Description
This article explains how to mitigate the error 'No valid token found - Provision token error: -7567' seen on GUI while assigning FortiToken-Mobile to a user account on the FortiGate.
- Check the available FortiToken:
#FGT # diagnose fortitoken info
FORTITOKEN DRIFT STATUS
FTKMOB76xxxxxxx1 0 provisioned
FTKMOB98XXXXXD49 0 new
FTKMOB76xxxxxxx3 0 new
FTKMOB76xxxxxxx4 0 new
- Check the 'no valid token found' error.
#FGT # diagnose fortitoken debug enable
Debug messages will be on for 30 minutes.
FGT # diagnose debug enable
# ftm_cfg_provision_token[363]:provision token: FTKMOB98XXXXXD49
ftm_fc_provision_token[760]:Provision token: FTKMOB98XXXXXD49
ftm_fc_cfg_set_fd_mgmt_vdom[48]:Using vfid=0 (mgmt:0 ha:3)
ftm_fc_comm_send_request[291]:send packet to forticare success.
POST /SoftToken/Provisioning.asmx/Process HTTP/1.1
Accept: application/json, text/javascript, */*, q=0.01
Content-Type: application/json;charset=utf-8
X-Requested-With: XMLHttpRequest
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: 96.45.36.92:443
Content-Length: 405
Connection: Keep-Alive
Cache-Control: no-cache
{ "d": { "__type": "SoftToken.ProvisionRequest", "__version": "4", "__device_version": "5.0", "__device_build": "1672", "serial_number": "FG100DxxxxxxxxxA", "__clustered_sns":
[ { "sn": " FG100DxxxxxxxxxA" }, { "sn": " FG100DxxxxxxxxxB" } ], "tokens": [ { "token": " FTKMOB98XXXXXD49", "seed": "A203Dxxxxxxxxxxxxxxxxxx", "code_expire": 4320, "type": "totp", "period": 60, "digits": 6 } ] } }
ftm_fc_comm_recv_response[477]:receive packet from forticare success.
{"d":{"__type":"SoftToken.ProvisionResponse","__version":"4","serial_number":" FG100DxxxxxxxxxA","__device_version":"5.0","__device_build":"1672","__clustered_sns":
[{"sn":" FG100DxxxxxxxxxB ","error":null},{"sn":" FG100DxxxxxxxxxA", "error":null}],"tokens":[{"token":" FTKMOB98XXXXXD49","license":null,"token_activation_code":null,"qr_code":null,"code_expire":null,"error":{"error_code":31,"error_message":"token does not belong to product"}}],"result":0,"error":{"error_code":17,"error_message":"no valid token found"}}}
ftm_fc_command[564]:received error from forticare [-7567]
The '-7567' error can occur if the configuration file is restored from a different FortiGate. This includes scenarios like migrating from one FortiGate unit to another manually (modifying the configuration file), using FortiConverter service to migrate configuration, and uploading a configuration file from one firewall to another one with a different serial number.
As each Serial Number is given 2 free FortiTokens after configuration restores the free FortiTokens from the original firewall will not be usable and they can be removed from the new firewall.
Scope
FortiGate.
Solution
Note.
If the FortiGate is running in HA, make sure the FortiTokens license are tied to Master serial number.
Delete the new FortiTokens on the FortiGate:
- Go to: Login GUI -> User & Device -> FortiTokens and elect the available Tokens
- Select 'Create New' and 'Mobile Token' and key in the activation code in the pdf file, that is available in the email from do-not-reply-contract@fortinet.com .
- The deleted FortiToken serial number will appear on the FortiGate again. Try to assign the FortiToken.
