Can't unlock fortitoken-mobile

Author
ramunas
2015/04/22 01:20:03 (permalink) 5.2

Hi all,
all fortigates have two trial licenses for fortitoken mobile. I have locked them and I can't unlock them. A FTM Admin guide says:
To unlock the locked token in FOS when FortiToken Mobile Provisioning Server is
reachable, use the following CLI command:
execute fortitoken-mobile renew <ftm-sn>
(By the way it is a terrible command - this command locked my fortitokens)
This command gives me an error: 
# execute fortitoken-mobile renew FTKMOB4517CAXXXX
renew softtoken FTKMOB4517CAD038 error -7567
(btw - I have seen a log messages reference pdf. Is a "cli error messages reference" available?)
How to check connection to FortiToken Mobile Provisioning Server? I have ping to fds1.fortinet.com, but it isn't the same.
How to unlock fortitokens? ("set status active" doesn't work. The status in cli became active, but in GUI status=error)
Any ideas?
Thanks in advance,
Ramunas
#1


    xsilver_FTNT
    Re: Can't unlock fortitoken-mobile 2015/04/27 01:23:49 (permalink)
    I'd suggest:
    config user fortitoken
      edit <token-SN>
        set status active / lock    <== to switch between Locked and Available/Assigned (Unlocked in general) status
    end
     
    Regarding the server status:
    1.
    FGT-VM64-1 (root) # diag fortitoken info
    FORTITOKEN       DRIFT  STATUS
    FTK20019UI7LZAF9 -60    active
    FTKMOB499F0D6AE2 0      provision timeout
    FTKMOB4910E74378 0      new

    Total activated token: 1
    Total global activated token: 1

    Token server status: reachable


    2.
    exec ping fds1.fortinet.com   <== FortiGuard for HW token registrations
    exec ping directregistration.fortinet.com  <== FortiCare Mobile token management


    #2
    ramunas
    Re: Can't unlock fortitoken-mobile 2015/04/27 21:45:44 (permalink)
    Thank you for your answer. Setting to active doesn't work. When I set "active" the status becomes "unknown" in CLI ("error" in GUI). (If I set "lock", the status becomes locked in CLI and GUI.)
    FGT40C3912039776 # execute ping fds1.fortinet.com
    PING fds1.fortinet.com (96.45.33.89): 56 data bytes
    64 bytes from 96.45.33.89: icmp_seq=0 ttl=51 time=191.6 ms
    64 bytes from 96.45.33.89: icmp_seq=1 ttl=51 time=191.7 ms
    64 bytes from 96.45.33.89: icmp_seq=2 ttl=51 time=191.9 ms
    64 bytes from 96.45.33.89: icmp_seq=3 ttl=51 time=191.8 ms
    64 bytes from 96.45.33.89: icmp_seq=4 ttl=51 time=191.9 ms

    --- fds1.fortinet.com ping statistics ---
    5 packets transmitted, 5 packets received, 0% packet loss
    round-trip min/avg/max = 191.6/191.7/191.9 ms

    FGT40C3912039776 # execute ping directregistration.fortinet.com
    PING directregistration.fortinet.com (208.91.113.68): 56 data bytes
    64 bytes from 208.91.113.68: icmp_seq=0 ttl=114 time=177.0 ms
    64 bytes from 208.91.113.68: icmp_seq=1 ttl=114 time=176.6 ms
    64 bytes from 208.91.113.68: icmp_seq=2 ttl=114 time=175.9 ms
    64 bytes from 208.91.113.68: icmp_seq=3 ttl=114 time=176.1 ms
    64 bytes from 208.91.113.68: icmp_seq=4 ttl=114 time=175.8 ms

    --- directregistration.fortinet.com ping statistics ---
    5 packets transmitted, 5 packets received, 0% packet loss
    round-trip min/avg/max = 175.8/176.2/177.0 ms

    FGT40C3912039776 # diag fortitoken info
    FORTITOKEN DRIFT STATUS
    FTKMOB45B42EBXXX 0 unknown
    FTKMOB4517CADXXX 0 unknown

    Total activated token: 0
    Total global activated token: 0
    Token server status: reachable
    #3
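Added example (not part of the original posts and not Fortinet code): a small Python parser for the `diag fortitoken info` output shown in posts #2 and #3, which lists tokens that are not in a healthy state and reports whether the token server line points at connectivity as the cause. The sample outputs are copied from those two posts; treating `active` and `new` as healthy and the name `triage` are assumptions made for this example.

```python
import re

# Outputs copied from posts #2 and #3 of this thread.
POST_2 = """\
FORTITOKEN       DRIFT  STATUS
FTK20019UI7LZAF9 -60    active
FTKMOB499F0D6AE2 0      provision timeout
FTKMOB4910E74378 0      new

Total activated token: 1
Total global activated token: 1

Token server status: reachable
"""
POST_3 = """\
FORTITOKEN DRIFT STATUS
FTKMOB45B42EBXXX 0 unknown
FTKMOB4517CADXXX 0 unknown

Total activated token: 0
Total global activated token: 0
Token server status: reachable
"""

# Row: serial, signed drift, then a status that may contain spaces.
ROW = re.compile(r"^(FTK\w+)\s+(-?\d+)\s+(\S.*)$")
SERVER = re.compile(r"^Token server status:\s*(\S.*)$", re.IGNORECASE)

def parse_fortitoken_info(text):
    """Return the token rows and the token server status from the CLI output."""
    tokens, server = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        row, srv = ROW.match(line), SERVER.match(line)
        if row:
            tokens.append({"serial": row.group(1), "drift": int(row.group(2)),
                           "status": row.group(3)})
        elif srv:
            server = srv.group(1)
    return {"tokens": tokens, "server": server}

def triage(text, healthy=("active", "new")):
    """List tokens outside `healthy` (an assumption, adjust as needed) and say
    whether the server status line points at connectivity as the cause."""
    info = parse_fortitoken_info(text)
    stuck = [t for t in info["tokens"] if t["status"] not in healthy]
    reachable = info["server"] == "reachable"
    return {"server_reachable": reachable, "stuck": stuck,
            "connectivity_suspect": bool(stuck) and not reachable}
```

For the output in post #3, `triage(POST_3)` reports both tokens as stuck while the server is reachable, which matches the poster's observation that a successful ping did not explain the failure.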
    murilo
    Re: Can't unlock fortitoken-mobile 2015/06/10 12:45:17 (permalink)
    Hi, 
     
    Here, it unlocked only after deleting both FortiToken Mobile tokens.
     
    ===================
     
    1) Know your mobile tokens, as in this example...
     
    # config user fortitoken
    (fortitoken) # show full-configuration
                     edit "FTKMOB1111111111"      <-------------------------------
                           set status active
                           set seed ''
                           set comments ''
                           set license "FTMTRIAL00000000"
                           set activation-code ''
                           set activation-expire 0
                    next
                   edit "FTKMOB2222222222"      <-------------------------------
                          set status active
                          set seed ''
                          set comments ''
                          set license "FTMTRIAL00000000"
                          set activation-code ''
                          set activation-expire 0
                   next
              end
     
    2) Delete your two mobile fortitokens...
    (fortitoken) # delete FTKMOB1111111111
    (fortitoken) # delete FTKMOB2222222222
    (fortitoken) # end
     
    3) Exit from "config user fortitoken" and import your two default fortitoken mobile again
    # execute fortitoken-mobile import 0000-0000-0000-0000-0000
     
    ===================
     
    PRO: unlocks successfully
     
    PROBLEM: even if only one fortitoken is locked and the others are OK, to unlock this one fortitoken you must delete all the others.

    If anyone knows how to unlock without having to delete all fortitokens, please share with us.
    #4
    sdash_FTNT
    Re: Can't unlock fortitoken-mobile 2015/06/12 04:12:27 (permalink)
    Hello,
     
    You can unlock a fortitoken without having to delete all the fortitokens. Please find the steps below.
    For a specific Fortitoken FTKMOBAAAAAAAAAA:
    # config user fortitoken
    (fortitoken) # edit FTKMOBAAAAAAAAAA
    (FTKMOBAAAAAAAAAA) # show full-configuration
    config user fortitoken
    edit "FTKMOBAAAAAAAAAA"
    set status active
    set seed ' '
    set comments ' '
    set license "FTMTRIAL00000000"
    set activation-code "XXXXXXXXXXXXXXXX"
    set activation-expire ' '
    next
    end
    (FTKMOBAAAAAAAAAA) # set status lock
    (FTKMOBAAAAAAAAAA) # end
     
     
    After the status is set to lock, it will show the status as "Locked" for that specific Fortitoken under User and device > Fortitoken.
     
    You can unlock the same as per the commands below:
     
    # config user fortitoken
    (fortitoken) # edit FTKMOBAAAAAAAAAA
    (FTKMOBAAAAAAAAAA) # show full-configuration
    config user fortitoken
    edit "FTKMOBAAAAAAAAAA"
    set status lock
    set seed ""
    set comments ''
    set license "FTMTRIAL00000000"
    set activation-code "XXXXXXXXXXXXXXXX"
    set activation-expire ' '
    next
    end
    (FTKMOBAAAAAAAAAA) # set status active
    (FTKMOBAAAAAAAAAA) # end
     
     
    Please make sure under system > Config > fortiguard > Fortitoken seed server registration status shows reachable.
     
     
    #5
    ramunas
    Re: Can't unlock fortitoken-mobile 2015/06/12 04:37:23 (permalink)
    Hello,
    no no, it is the wrong way. You can lock in this way, but can't unlock. Fortigate doesn't accept "set activation-code "xxxx"" which was entered manually.
    I can confirm that in my case only the solution described in the previous post worked - only deleting all fortitokens helps.
    BR, Ramunas
    #6
    sdash_FTNT
    Re: Can't unlock fortitoken-mobile 2015/06/15 02:16:36 (permalink)
    Hello,
     
    In my previous comment, I have displayed the entire default configuration of the mobile fortitoken (free) by entering the command "#Show full-configuration" for understanding, and there was no manual entry for the activation-code.
     
    Please note the above test was done on my end only for the Free Mobile tokens.
     
    To be more specific, when the status is "lock" on the Free Mobile token, the only change we make on CLI is:
     
    # config user fortitoken
    (fortitoken) # edit FTKMOBAAAAAAAAAA
    (FTKMOBAAAAAAAAAA) # set status active
    (FTKMOBAAAAAAAAAA) # end
     
    #7
    murilo
    Re: Can't unlock fortitoken-mobile 2015/06/15 04:38:01 (permalink)
    sdash_FTNT
    Hello,
     
    In my previous comment, I have displayed the entire default configuration of the mobile fortitoken (free) by entering the command "#Show full-configuration" for understanding, and there was no manual entry for the activation-code.
     
    Please note the above test was done on my end only for the Free Mobile tokens.
     
    To be more specific, when the status is "lock" on the Free Mobile token, the only change we make on CLI is:
     
    # config user fortitoken
    (fortitoken) # edit FTKMOBAAAAAAAAAA
    (FTKMOBAAAAAAAAAA) # set status active
    (FTKMOBAAAAAAAAAA) # end
     

     
    sdash_FTNT,
     
    Every time we have this problem, the first procedure is this one (as ramunas tried), and it doesn't work every time.
     
    The result here is the same as described below by ramunas.
     
    ramunas
    Thank you for your answer. Setting to active doesn't work. When I set "active" the status becomes "unknown" in CLI ("error" in GUI). (If I set "lock", the status becomes locked in CLI and GUI.)
     

     
    Here, it works only when we delete the two free FortiToken Mobile tokens and "import" them again (as described in my first post).
     
    #8
    murilo
    Re: Can't unlock fortitoken-mobile 2015/06/15 04:40:24 (permalink)
    FortiOS 5.0.9, 5.2.1 and 5.2.2
    #9
    sainusp
    Re: Can't unlock fortitoken-mobile 2019/03/14 23:46:55 (permalink)
    If the firewall shows any token with status Locked under User & Device -> FortiTokens, go to CLI mode and apply the following commands:
    FW-01 # config user fortitoken

    FW-01 (fortitoken) # edit <Token Serial Number>

    FW-01 (<Token Serial Number>) # set status active

    FW-01 (<Token Serial Number>) # end
    Then go to User & Device -> FortiTokens; the locked token's status will be shown as error (if it is not showing error, log out of the firewall and log in again).
    After the status shows error, apply the following CLI command:

    FW-01 # execute fortitoken-mobile renew <Token Serial Number>
    Log out and log in again, then you will see the status is available.
    #10