Hello,
We experience a weird issue with some of our users. We use FortiToken to enable 2FA, but sometimes users get a 'server unreachable' error message when approving their login attempt. Our FortiGate is available, and we're able to connect to it without any problems.
Whenever we remove the current FortiToken and re-invite the user (by scanning a new QR code) the problem is temporarily resolved.
Does anyone experience the same and/or does anyone know how to solve this?
We have a FortiGate 100F running firmware 7.2.5 1517.
Hi @Riggie,
Could you collect the below logs to investigate further?
If possible, create a PCAP from the Android client.
The following application is unrelated to Fortinet, but it has been helpful for creating packet captures per application.
https://play.google.com/store/apps/details?id=com.emanuelef.remote_capture&hl=de&gl=US
Select the FortiToken Mobile application and reproduce the issue.
Run Debug at the same time in FGT:
diag debug console timestamp enable
diag debug app forticldd -1
diag debug app ftm-push
diag fortitoken debug enable
diag debug enable
After reproducing the issue, disable debug using the commands below:
diag debug disable
diag debug reset
Created on 11-08-2023 06:26 AM Edited on 11-08-2023 06:33 AM
Hello,
Thanks for your answer.
I've got the generated files but I want to share these privately as they contain IP-addresses and such. Is there a way to securely share them with you? My own SSL-VPN account also got hit with this problem. The other token that I use for a different FortiGate admin account is still able to process the FortiToken.
I've been battling this off and on for the past few months.
On the problematic devices, after hitting approve after receiving the FortiToken push notification, using the debug commands above the following error is being logged in the console: ssl accept error:1
Any ideas on what this indicates and what could cause this?
Thanks!
Hello,
I've got the PCAP and other support files, but I wish to share them privately as they contain sensitive information. Is there someone from staff I can send the files to?
I've been battling the same issues, did you end up finding a resolution?
This is still an ongoing issue for us. All of our users have the same configuration/equipment/cell phones, all users are on the same cell provider, etc. It happens if the phone is connected via wi-fi or cellular service and it affects about 15% of our users (including myself). Sometimes switching tokens makes it work temporarily, other times it doesn't.
On the problematic tokens, after hitting approve after receiving the FortiToken push notification, using the debug commands above the following error is being logged in the console: ssl accept error:1
Any ideas on what this indicates and what could cause this? It's really odd to me that this only affects some users and not all.
Thanks!
Hi, we have the same issue and the same error in the debug "ssl accept error:1"
Did you get it fixed? thx
Nope, still have the same issue. Anytime I have to reboot the Firewall (either due to a new firmware update or other reason), the same users always immediately start receiving the same error again and I have to re-assign them a different token to get them functioning normally again. It's very frustrating.
Created on 11-25-2024 08:50 AM Edited on 11-25-2024 08:50 AM
1. How is the FortiGate's address configured for push-notification responses?
> show system ftm-push
2. Does your FortiGate's IP change when restarting it? (Sounds like it might? Dynamic IP being assigned by the ISP maybe?)
config system ftm-push
> set server-cert "Fortinet_Factory"
> set server XXX.XXX.XXX.XXX (Our Fortigate's Public IP Address)
> set status enable
end
Our Fortigate's IP does not change when restarting.