Fortinet black logo

Administration Guide

Troubleshooting and diagnosis

Troubleshooting and diagnosis

This section contains some common scenarios for FortiTokens troubleshooting and diagnosis:

FortiToken Statuses

When troubleshooting FortiToken issues, it is important to understand different FortiToken statuses. FortiToken status may be retrieved either from the CLI or the GUI, with a slightly different naming convention.

Before you begin, verify that the FortiGate has Internet connectivity and is also connected to both the FortiGuard and registration servers:

# execute ping fds1.fortinet.com

# execute ping directregistration.fortinet.com

# execute ping globalftm.fortinet.net

Note

The globalftm.fortinet.net server is the Fortinet Anycast server added in FortiOS 6.4.2.

If there are connectivity issues, retrieving FortiToken statuses or performing FortiToken activation could fail. Therefore, troubleshoot connectivity issues before continuing.

To retrieve FortiToken statuses:
  • In the CLI:

    # diagnose fortitoken info

  • In the GUI:

    Go to User & Authentication > FortiTokens.

Various FortiToken statuses in either the CLI or the GUI may be described as follows:

CLI

GUI

Description

new

Available

Newly added, not pending, not activated, not yet assigned.

active

Assigned

Assigned to a user, hardware token.

provisioning

Pending

Assigned to a user and waiting for activation on the FortiToken Mobile app.

provisioned

Assigned

Assigned to user and activated on the FortiToken Mobile app.

provision timeout

Token provided to user but not activated on the FortiToken Mobile app. To fix, the token needs to be re-provisioned and activated in time.

token already activated, and seed won't be returned

Error

Token is locked by FortiGuard FDS. The hardware token was already activated on another device and locked by FDS.

locked

Either manually locked by an Administrator (set status lock), or locked automatically, for example, when the token is unassigned and the FortiCare FTM provisioning server was unreachable to process that change.

Recovering trial FortiTokens

You can recover trial FortiTokens if deleted from a FortiGate, or if stuck in a state where it is not possible to provision to a user.

When a token is stuck in an unusual state or with errors, delete the FortiTokens from the unit and proceed to recover trial FortiTokens.

To recover trial tokens via the GUI:
  1. Go to User & Authentication > FortiTokens.
  2. Click the Import Free Trial Tokens button at the top. The two free trial tokens are recovered.
To recover trial tokens via the CLI:

# execute fortitoken-mobile import 0000-0000-0000-0000-0000

Note
  • Before attempting to recover the trial tokens, both the tokens should be deleted from the unit first.
  • If VDOMs are enabled, trial tokens are in the management VDOM (root by default).
Following error codes might come up in the CLI:
  • If the device is not registered:

    # execute fortitoken-mobile import 0000-0000-0000-0000-0000

    import fortitoken license error: -7571

  • If the serial number format is incorrect:

    # execute fortitoken-mobile import 0000-0000-0000-0000-00

    import fortitoken license error: -7566

Recovering lost Administrator FortiTokens

If an Administrator loses their FortiToken or the FortiToken is not working, they will not be able to log into the admin console through the GUI or the CLI. If there is another Administrator that can log into the device, they may be able to reset the two-factor settings configured for the first Administrator, or create a new Admin user for them. Note that a super_admin user will be able to edit other admin user settings, but a prof_admin user will not be able to edit super_admin settings.

In the case where there are no other administrators configured, the only option is to flash format the device and reload a backup config file. You must have console access to the device in order to format and flash the device. It is recommended to be physically on site to perform this operation.

Note

The process of resetting an Admin user password using the maintainer account cannot be used to reset or disable two-factor authentication.

Before formatting the device, verify that you have a backup config file. You may or may not have the latest config file backed up, though you should consider using a backed up config file, and reconfigure the rest of the recent changes manually. Otherwise, you may need to configure your device starting from the default factory settings.

To recover lost Administrator FortiTokens:
  1. If you have a backed up config file:
    1. Open the config file and search for the specific admin user. For representational purposes we will use Test in our example.

      # edit "Test"

      set accprofile "super_admin"

      set vdom "root"

      set two-factor fortitoken

      set fortitoken "FTKXXXXXXXXXX"

      set email-to "admin@email.com"

      set password *********

      next

      end

    2. Once you find the settings for the Test user, delete the fortitoken-related settings:

      # edit "Test"

      set accprofile "super_admin"

      set vdom "root"

      set password *********

      next

      end

  2. Format the boot device during a maintenance window and reload the firmware image using instructions in the Formatting and loading FortiGate firmware image using TFTP KB article.
  3. Once the reload is complete, log into the admin console from the GUI using the default admin user credentials, and go to Configuration > Restore from the top right corner to reload your config file created in Step 1 above.
  4. Once the FortiGate reboots and your configuration is restored, you can log in with your admin user credentials.

SSL VPN with multi-factor authentication expiry timers

When SSL VPN is configured with multi-factor authentication (MFA), sometimes you may require a longer token expiry time than the default 60 seconds.

To configure token expiry timers using the CLI:
config system global
    set two-factor-ftk-expiry <number of seconds>
    set two-factor-ftm-expiry <number of seconds>
    set two-factor-sms-expiry <number of seconds>
    set two-factor-fac-expiry <number of seconds>
    set two-factor-email-expiry <number of seconds>
end

These timers apply to the tokens themselves and remain valid for as long as configured above. However, SSL VPN does not necessarily accept tokens for the entire duration they are valid. To ensure SSLVPN accepts the token for longer durations, you need to configure the remote authentication timeout setting accordingly.

To configure the remote authentication timeout:
config system global
    set remoteauthtimeout <1-300 seconds>
end

SSL VPN waits for a maximum of five minutes for a valid token code to be provided before closing down the connection, even if the token code is valid for longer.

Note

The remoteauthtimout setting shows how long SSL VPN waits not only for a valid token to be provided before closing down the connection, but also for other remote authentication like LDAP, RADIUS, and so on.

Troubleshooting and diagnosis

This section contains some common scenarios for FortiTokens troubleshooting and diagnosis:

FortiToken Statuses

When troubleshooting FortiToken issues, it is important to understand different FortiToken statuses. FortiToken status may be retrieved either from the CLI or the GUI, with a slightly different naming convention.

Before you begin, verify that the FortiGate has Internet connectivity and is also connected to both the FortiGuard and registration servers:

# execute ping fds1.fortinet.com

# execute ping directregistration.fortinet.com

# execute ping globalftm.fortinet.net

Note

The globalftm.fortinet.net server is the Fortinet Anycast server added in FortiOS 6.4.2.

If there are connectivity issues, retrieving FortiToken statuses or performing FortiToken activation could fail. Therefore, troubleshoot connectivity issues before continuing.

To retrieve FortiToken statuses:
  • In the CLI:

    # diagnose fortitoken info

  • In the GUI:

    Go to User & Authentication > FortiTokens.

Various FortiToken statuses in either the CLI or the GUI may be described as follows:

CLI

GUI

Description

new

Available

Newly added, not pending, not activated, not yet assigned.

active

Assigned

Assigned to a user, hardware token.

provisioning

Pending

Assigned to a user and waiting for activation on the FortiToken Mobile app.

provisioned

Assigned

Assigned to user and activated on the FortiToken Mobile app.

provision timeout

Token provided to user but not activated on the FortiToken Mobile app. To fix, the token needs to be re-provisioned and activated in time.

token already activated, and seed won't be returned

Error

Token is locked by FortiGuard FDS. The hardware token was already activated on another device and locked by FDS.

locked

Either manually locked by an Administrator (set status lock), or locked automatically, for example, when the token is unassigned and the FortiCare FTM provisioning server was unreachable to process that change.

Recovering trial FortiTokens

You can recover trial FortiTokens if deleted from a FortiGate, or if stuck in a state where it is not possible to provision to a user.

