Technical Tip: FortiToken basic troubleshooting

dalon · ‎06-05-2015

Description

This article describes the first steps to take in case of FortiToken activation failure. If the configuration has been migrated from another unit, the tokens will not work unless they are completely removed first and then re-imported.

Scope

FortiGate.

Solution

Step 1: General view:

exec ping fds1.fortinet.com
exec ping directregistration.fortinet.com
show system central-management

The above servers must be reachable from FortiGate CLI. When a FortiManager manages the system, skip the next steps as the tokens should be provided by FortiManager itself.

Step 2: Current status check:

diag fortitoken info
diag test application forticldd 7
show user fortitoken

Step 3: Run the following command:

show full | grep -f FTK

If the token has the 'set seed...' displayed in 'show user', but it shows an error in 'fortitoken info', delete this FortiToken first.
If the token is displayed without the "set seed...", line can be activated as in step 5b.

Step 4: Turn on activation debugging:

diag debug reset

diag debug console time en

diag debug app forticldd 255

diag fortitoken debug enable

diag debug enable

diag debug info

FortiToken-200 is activated through the FortiGuard network and is locked upon first activation (one-time activation lock). If the Tokens lock was released recently, there is only one chance to activate and catch an error if an issue occurs.

Step 5a: If the Token was deleted as per step 3a., run only this command (and skip the activation):

config user fortitoken
edit <FortiTokenSN>
end

Step 5b: Otherwise, activate it:

exec fortitoken activate <FortiTokenSN>

diag fortitoken info | grep -v active

All tokens should be active and should have the seed in config:

diag fortitoken info
show user fortitoken
disable debug
diag debug reset
diag debug disable

To verify whether the FortiToken activation code is sending or not, collect the below command output:

sh system email-server

diag debug reset

diag debug appl alertmail -1

diag debug enable

After initiating the above commands, then select 'Send Activation Code' under User&Authentication -> User Definition -> Edit the user.

Additional troubleshooting related to License Activation Failure:

Error message on CLI and GUI

Step 1: Run the ''fortitoken debug':

diagnose debug disable

diagnose debug reset

diagnose debug console time enable

diagnose fortitoken debug enable

diagnose debug enable

Step 2: Get the logs:

[641] fds_ctx_set_addr: server: 173.243.138.68:443
[188] fds_svr_default_pickup_server: fdni: 173.243.138.68:443
[337] fds_send_reply: Sending 1005 bytes data.
[361] fds_send_reply: send reply failed: req-1, Connection refused

{ "d": { "__type": "SoftToken.ActivationLicenseRequest", "__version": "4", "license_activation_code": "DA8C-0508-1F31-4CF7-C990", "serial_number": "FG4H0ETB20900993", "__device_version": "6.0", "__device_build": "6325", "__clustered_sns": [ { "sn": "FG4H0ETB20900993" }, { "sn": "FG4H0E5819900260" } ] } }

ftm_fc_comm_recv_response[477]:receive packet from forticare success.

{"d":{"__type":"SoftToken.ActivationLicenseResponse","__version":"4","serial_number":"FG4H0ETB20900993","__device_version":"6.0","__device_build":"6325","__clustered_sns":[{"sn":"FG4H0E5819900260","error":null},{"sn":"FG4H0ETB20900993","error":null}],"license_activation_code":"DA8C-0508-1F31-4CF7-C990","license":"","tokens":null,"result":0,"error":{"error_code":14,"error_message":"forticare license expired"}}}

ftm_fc_command[564]:received error from forticare [-7564]
import fortitoken license error: -7564

Look for the error messages as shown on the log above 'error_message':

error_message":"forticare license expired

This log indicates the license code entered is expired. The solution here is to get a new license code and register it on the FortiGate.

Related article: