Support Forum
seadave
Contributor III

Here's a major FACVM Gotcha to watch out for.

http://kb.fortinet.com/kb/documentLink.do?externalID=FD34405

 

We had a FAC200D, and the TAC converted our config to load on a FACVM.  Not one said, "Hey don't let the FACVM communicate outbound before you re-load your converted config...".

 

So we have 12 tokens now that we can't provision.  I've spent a good part of my day researching what I thought to be an LDAP error before finding the above link.

9 replies
seadave
Contributor III

Look for these log errors:

 

System 30909 FTM provision error: server returned error: "No valid tokens found(17)" admin System 30909 FTM provision error: invalid server response: some requested token not properly answered: FTKMOB#####...
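The two log messages quoted above are the practical detection signal for this problem, so here is an added example (not part of the original post, and not Fortinet code) that scans FortiAuthenticator log text for them and separates the "No valid tokens found" shape from the "token not properly answered" shape. The sample log lines are constructed to mirror the quoted messages, and the FTKMOB... serials are placeholders; the line format, regexes and function names are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample FortiAuthenticator log lines, modelled on the two messages
# quoted in the post above. Token serials are placeholders, not real FTM serials.
SAMPLE_LOG = """\
System 30909 FTM provision error: server returned error: "No valid tokens found(17)"
System 30909 FTM provision error: invalid server response: some requested token not properly answered: FTKMOBPLACEHOLDER1
System 30909 FTM provision error: invalid server response: some requested token not properly answered: FTKMOBPLACEHOLDER2
System 10001 Admin login successful
System 30909 FTM provision error: server returned error: "No valid tokens found(17)"
"""

# Captures the message body after the "FTM provision error:" marker (assumed format).
PROVISION_ERR = re.compile(r"FTM provision error:\s*(?P<detail>.+)$")
# FortiToken Mobile serials start with FTKMOB; the tail pattern here is an assumption.
TOKEN_SERIAL = re.compile(r"\bFTKMOB[A-Z0-9]+")


@dataclass
class FtmError:
    line_no: int
    detail: str
    token: Optional[str]  # serial named in the message, if any


def parse_ftm_errors(log_text: str) -> List[FtmError]:
    """Extract every FTM provisioning error from raw log text."""
    found: List[FtmError] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = PROVISION_ERR.search(line)
        if not m:
            continue
        detail = m.group("detail").strip()
        t = TOKEN_SERIAL.search(detail)
        found.append(FtmError(line_no, detail, t.group(0) if t else None))
    return found


def count_no_valid_tokens(errors: List[FtmError]) -> int:
    """How many times the server replied 'No valid tokens found'."""
    return sum(1 for e in errors if "No valid tokens found" in e.detail)


def unanswered_tokens(errors: List[FtmError]) -> List[str]:
    """Serials the server refused to answer for, in log order."""
    return [e.token for e in errors if e.token and "not properly answered" in e.detail]


def should_alert(errors: List[FtmError], threshold: int = 2) -> bool:
    """Repeated 'No valid tokens found' while unassigned tokens still exist in the
    pool points at a license/serial binding problem (as in this thread), not at
    LDAP or a user error, so it deserves its own alert rather than a generic one."""
    return count_no_valid_tokens(errors) >= threshold


if __name__ == "__main__":
    errs = parse_ftm_errors(SAMPLE_LOG)
    for e in errs:
        print(f"line {e.line_no}: {e.detail} (token={e.token})")
    print("alert:", should_alert(errs), "unanswered:", unanswered_tokens(errs))
```

Running the block over the constructed sample reports four provisioning errors, two of them the "No valid tokens found(17)" reply and two naming a placeholder serial, which is enough to trip the alert; the point is to route this specific combination to whoever owns licensing rather than spending a day on LDAP, as the original poster did.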

xsilver_FTNT
Staff

Hi,

As the issue is caused by two trial tokens, then when you are in the situation with errors, how about simply deleting those two trial tokens? Those associated with the FACVM0000 SN should stop causing any issue. And if you are counting on those two tokens, then you should be able to click 'Create New' and select the check box "Get FortiToken Mobile free trial tokens" to get two trial tokens associated/issued now for your FAC VM SN?

 

Kind regards,

Tomas

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

seadave

Tomas-

 

Not sure I understand.  I have a list of 12 available tokens out of our pool of 200.  The other 188 are active.  If I try to provision a new user none of the 12 will work.  So during the migration from our FAC200D to FACVM, apparently because the FACVM was able to communicate with directregistration.fortinet.com BEFORE I downloaded and applied my FACVM license, those FREE FTMs were invalidated.  Why one is not able to re-register or reset the FTMs is beyond me and a major inconvenience.

seadave

BTW, there is NO warning regarding this in the latest (5.3) FortiAuthenticator documentation.  This should be in the release notes AND it should be noted prominently prior to the VM install section.

 

seadave

I just talked to my other Admin and there is another wrinkle.  Apparently after our upgrade the FAC did work for a few days.  I just tried several of our remaining tokens again and the 12 unassigned tokens don't work.

 

As a work around, we are enabling new users via email token which does work as their MFA.  Of course this isn't desirable if an email account is compromised, but is a good temporary fix.

 

Edit: I now suspect this was due to some sort of grace period before the FACVM vs the FTM assigned serial mismatch made them invalid. 

seadave

So the resolution was that Tech Support had to re-assign my FTMs to my new FACVM serial number.  This can only be done by customer service.  There was some trepidation that this would kill all of our FTMs (nearly 200 issued), but it does not appear to have done so.  Once they did that, the free tokens became assignable and things started working again.

 

Another issue we discovered is that the LDAP Browse for the Remote LDAP server definition DOES NOT WORK in 5.1.2, 5.2.2 and 5.3.1.  If you press it, it will indicate "failed query due to invalid credentials".  We wasted a lot of time on this until realizing it will NEVER work.  We have remote sync rules set up, and those DO allow you to browse the LDAP/AD directory, so the Remote LDAP server definition is correct.  If we put a known bad password in this setting it broke the ability to browse in both locations.  Entering a proper password allows one to browse Remote Sync Rule definition OUs, but not for the LDAP server definition.  It appears to be a GUI bug and TAC is looking into it.

 

xsilver_FTNT

Hi,

Sorry, I assumed, wrongly, that when you converted the HW unit to a VM unit (and got a new serial number for that VM unit), someone from Fortinet support (who made the conversion) also handled the tokens. Mobile tokens are bound to a license, and a license is always bound to the serial number of the unit where it was activated. Other units are unable to use the same license. And that applies also to FortiToken Mobile. During any change like token assignment, the FAC/FGT unit tells FortiGuard (that directregistration server) that a certain token was assigned and someone will come from a mobile device to pick it up. The operation is protected by that activation code, and the unit which is trying to place such info on FortiGuard needs to be authorized to manipulate the mentioned token, and that is validated via the license check process.

As your VM did not have the license moved from the HW unit at the time, license validation was the failing part, not allowing you to manipulate those tokens.

 

The LDAP is another story and I believe TAC engineers will handle that.

 

PS: unit conversion is not a usual process.

 

PS/2: There was a FortiToken self-reset possibility on the support site, primarily focused on RMA cases. And I'm not sure if it was for Mobile tokens as well, because the license reassignment is something not even TAC can do on their own.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

jabuhadba

Please can you tell me how TAC converted your config to FACVM.  I opened a ticket and the support guy told me this is unsupported and out of scope.  I need to pass from a VM to a 1000D appliance.

 

seadave

I had to provide a backup of my configuration.  They modified it to work with the new serial number and I then had to reload it.  We went from a FAC200D to VM.  Not sure if you are saying you want to migrate from a 1000D to a VM or the other way around.  It may be the fact that it is only possible to convert from physical to virtual.

 

If you are moving from physical to virtual, make sure you have a full backup and snapshot of your VM before loading to ensure you can revert if something goes wrong.

 

You can have support review Ticket Number: 2784781  Here is what we did:

 

1. Backup hardware config, have Fortinet Convert.

2. Build new VM and boot.  You do not need to have it on the same IP as the config will restore the IP you are using on your hardware (if not, you may need to manually update after restoring, use VM Console to do so).

3. Power down your Physical FAC.

4. Use the converted config file to restore to the FACVM.  Make sure you have purchased a FACVM Base and User license to support the same number of users.  FACVM Base + User License (https://www.avfirewalls.com/FortiAuthenticator-Virtual-Appliance.asp)

5. Use the new serial number of the FACVM to generate a license file and register it and your user licenses with Fortinet Support.

6. Download the generated license file and apply it to your FAC VM.

 

I was specifically worried that doing it this way would truncate my FTKMobile codes but it didn't.  They all converted fine.
