Troubleshooting and diagnosis
This section contains some common scenarios for FortiTokens troubleshooting and diagnosis:
- FortiToken Statuses
- Recovering trial FortiTokens
- Recovering lost Administrator FortiTokens
- SSL VPN with multi-factor authentication expiry timers
FortiToken Statuses
When troubleshooting FortiToken issues, it is important to understand different FortiToken statuses. FortiToken status may be retrieved either from the CLI or the GUI, with a slightly different naming convention.
Before you begin, verify that the FortiGate has Internet connectivity and can reach both the FortiGuard and the registration servers:
# exec ping fds1.fortinet.com
# exec ping directregistration.fortinet.com
# exec ping globalftm.fortinet.net
If there are connectivity issues, retrieving FortiToken statuses or performing FortiToken activation could fail. Therefore, troubleshoot connectivity issues before continuing.
To retrieve FortiToken statuses:
- From the CLI:
# diagnose fortitoken info
- From the GUI:
Go to User & Authentication > FortiTokens.
Various FortiToken statuses in either the CLI or the GUI may be described as follows:
| CLI | GUI | Description |
|---|---|---|
| | Available | Newly added, not pending, not activated, not yet assigned. |
| | Assigned | Assigned to a user (hardware token). |
| | Pending | Assigned to a user and waiting for activation on the FortiToken Mobile app. |
| | Assigned | Assigned to a user and activated on the FortiToken Mobile app. |
| | | Token provided to the user but not activated on the FortiToken Mobile app in time. To fix, the token needs to be re-provisioned and activated in time. |
| | Error | Token is locked by FortiGuard FDS: the hardware token was already activated on another device and locked by FDS. |
| | | Either manually locked by an Administrator ( |
Recovering trial FortiTokens
You can recover trial FortiTokens if they were deleted from a FortiGate, or if they are stuck in a state where they cannot be provisioned to a user.
When a token is stuck in an unusual state or shows errors, delete the FortiTokens from the unit and then recover the trial FortiTokens as described below.
To recover trial tokens via the GUI:
- Go to User & Authentication > FortiTokens.
- Click the Import Free Trial Tokens button at the top. The two free trial tokens are recovered.
To recover trial tokens via the CLI:
# execute fortitoken-mobile import 0000-0000-0000-0000-0000
The following error codes might appear in the CLI:
- If the device is not registered:
# exec fortitoken-mobile import 0000-0000-0000-0000-0000
import fortitoken license error: -7571
- If the serial number format is incorrect:
# exec fortitoken-mobile import 0000-0000-0000-0000-00
import fortitoken license error: -7566
Recovering lost Administrator FortiTokens
If an Administrator loses their FortiToken or the FortiToken is not working, they will not be able to log into the admin console through the GUI or the CLI. If there is another Administrator that can log into the device, they may be able to reset the two-factor settings configured for the first Administrator, or create a new Admin user for them. Note that a super_admin user will be able to edit other admin user settings, but a prof_admin user will not be able to edit super_admin settings.
In the case where there are no other administrators configured, the only option is to flash format the device and reload a backup config file. You must have console access to the device in order to format and flash the device. It is recommended to be physically on site to perform this operation.
The process of resetting an Admin user password using the maintainer account cannot be used to reset or disable two-factor authentication.
Before formatting the device, verify that you have a backup config file, and that it is an unencrypted backup, because you will need to edit it in a text editor. You may not have the very latest configuration backed up; even so, use the most recent backup you have and reapply recent changes manually afterwards. Otherwise, you will need to configure the device from factory default settings.
To recover lost Administrator FortiTokens:
- If you have a backed up config file, open it and search for the specific admin user. For representational purposes we will use Test in our example:
# edit "Test"
set accprofile "super_admin"
set vdom "root"
set two-factor fortitoken
set fortitoken "FTKXXXXXXXXXX"
set email-to "admin@email.com"
set password ENC SH2BsE7VSvHKynpoY1nOupdfaefe/n+JaPrCMPFADY2U5kLUPnZwuitOpNz35YI=
next
end
- Once you find the settings for the Test user, delete the fortitoken-related settings (the two-factor, fortitoken and email-to lines) and save the file, so that the entry looks like this:
# edit "Test"
set accprofile "super_admin"
set vdom "root"
set password ENC SH2BsE7VSvHKynpoY1nOupdfaefe/n+JaPrCMPFADY2U5kLUPnZwuitOpNz35YI=
next
end
- Format the boot device during a maintenance window and reload the firmware image using the instructions in the Formatting and loading FortiGate firmware image using TFTP KB article.
- Once the reload is complete, log into the admin console from the GUI using the default admin user credentials, and go to Configuration > Restore from the top right corner to load the config file you edited in the steps above.
- Once the FortiGate reboots and your configuration is restored, you can log in with your admin user credentials (password only, with no token prompt). Re-enable two-factor authentication for that account with a replacement token once you are back in.
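The manual edit above is easy to get wrong on a large backup (the same FortiToken may also be referenced under config user local, and an admin entry can contain nested config blocks). The following script is an added example for this page, not Fortinet code and not a Fortinet API: it walks a plaintext (unencrypted) config backup using the config/edit/set/next/end syntax shown above and removes the two-factor lines from exactly one admin entry, refusing to run if that admin is not found. SAMPLE_CONFIG is constructed for the demo and its ENC values are placeholders, not real password hashes; the set of keys it strips is an assumption mirroring the manual step.

```python
"""Remove an admin's FortiToken two-factor settings from a FortiOS config backup.

Added example for this page, not Fortinet code: it edits the text of a
plaintext (unencrypted) backup in the config/edit/set/next/end syntax shown
above. SAMPLE_CONFIG is constructed for the demo; the ENC values are
placeholders, not real password hashes.
"""
import re

# Settings removed from the admin entry, mirroring the manual step above.
# Assumption: these three keys are the only two-factor related lines there.
TWO_FACTOR_KEYS = ("two-factor", "fortitoken", "email-to")

SET_RE = re.compile(r"^set\s+(\S+)")


def strip_two_factor(config_text: str, admin_name: str):
    """Return (new_config, removed_lines).

    Only lines directly inside  config system admin -> edit "<admin_name>"
    are touched, so the same FortiToken assigned to an ordinary user under
    'config user local' is left alone. Raises ValueError if the admin entry
    is not present (a typo would otherwise silently change nothing).
    """
    stack = []            # open blocks as ("config", name) / ("edit", name)
    out, removed = [], []
    found = False
    target = [("config", "system admin"), ("edit", admin_name)]
    for line in config_text.splitlines():
        s = line.strip()
        in_target = stack == target
        if s.startswith("config "):
            stack.append(("config", s[len("config "):].strip()))
        elif s.startswith("edit "):
            stack.append(("edit", s[len("edit "):].strip().strip('"')))
            found = found or stack == target
        elif s in ("next", "end"):
            if stack:
                stack.pop()
        elif in_target:
            m = SET_RE.match(s)
            if m and m.group(1) in TWO_FACTOR_KEYS:
                removed.append(s)
                continue      # drop this line from the output
        out.append(line)
    if not found:
        raise ValueError(f'admin "{admin_name}" not found under config system admin')
    return "\n".join(out) + "\n", removed


# Constructed sample backup: two admins plus a VPN user sharing the token format.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC PLACEHOLDER
    next
    edit "Test"
        set accprofile "super_admin"
        set vdom "root"
        set two-factor fortitoken
        set fortitoken "FTKXXXXXXXXXX"
        set email-to "admin@email.com"
        set password ENC PLACEHOLDER
    next
end
config user local
    edit "vpnuser"
        set type password
        set two-factor fortitoken
        set fortitoken "FTKYYYYYYYYYY"
        set passwd ENC PLACEHOLDER
    next
end
"""

if __name__ == "__main__":
    new_config, removed = strip_two_factor(SAMPLE_CONFIG, "Test")
    print("removed:", *removed, sep="\n  ")
    print(new_config)
```

Run it against a copy of the backup, diff the result against the original, and restore only after confirming that the sole change is the three lines in the intended admin entry.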
SSL VPN with multi-factor authentication expiry timers
When SSL VPN is configured with multi-factor authentication (MFA), sometimes you may require a longer token expiry time than the default 60 seconds.
To configure token expiry timers using the CLI:
# config system global
set two-factor-ftk-expiry <number of seconds>
set two-factor-ftm-expiry <number of seconds>
set two-factor-sms-expiry <number of seconds>
set two-factor-fac-expiry <number of seconds>
set two-factor-email-expiry <number of seconds>
end
These timers apply to the tokens themselves: a code remains valid for as long as configured above. However, SSL VPN does not necessarily accept a code for the whole time it is valid. To have SSL VPN accept codes for the longer window, you also need to raise the remote authentication timeout to at least the expiry you configured (up to its 300-second maximum).
To configure the remote authentication timeout:
# config system global
set remoteauthtimeout <1-300 seconds>
end
SSL VPN waits for a maximum of five minutes for a valid token code to be provided before closing down the connection, even if the token code is valid for longer.