edoutreleau
New Contributor

FortiToken clock drift detected (code: 086447).

Hi

When I want to use my hard FortiToken 200 to access my VPN, I get the following message:

FortiToken clock drift detected (code: 086447). Please input the next code and continue

But when I go to my FortiGate and type

diag fortitoken info |

I get

FTKxxxxxxxxxx 0 active

How can I adjust the clock of my FortiToken 200?

live89
Contributor

Have you tried this KB:

https://kb.fortinet.com/kb/documentLink.do?externalID=FD46341

 

As far as I know it should show provisioned state ...

Thanks

edoutreleau

Hi

I have already seen this KB, but I really don't know what I should do with that.

There's nothing I can do if I have a FortiToken 200 with a FortiGate.

The only sync commands available are for FortiAuthenticator or FortiToken Mobile.

live89

Is this a new implementation, or has it worked before and suddenly stopped working?

Also, have you tried to re-activate the FortiToken?

Thanks

edoutreleau

Hi


Well, we have around 60 FortiToken 200s and only some don't work. But I can't say if they have ever worked.

I have tried to activate that token again, but it told me that it was already activated, and I don't see a way to deactivate it.

xsilver_FTNT
Staff

@ac89live the idea is the same, but the FTK200 is a HARDWARE and not a MOBILE token, and therefore has slightly different statuses.

However, to the original post:

1. Drift is the difference between the clock inside the token (the device, for mobile, or the HW clock in hardware models like 200-211-220)

2. FortiGate/FortiAuthenticator should have system time synced by NTP.

3. Regardless of NTP sync, the clock in a token can get out of the auto-correction window, and so a message requesting two consecutive codes for manual sync is shown. That might also happen during first/initial deployment, and so I'd suggest/recommend that the admin sync tokens before handing them over to users.

How-to:

# execute fortitoken sync <tokenId=SN> <code1> <code2>

where code1 and code2 have to be consecutive token codes, one after another, so in a 60 sec interval (default for HW tokens).

Numbers in the DRIFT column in the GUI or in 'diag fortitoken info' show how many cycles the token's clock is ahead of or behind the system clock in FGT/FAC.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
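
The drift, auto-correction window and two-code manual sync described in the reply above, shown as an added example that is not part of the thread and not Fortinet's code. It assumes a standard RFC 6238-style time-based token with the 60-second step mentioned above; the window sizes, seed and timestamps are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 60         # seconds per code (the hardware-token default quoted above)
AUTO_WINDOW = 1   # assumption: cycles tolerated without a manual sync
SYNC_WINDOW = 20  # assumption: cycles searched when two codes are supplied


def hotp(secret, counter, digits=6):
    """RFC 4226 one-time code for a counter (here: the time-step number)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret, code, server_time, drift=0):
    """Drift in cycles at which code matches, or None outside the auto window."""
    base = server_time // STEP + drift
    for delta in sorted(range(-AUTO_WINDOW, AUTO_WINDOW + 1), key=abs):
        if hmac.compare_digest(hotp(secret, base + delta), code):
            return drift + delta
    return None


def resync(secret, code1, code2, server_time):
    """Manual sync: search a wider window for the cycle where code1 is directly
    followed by code2, so a single guessed code cannot pass the wide search."""
    base = server_time // STEP
    for delta in sorted(range(-SYNC_WINDOW, SYNC_WINDOW + 1), key=abs):
        if (hmac.compare_digest(hotp(secret, base + delta), code1)
                and hmac.compare_digest(hotp(secret, base + delta + 1), code2)):
            return delta
    return None


def demo():
    """Constructed case: a token whose clock is 7 cycles behind the server."""
    secret, now = b"constructed-demo-seed", 1_700_000_000
    token_step = (now - 7 * STEP) // STEP
    code1, code2 = hotp(secret, token_step), hotp(secret, token_step + 1)
    before = verify(secret, code1, now)              # outside the auto window
    drift = resync(secret, code1, code2, now)        # found by manual sync
    after = verify(secret, code1, now, drift=drift)  # accepted with new drift
    return before, drift, after


if __name__ == "__main__":
    print(demo())
```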
