Riggie
New Contributor III

Server unreachable error when user approves FortiToken on phone, new token temporarily solves this.

Hello,

We experience a weird issue with some of our users. We use FortiToken to enable 2FA, but sometimes users get a 'server unreachable' error message when approving their login attempt. Our FortiGate is available, and we're able to connect to it without any problems.

Whenever we remove the current FortiToken and re-invite the user (by scanning a new QR code) the problem is temporarily resolved.

Does anyone experience the same and/or does anyone know how to solve this?

We have a FortiGate 100F running firmware 7.2.5 1517.

Keerthi_A
Staff

Hi @Riggie,

Could you collect the below logs to investigate further?


If possible, create a PCAP from the Android client.
The following application is unrelated to Fortinet, but it has been helpful for creating packet captures per application.
https://play.google.com/store/apps/details?id=com.emanuelef.remote_capture&hl=de&gl=US
Select the FortiToken Mobile application and reproduce the issue.

Run Debug at the same time in FGT:
diag debug console timestamp enable
diag debug app forticldd -1
diag debug app ftm-push
diag fortitoken debug enable
diag debug enable

After reproducing the issue, disable debug using the commands below:

diag debug disable
diag debug reset

Riggie
New Contributor III

Hello,

Thanks for your answer.

I've got the generated files but I want to share these privately as they contain IP addresses and such. Is there a way to securely share them with you? My own SSL-VPN account also got hit with this problem. The other token that I use for a different FortiGate admin account is still able to process the FortiToken.

FortiNet_Newb

I've been battling this off and on for the past few months.

On the problematic devices, after hitting approve after receiving the FortiToken push notification, using the debug commands above the following error is being logged in the console: ssl accept error:1

Any ideas on what this indicates and what could cause this?

Thanks!

Riggie
New Contributor III

Hello,

I've got the PCAP and other support files, but I wish to share them privately as they contain sensitive information. Is there someone from staff I can send the files to?

seanmd
New Contributor II

I've been battling the same issues, did you end up finding a resolution? 

Sean Donnelly
FortiNet_Newb
Contributor

This is still an ongoing issue for us. All of our users have the same configuration/equipment/cell phones, all users are on the same cell provider, etc. It happens if the phone is connected via wi-fi or cellular service and it affects about 15% of our users (including myself). Sometimes switching tokens makes it work temporarily, other times it doesn't.

On the problematic tokens, after hitting approve after receiving the FortiToken push notification, using the debug commands above the following error is being logged in the console: ssl accept error:1

Any ideas on what this indicates and what could cause this? It's really odd to me that this only affects some users and not all.

Thanks!

Radomir

Hi, we have the same issue and the same error in the debug "ssl accept error:1"

Did you get it fixed? thx

FortiNet_Newb

Nope, still have the same issue.  Anytime I have to reboot the Firewall (either due to a new firmware update or other reason), the same users always immediately start receiving the same error again and I have to re-assign them a different token to get them functioning normally again.  It's very frustrating.

pminarik

1, How is the FortiGate's address configured for push-notification responses?

> show system ftm-push

2, Does your FortiGate's IP change when restarting it? (sounds like it might? Dynamic IP being assigned by the ISP maybe?)

[ corrections always welcome ]
FortiNet_Newb

config system ftm-push
 > set server-cert "Fortinet_Factory"
 > set server XXX.XXX.XXX.XXX (Our Fortigate's Public IP Address)
 > set status enable
end

Our Fortigate's IP does not change when restarting.
