Here's a major FACVM Gotcha to watch out for.

Author
seadave
Gold Member
  • Total Posts : 283
  • Scores: 30
  • Reward points: 0
  • Joined: 2004/11/03 18:02:09
  • Location: Seattle, WA
  • Status: offline
2018/07/09 20:47:26 (permalink)

Here's a major FACVM Gotcha to watch out for.

http://kb.fortinet.com/kb/documentLink.do?externalID=FD34405
 
We had a FAC200D, and the TAC converted our config to load on a FACVM.  Not one said, "Hey don't let the FACVM communicate outbound before you re-load your converted config...".
 
So we have 12 tokens now that we can't provision.  I've spent a good part of my day researching what I thought to be an LDAP error before finding the above link.
#1

7 Replies

    seadave
    Re: Here's a major FACVM Gotcha to watch out for. 2018/07/09 20:50:36 (permalink)
    Look for these log errors:
     
    System 30909 FTM provision error: server returned error: "No valid tokens found(17)" admin
    System 30909 FTM provision error: invalid server response: some requested token not properly answered: FTKMOB#####...
    #2
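The two log lines quoted above are the only symptom an admin sees before finding the KB article. The following script is an added example (not from the post, not Fortinet code) that parses exported FortiAuthenticator log lines of that shape, pulls out the "FTM provision error" entries, and separates the error reason, the numeric code in parentheses and any FTKMOB token serial so a burst of them after a migration is easy to spot. The sample log text is constructed: the first two lines copy the post's errors (the `FTKMOB#####...` serial is the post's own placeholder) and the third is a made-up benign entry with a placeholder log id; the `System <id> <message>` layout is assumed from the post.

```python
import re
from collections import Counter

# Constructed sample excerpt: lines 1-2 mirror the errors quoted in the post,
# line 3 is a made-up benign entry with a placeholder log id (00000).
SAMPLE_LOG = """\
System 30909 FTM provision error: server returned error: "No valid tokens found(17)" admin
System 30909 FTM provision error: invalid server response: some requested token not properly answered: FTKMOB#####...
System 00000 constructed benign entry admin
"""

# Assumed line shape from the post: <category> <log id> <free-text message>
LINE_RE = re.compile(r"^(?P<category>\w+)\s+(?P<logid>\d+)\s+(?P<message>.*)$")
PROVISION_RE = re.compile(r"FTM provision error:\s*(?P<detail>.+)$")
CODE_RE = re.compile(r"\((?P<code>\d+)\)")        # e.g. "(17)" inside the quoted text
SERIAL_RE = re.compile(r"FTKMOB\S+")               # FortiToken Mobile serial prefix


def parse_line(line: str):
    """Split one exported log line into category, log id and message.
    Returns None for lines that do not match the expected shape."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def extract_provision_error(message: str):
    """Return structured fields for an FTM provision error message, or None."""
    m = PROVISION_RE.search(message)
    if not m:
        return None
    detail = m.group("detail")
    code = CODE_RE.search(detail)
    serial = SERIAL_RE.search(detail)
    return {
        # first clause before the colon, e.g. "server returned error"
        "reason": detail.split(":")[0].strip(),
        "code": code.group("code") if code else None,
        "serial": serial.group(0) if serial else None,
        "detail": detail,
    }


def find_provision_errors(log_text: str):
    """Scan a log export and return every FTM provision error as a dict."""
    errors = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        err = extract_provision_error(rec["message"])
        if err is not None:
            err["logid"] = rec["logid"]
            errors.append(err)
    return errors


def summarize(errors):
    """Count provision errors by reason; a sudden cluster after a HW-to-VM
    move is the signal that the token license/serial binding is off."""
    return dict(Counter(e["reason"] for e in errors))


if __name__ == "__main__":
    found = find_provision_errors(SAMPLE_LOG)
    for e in found:
        print(e["logid"], e["reason"], "code=%s" % e["code"], "serial=%s" % e["serial"])
    print(summarize(found))
```

Run it against a log export (or paste the raw log view) and compare the count per reason before and after the migration; both reasons appearing together for every free token, with only the unassigned pool failing, is the pattern the rest of this thread ends up attributing to the serial-number mismatch rather than to LDAP.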
    xsilver_FTNT
    Expert Member
    • Total Posts : 362
    • Scores: 61
    • Reward points: 0
    • Joined: 2015/02/02 03:22:58
    • Status: offline
    Re: Here's a major FACVM Gotcha to watch out for. 2018/07/10 00:36:41 (permalink)
    Hi,
    as the issue is caused by two trial tokens, then when you are in the situation with errors .. how about simply deleting those two trial tokens? Those associated with the FACVM0000 SN should stop causing any issue. And if you count with those two tokens then you should be able to click 'Create New' and select the check box "Get FortiToken Mobile free trial tokens" to get two trial tokens associated/issued now for your FAC VM SN?
     
    Kind regards,
    Tomas
    #3
    seadave
    Re: Here's a major FACVM Gotcha to watch out for. 2018/07/10 07:37:24 (permalink)
    Tomas-
     
    Not sure I understand.  I have a list of 12 available tokens out of our pool of 200.  The other 188 are active.  If I try to provision a new user none of the 12 will work.  So during the migration from our FAC200D to FACVM, apparently because the FACVM was able to communicate with directregistration.fortinet.com BEFORE I downloaded and applied my FACVM license, those FREE FTMs were invalidated.  Why one is not able to re-register or reset the FTMs is beyond me and a major inconvenience.
    #4
    seadave
    Re: Here's a major FACVM Gotcha to watch out for. 2018/07/10 07:56:09 (permalink)
    BTW, there is NO warning regarding this in the latest (5.3) FortiAuthenticator documentation.  This should be in the release notes AND it should be noted prominently prior to the VM install section.
     
    #5
    seadave
    Re: Here's a major FACVM Gotcha to watch out for. 2018/07/10 09:17:02 (permalink)
    I just talked to my other Admin and there is another wrinkle.  Apparently after our upgrade the FAC did work for a few days.  I just tried several of our remaining tokens again and the 12 unassigned tokens don't work.
     
    As a work around, we are enabling new users via email token which does work as their MFA.  Of course this isn't desirable if an email account is compromised, but is a good temporary fix.
     
    Edit: I now suspect this was due to some sort of grace period before the FACVM vs the FTM assigned serial mismatch made them invalid.
    post edited by seadave - 2018/07/10 18:29:03
    #6
    seadave
    Re: Here's a major FACVM Gotcha to watch out for. 2018/07/10 18:25:22 (permalink)
    So the resolution was that Tech Support had to re-assign my FTMs to my new FACVM serial number.  This can only be done by customer service.  There was some trepidation that this would kill all of our FTMs (nearly 200 issued), but it does not appear to have done so.  Once they did that, the free tokens became assignable and things started working again.
     
    Another issue we discovered is the LDAP Browse for Remote LDAP servers definition DOES NOT WORK in 5.1.2, 5.2.2 and 5.3.1.  If you press it, it will indicate "failed query due to invalid credentials".  We wasted a lot of time on this until realizing it will NEVER work.  We have remote sync rules set up, and those DO allow you to browse the LDAP/AD directory, so the Remote LDAP server definition is correct.  If we put a known bad password in this setting it broke the ability to browse in both locations.  Entering a proper password allows one to browse Remote Sync Rule definition OUs, but not for the LDAP server definition.  It appears to be a GUI bug and TAC is looking into it.
     
    #7
    xsilver_FTNT
    Re: Here's a major FACVM Gotcha to watch out for. 2018/07/10 22:53:04 (permalink)
    Hi,
    sorry, I assumed, wrongly, that when you had converted the HW to a VM unit (and got a new serial number for that VM unit), someone from Fortinet support (who made the conversion) also handled the tokens. Mobile tokens are bound to a license, and a license is always bound to the serial number of the unit where it was activated. Other units are unable to use the same license. And that applies also to FortiToken Mobile. During any change like token assignment, the FAC/FGT unit tells FortiGuard (that directregistration server) that a certain token was assigned and someone will come from a mobile device to pick it up. The operation is protected by that activation code, and the unit which is trying to place such info on FortiGuard needs to be authorized to manipulate the mentioned token, and that is validated via the license check process.
    As your VM did not have the license moved from the HW unit at the time, license validation was the failing part, not allowing you to manipulate those tokens.
     
    The LDAP is another story and I believe TAC engineers will handle that.
     
    PS: unit conversion is not a usual process.
     
    PS/2: There was a FortiToken self-reset possibility on the support site, primarily focused on RMA cases. And I'm not sure if it was for Mobile tokens as well, because the license reassignment is something not even TAC can do on their own.

    Kind Regards,
    Tomas
    #8