Failed to retrieve FortiToken Cloud status

This article describes steps to take when the error ‘Failed to retrieve FortiToken Cloud status’ appears in the FortiGate GUI.

This error may show when assigning a FortiToken Cloud to a user from the FortiGate GUI.

Scope

FortiOS.

Solution

  • Ensure that the management VDOM has connectivity to the FortiGuard servers. A red banner on the GUI dashboard reading ‘Unable to connect to FortiGuard server’ indicates a connectivity problem; if it appears, refer to Troubleshooting Tip: Unable to connect to FortiGuard servers.

  • Check the DNS settings so that at least one of the two configured DNS servers is a public DNS server. Note that the pre-populated servers 96.45.45.45 and 96.45.46.46 only work with the DoT and DoH protocols, so any other public DNS server IP can be used instead if required.

  • Alternatively, change the DNS protocol from DoT to cleartext in the global DNS settings on the FortiGate:

config system dns
    set protocol cleartext
end


  • Make sure the minimum TLS version is set to 1.2, since FortiToken Cloud does not support TLS v1.3 yet:

config system global
    set ssl-min-proto-ver TLSv1-2
end


  • Check the FortiToken Cloud service and server status by executing the following commands:

diagnose fortitoken-cloud show service

diagnose fortitoken-cloud server


If the output shows the server IP with port 8686, the firewall is connected to the FortiToken Cloud server.

  • Check the DNS settings on the FortiGate and connectivity to the FortiCloud FQDN:

execute ping logctrl1.fortinet.com
PING logctrl1.fortinet.com (154.52.17.92): 56 data bytes
64 bytes from 154.52.17.92: icmp_seq=0 ttl=55 time=59.1 ms

  • If DNS resolves the name without issue, connectivity is confirmed; the next step is to check the output of the following commands:

diagnose test application forticldd 1

diagnose test application forticldd 3

In the non-working scenario, the output looks like the following, with the account information missing:

diagnose test application forticldd 1
System=FGT Platform=FG4H0F
Connection vdom: root, id=0, ha=primary.
acct_id=
acct_st=Logged Out <– This should have the FortiCloud account information.

FortiGuard interface selection: method=auto specify=FortiGuard log: status=disabled, full=overwrite, ssl_opt=1, source-ip=0.0.0.0

If the account information is not shown, try to re-connect the cloud account:

execute fortiguard-log login <email> <password> <domain>  <– Domain can be Global/US/Europe.

In the working scenario, the output looks similar to the following:

diagnose test application forticldd 1
System=FGT Platform=Fortigate_Model
Management vdom: root, id=0,  ha=master.
acct_id=User_ID@company_id.com
acct_st=OK <– For a working scenario it will show the account information.
FortiGuard log: status=enabled, full=overwrite, ssl_opt=3, source-ip=0.0.0.0
Centra Management: type=FGD, flags=000000bf.
active-tasks=0

diagnose test application forticldd 3
Debug zone info:
Domain:GLOBAL
Home log server: 173.243.132.171:514
Alt log server: 173.243.132.132:514
Active Server IP: 173.243.132.132
Active Server status: unknown
Log quota: 3145728MB
Log used: 0MB
Daily volume: 20480MB
fams archive pause: 0
APTContract : 0
APT server: 0.0.0.0:0
APT Altserver: 0.0.0.0:0
Active APTServer IP: 0.0.0.0
Active APTServer status: unknown

Once the account information is shown, the FortiGate should be able to connect to FortiCloud without issues and retrieve the tokens from the Cloud account.
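As an added example, not part of this article or of FortiOS, the following Python script applies the two checks described above (acct_id populated, acct_st equal to OK) to captured output of `diagnose test application forticldd 1`, for instance text saved from an SSH session. The sample outputs are constructed from the two scenarios shown in this article, with the inline annotations removed.

```python
import re

# Sample outputs constructed from the two `diagnose test application forticldd 1`
# scenarios shown in this article (annotations removed); not captured from a live unit.
NON_WORKING_OUTPUT = """\
System=FGT Platform=FG4H0F
Connection vdom: root, id=0, ha=primary.
acct_id=
acct_st=Logged Out
FortiGuard interface selection: method=auto specify=FortiGuard log: status=disabled, full=overwrite, ssl_opt=1, source-ip=0.0.0.0
"""

WORKING_OUTPUT = """\
System=FGT Platform=Fortigate_Model
Management vdom: root, id=0,  ha=master.
acct_id=User_ID@company_id.com
acct_st=OK
FortiGuard log: status=enabled, full=overwrite, ssl_opt=3, source-ip=0.0.0.0
active-tasks=0
"""

ACCT_FIELD = re.compile(r"^(acct_id|acct_st)=(.*)$")


def parse_forticldd_status(output: str) -> dict:
    """Pull acct_id and acct_st out of `diagnose test application forticldd 1` output."""
    fields = {}
    for line in output.splitlines():
        m = ACCT_FIELD.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def forticloud_login_problems(output: str) -> list:
    """Apply the article's criteria: acct_id populated and acct_st equal to OK.
    Returns a list of findings; an empty list means the FortiCloud login looks healthy."""
    fields = parse_forticldd_status(output)
    problems = []
    if not fields.get("acct_id"):
        problems.append("acct_id is empty: no FortiCloud account information is present")
    if fields.get("acct_st") != "OK":
        state = fields.get("acct_st", "<missing>")
        problems.append(f"acct_st is '{state}', expected 'OK': re-run "
                        "'execute fortiguard-log login <email> <password> <domain>'")
    return problems


if __name__ == "__main__":
    for name, text in (("non-working", NON_WORKING_OUTPUT), ("working", WORKING_OUTPUT)):
        print(name, forticloud_login_problems(text) or "OK")
```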