Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor II

FortiClient error message: token denied or timeout. (-7105) [Solved]



When connecting to FrotiGate SSL VPN with FortiToken Mobile 2FA using FortiClient 6.4, one of the users is getting following pop-up windows with error: "token denied or timeout. (-7105) [OK]". At the same time the push auth message arrives to a mobile. When closing the pop-up, the authentication resets and I cannot even enter token manually.


This happened after upgrading/reinstalling FortiClient VPN 6.2 (which worked fine) to 6.4. After that this particular token broke down. FortiClient VPN Windows native client v1.0.. (MS Store version) does not trigger push authentication to mobile (manually works as there are no error messages). When reinstalled back to old FC v6.2 it stopped to trigger push auth as well, but did not show an error message so I could enter the token manually and connect successfully.


Tried to remove token from user and assign again - did not help.


Tried to reset drift - did not help.


Tried to renew token - did not help.

# execute fortitoken-mobile renew  FTKMOBxxxxxxx


Tried to increase remote auth timeout - did not help.

# set remoteauthtimeout 60


Something is wrong with this particular token, other tokens work fine. That appeared previously for other user/token, but removing and re-activating token helped then. This time it does not help, so the token can be used only in manual mode and in older FC v6.2.


Anyone knows how to fix this error?


some sslvpn debug output here:


2020-11-12 14:26:45 [224:root:89d]two factor check for ivo: off
2020-11-12 14:26:45 [224:root:89d]sslvpn_authenticate_user:191 authenticate user: [ivo]
2020-11-12 14:26:45 [224:root:89d]sslvpn_authenticate_user:198 create fam state
2020-11-12 14:26:45 [224:root:89d]fam_auth_send_req:583 with server blacklist:
2020-11-12 14:26:45 [224:root:89d]fam_auth_send_req_internal:461 fnbam_auth return: 4
2020-11-12 14:26:45 [224:root:89d]Auth requires token
2020-11-12 14:26:47 [223:root:825]sslvpn_send_ctrl_msg:960 0x7fa66a9e00 message: heartbeat
2020-11-12 14:27:02 [223:root:825]sslvpn_send_ctrl_msg:960 0x7fa66a9e00 message: heartbeat
2020-11-12 14:27:03 [223:root:825]sslvpn_dtls_handle_client_data:736 0x7fa66a9e00 got heartbeat
2020-11-12 14:27:07 [224:root:89d]Timeout for connection 0x7fa648cf00.
2020-11-12 14:27:07 [224:root:89d]Destroy sconn 0x7fa648cf00, connSize=1. (root)
2020-11-12 14:27:17 [223:root:825]sslvpn_send_ctrl_msg:960 0x7fa66a9e00 message: heartbeat
>>> here it's waiting for token, no push auth is sent to mobile
>>> when I enter the token manually, it continues
2020-11-12 14:27:24 [223:root:825]sslvpn_dtls_handle_client_data:736 0x7fa66a9e00 got heartbeat
2020-11-12 14:27:32 [223:root:825]sslvpn_send_ctrl_msg:960 0x7fa66a9e00 message: heartbeat
2020-11-12 14:27:40 [223:root:8a1]allocSSLConn:289 sconn 0x7fa648cf00 (0:root)
2020-11-12 14:27:40 [223:root:8a1]SSL state:before SSL initialization (x.x.x.x)
2020-11-12 14:27:40 [223:root:8a1]SSL state:before SSL initialization (x.x.x.x)
2020-11-12 14:27:40 [223:root:8a1]got SNI server name: realm (null)



some fnbamd debug output:




2020-11-12 14:54:08 [3155] fnbamd_ldap_result-Skipping group matching
2020-11-12 14:54:08 [1002] find_matched_usr_grps-Skipped group matching
2020-11-12 14:54:08 [2887] fnbamd_fas_send_push-username:ivo, vdom:root, usertype:0, tfc=0, auth_type:16
2020-11-12 14:54:08 [181] fnbamd_comm_send_result-Sending result 7 (error 0, nid 0) for req 611519643
2020-11-12 14:54:08 [1290] freeze_auth_session-
>>> here it's waiting for token, push did not received, so entered manually:
2020-11-12 14:54:45 [2454] handle_req-Rcvd auth_token rsp for req 611519643
2020-11-12 14:54:45 [2499] handle_req-Check token '047720' with user 'ivo'
2020-11-12 14:54:45 [2518] handle_req-Verify(user=ivo vdom=root token_code=047720) returns 0
2020-11-12 14:54:45 [2555] handle_req-Token check succeeded. Orig auth ret 0
2020-11-12 14:54:45 [1002] find_matched_usr_grps-Skipped group matching
2020-11-12 14:54:45 [181] fnbamd_comm_send_result-Sending result 0 (error 0, nid 0) for req 611519643
2020-11-12 14:54:45 [181] fnbamd_comm_send_result-Sending result 0 (error 0, nid 0) for req 611519643
2020-11-12 14:54:45 [724] destroy_auth_session-delete session 611519643



P.S. FortiOS v6.2.3

P.P.S. Other token on the same phone is working fine and receiving push ath messages.





Update 13.11.2020:

The problem solved by itself. Push notifications work fine today.



Spooky. Thanks for update.

I do not like things which break and fix by itself, without me knowing what happened, what was root cause, and wat was needed to fix the thing. 

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff


Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors