

FW-01 # config user fortitoken
FW-01 (fortitoken) # edit <Token Serial Number>
FW-01 (<Token Serial Number>) # set status active

Then go to User & Device -> FortiTokens; the locked token status will be shown as error (if it is not showing error, then log out and log back in to the firewall). After the status shows error, apply the following CLI command:

FW-01 # execute fortitoken-mobile renew <Token Serial Number>

Log out and log back in; then you will see the status is available.