- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- FortiClient error message: token denied or timeout...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiClient error message: token denied or timeout. (-7105) [Solved]
Hi,
When connecting to FrotiGate SSL VPN with FortiToken Mobile 2FA using FortiClient 6.4, one of the users is getting following pop-up windows with error: "token denied or timeout. (-7105) [OK]". At the same time the push auth message arrives to a mobile. When closing the pop-up, the authentication resets and I cannot even enter token manually.
This happened after upgrading/reinstalling FortiClient VPN 6.2 (which worked fine) to 6.4. After that this particular token broke down. FortiClient VPN Windows native client v1.0.. (MS Store version) does not trigger push authentication to mobile (manually works as there are no error messages). When reinstalled back to old FC v6.2 it stopped to trigger push auth as well, but did not show an error message so I could enter the token manually and connect successfully.
Tried to remove token from user and assign again - did not help.
Tried to reset drift - did not help.
Tried to renew token - did not help.
# execute fortitoken-mobile renew FTKMOBxxxxxxx
Tried to increase remote auth timeout - did not help.
# set remoteauthtimeout 60
Something is wrong with this particular token, other tokens work fine. That appeared previously for other user/token, but removing and re-activating token helped then. This time it does not help, so the token can be used only in manual mode and in older FC v6.2.
Anyone knows how to fix this error?
some sslvpn debug output here:
...
2020-11-12 14:26:45 [224:root:89d]two factor check for ivo: off
2020-11-12 14:26:45 [224:root:89d]sslvpn_authenticate_user:191 authenticate user: [ivo]
2020-11-12 14:26:45 [224:root:89d]sslvpn_authenticate_user:198 create fam state
2020-11-12 14:26:45 [224:root:89d]fam_auth_send_req:583 with server blacklist:
2020-11-12 14:26:45 [224:root:89d]fam_auth_send_req_internal:461 fnbam_auth return: 4
2020-11-12 14:26:45 [224:root:89d]Auth requires token
2020-11-12 14:26:47 [223:root:825]sslvpn_send_ctrl_msg:960 0x7fa66a9e00 message: heartbeat 84.245.201.72
2020-11-12 14:27:02 [223:root:825]sslvpn_send_ctrl_msg:960 0x7fa66a9e00 message: heartbeat 84.245.201.72
2020-11-12 14:27:03 [223:root:825]sslvpn_dtls_handle_client_data:736 0x7fa66a9e00 got heartbeat
2020-11-12 14:27:07 [224:root:89d]Timeout for connection 0x7fa648cf00.
2020-11-12 14:27:07 [224:root:89d]Destroy sconn 0x7fa648cf00, connSize=1. (root)
2020-11-12 14:27:17 [223:root:825]sslvpn_send_ctrl_msg:960 0x7fa66a9e00 message: heartbeat 84.245.201.72
>>> here it's waiting for token, no push auth is sent to mobile
>>> when I enter the token manually, it continues
2020-11-12 14:27:24 [223:root:825]sslvpn_dtls_handle_client_data:736 0x7fa66a9e00 got heartbeat
2020-11-12 14:27:32 [223:root:825]sslvpn_send_ctrl_msg:960 0x7fa66a9e00 message: heartbeat 84.245.201.72
2020-11-12 14:27:40 [223:root:8a1]allocSSLConn:289 sconn 0x7fa648cf00 (0:root)
2020-11-12 14:27:40 [223:root:8a1]SSL state:before SSL initialization (x.x.x.x)
2020-11-12 14:27:40 [223:root:8a1]SSL state:before SSL initialization (x.x.x.x)
2020-11-12 14:27:40 [223:root:8a1]got SNI server name: xxx.xxx realm (null)
...
some fnbamd debug output:
...
2020-11-12 14:54:08 [3155] fnbamd_ldap_result-Skipping group matching
2020-11-12 14:54:08 [1002] find_matched_usr_grps-Skipped group matching
2020-11-12 14:54:08 [2887] fnbamd_fas_send_push-username:ivo, vdom:root, usertype:0, tfc=0, auth_type:16
2020-11-12 14:54:08 [181] fnbamd_comm_send_result-Sending result 7 (error 0, nid 0) for req 611519643
2020-11-12 14:54:08 [1290] freeze_auth_session-
>>> here it's waiting for token, push did not received, so entered manually:
2020-11-12 14:54:45 [2454] handle_req-Rcvd auth_token rsp for req 611519643
2020-11-12 14:54:45 [2499] handle_req-Check token '047720' with user 'ivo'
2020-11-12 14:54:45 [2518] handle_req-Verify(user=ivo vdom=root token_code=047720) returns 0
2020-11-12 14:54:45 [2555] handle_req-Token check succeeded. Orig auth ret 0
2020-11-12 14:54:45 [1002] find_matched_usr_grps-Skipped group matching
2020-11-12 14:54:45 [181] fnbamd_comm_send_result-Sending result 0 (error 0, nid 0) for req 611519643
2020-11-12 14:54:45 [181] fnbamd_comm_send_result-Sending result 0 (error 0, nid 0) for req 611519643
2020-11-12 14:54:45 [724] destroy_auth_session-delete session 611519643
...
P.S. FortiOS v6.2.3
P.P.S. Other token on the same phone is working fine and receiving push ath messages.
BR
Ivo
Update 13.11.2020:
The problem solved by itself. Push notifications work fine today.
1 REPLY 1
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Spooky. Thanks for update.
I do not like things which break and fix by itself, without me knowing what happened, what was root cause, and wat was needed to fix the thing.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Related Posts
- free vpn client certificate problems 201 Views
- Oracle sessions randomly hanging behind fortigate 111 Views
- When connecting VPN from FortiClient getting... 187 Views
- SSLVPN login fails before 7AM EDT 148 Views
- ZTNA not working. Help please. 306 Views
Labels
-
FortiGate
6,542 -
FortiClient
1,304 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
243 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
70 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
Firewall policy
24 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
FortiAuthenticator
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
Interface
12 -
FortiCASB
12 -
Logging
11 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiDB
3 -
Port policy
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
Fortinet Engage Partner Program
2 -
TACACS
1 -
4.0MR1
1 -
Schedule
1 -
Users
1 -
SDN connector
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
FortiPAM
1 -
Application signature
1 -
Web rating
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Multicast routing
1 -
Email filter profile
1 -
Zone
1 -
Internet Service Database
1 -
Explicit proxy
1 -
System settings
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.