When a token is stuck in an unusual state or with errors, delete the FortiTokens from the unit and proceed to recover trial FortiTokens.

To recover trial tokens via the GUI:
  1. Go to User & Authentication > FortiTokens.
  2. Click the Import Free Trial Tokens button at the top. The two free trial tokens are recovered.
To recover trial tokens via the CLI:

# execute fortitoken-mobile import 0000-0000-0000-0000-0000

Note
  • Before attempting to recover the trial tokens, both the tokens should be deleted from the unit first.
  • If VDOMs are enabled, trial tokens are in the management VDOM (root by default).
Following error codes might come up in the CLI:
  • If the device is not registered:

    # execute fortitoken-mobile import 0000-0000-0000-0000-0000

    import fortitoken license error: -7571

  • If the serial number format is incorrect:

    # execute fortitoken-mobile import 0000-0000-0000-0000-00

    import fortitoken license error: -7566

Recovering lost Administrator FortiTokens

If an Administrator loses their FortiToken or the FortiToken is not working, they will not be able to log into the admin console through the GUI or the CLI. If there is another Administrator that can log into the device, they may be able to reset the two-factor settings configured for the first Administrator, or create a new Admin user for them. Note that a super_admin user will be able to edit other admin user settings, but a prof_admin user will not be able to edit super_admin settings.

In the case where there are no other administrators configured, the only option is to flash format the device and reload a backup config file. You must have console access to the device in order to format and flash the device. It is recommended to be physically on site to perform this operation.

Note

The process of resetting an Admin user password using the maintainer account cannot be used to reset or disable two-factor authentication.

Before formatting the device, verify that you have a backup config file. You may or may not have the latest config file backed up, though you should consider using a backed up config file, and reconfigure the rest of the recent changes manually. Otherwise, you may need to configure your device starting from the default factory settings.

To recover lost Administrator FortiTokens:
  1. If you have a backed up config file:
    1. Open the config file and search for the specific admin user. For representational purposes we will use Test in our example.

      # edit "Test"

      set accprofile "super_admin"

      set vdom "root"

      set two-factor fortitoken

      set fortitoken "FTKXXXXXXXXXX"

      set email-to "admin@email.com"

      set password *********

      next

      end

    2. Once you find the settings for the Test user, delete the fortitoken-related settings:

      # edit "Test"

      set accprofile "super_admin"

      set vdom "root"

      set password *********

      next

      end

  2. Format the boot device during a maintenance window and reload the firmware image using instructions in the Formatting and loading FortiGate firmware image using TFTP KB article.
  3. Once the reload is complete, log into the admin console from the GUI using the default admin user credentials, and go to Configuration > Restore from the top right corner to reload your config file created in Step 1 above.
  4. Once the FortiGate reboots and your configuration is restored, you can log in with your admin user credentials.

SSL VPN with multi-factor authentication expiry timers

When SSL VPN is configured with multi-factor authentication (MFA), sometimes you may require a longer token expiry time than the default 60 seconds.

To configure token expiry timers using the CLI:
config system global
    set two-factor-ftk-expiry <number of seconds>
    set two-factor-ftm-expiry <number of seconds>
    set two-factor-sms-expiry <number of seconds>
    set two-factor-fac-expiry <number of seconds>
    set two-factor-email-expiry <number of seconds>
end

These timers apply to the tokens themselves and remain valid for as long as configured above. However, SSL VPN does not necessarily accept tokens for the entire duration they are valid. To ensure SSLVPN accepts the token for longer durations, you need to configure the remote authentication timeout setting accordingly.

To configure the remote authentication timeout:
config system global
    set remoteauthtimeout <1-300 seconds>
end

SSL VPN waits for a maximum of five minutes for a valid token code to be provided before closing down the connection, even if the token code is valid for longer.

Note

The remoteauthtimout setting shows how long SSL VPN waits not only for a valid token to be provided before closing down the connection, but also for other remote authentication like LDAP, RADIUS, and so on.