Technical Tip: FortiAuthenticator-VM: 'Unable to provision token' error

jskrivan · ‎06-26-2013

Description

This article describes when a FortiAuthenticator unit is first configured, two free FortiToken Mobile tokens are provisioned for use. These FortiToken Mobile serials are associated with the serial number of the FortiAuthenticator unit they were downloaded to.

With FortiAuthenticator-VM software, however, the initial serial number of all VMs is FAC-VM0000000000 and the serial will change on the application of a valid license. When this happens, the free tokens which were assigned to the default unlicensed serial FAC-VM0000000000 will not be able to be provisioned to a new user and will generate the error:

'Unable to provision token <Token Serial>. No valid tokens found. Your changes have been rolled back. Please try again later. Token locked.'

The logs will also display:

FTM provision error: server returned the error 'No valid tokens found (17)'.

This is a security measure to prevent a FortiAuthenticator unit from provisioning a token, which was not properly assigned to it.

Scope

FortiAuthenticator-VM.

Solution

To avoid this issue in the first place, a newly deployed FortiAuthenticator-VM instance should be initially configured without a default route and the license uploaded before the software has the opportunity to download the free FortiToken Mobile licenses. This way, when the default route is applied, the FortiAuthenticator will request the 2 free licenses with the correct serial number.

To recover after this issue has already occurred, perform a factory reset (factory-reset on the CLI), and then follow the procedure above.

Note: Restoring a previously saved configuration following a factory reset will result in the old serial numbers being applied, and therefore should not be attempted as a resolution in this case.