Firmware Version v6.4.4, build1028 (GA)
We are using LDAPS

Hello,
Regarding issue: Unable to add token FTK200BBXXX for remote LDAP user xxx: Unable to retrieve FTK seeds: Problem with SSL communication layer.
Please check the connectivity between FAC and following directions:
directregistration.fortinet.com
ftc.fortinet.com

Check on edge firewall for any deep inspection or other security policy applied recently.
FAC should be able to reach Fortiguard servers to activate the Tokens.

Also Check if you have enable proxy on FAC?!

BR

Hi @sadmin ,
"Problem with SSL communcation layer.

Default-Server-Certificate expired and was renewed with a reboot.
"
Not quite sure which cert was renewed.
However above claims seems to me more like there is invalid cert somewhere.
If LDAP server cert was renewed, then Remote User Sync uses underlying Remote Auth, Servers / LDAP config. And if that one has "Secure Connection" enabled, then check if new LDAP server cert was signed with CA set there.
If you got even further and "Use Client Certificate for TLS Authentication" is in place, effectively enforcing not just ANY cert signed by CA but specific cert presented by "client" which is your LDAP server, then check if that is set to renewed cert.

Another possible issue might be some MitM actor, like SSL Deep Inspection on any of your intermediate firewalls between FAC and LDAP server.
As that SSL/TLS inspection needs to decrypt traffic to be able to see and inspect what's inside, it then needs have encryption keys and way to do so is to step into stream and introduce its own CA. So server->decrypt->inspect->encrypt->Client kind of operations. If Server or Client does cert inspection and knows what is supposed to be present by counter-party, then certificates messed by inspection are detected and such communication is then assumed as being hijacked (insecure) and is terminated.