
Troubleshooting FortiClient VPN Error 7105: Resolving "Token Denied or Timeout" Issues


In the world of secure remote access, few things are as frustrating as a "stuck" connection. For IT professionals and remote workers using Fortinet’s ecosystem, Error 7105 is a common hurdle. Typically appearing as "Token denied or timeout," this error interrupts the SSL VPN tunnel establishment just as the user is expected to authenticate. This article breaks down why this error occurs and how to resolve it permanently.

What is FortiClient Error 7105?

Error 7105 is specifically associated with the Multi-Factor Authentication (MFA) phase of a VPN connection. It occurs when the FortiGate (the firewall acting as the VPN gateway) fails to receive a valid confirmation from the FortiToken Mobile (FTM) app or the physical token within the allotted time frame.

When a user attempts to log in, the FortiGate sends a "Push" notification or waits for a 6-digit code. If that communication loop is broken, the FortiClient console triggers the 7105 status.


Common Causes of the "Token Denied" Error

According to technical analysis from Fortinet’s Support Forums and Reddit’s networking community, the error usually stems from one of four areas:

  1. User Latency: The user simply did not tap "Approve" on their smartphone quickly enough.
  2. Firewall Connectivity: The FortiGate unit cannot reach the FortiGuard distribution servers to validate the push notification.
  3. Port Blockage: Outbound traffic on Port 443 (HTTPS) or Port 53 (DNS) is restricted, preventing the FortiGate from communicating with push.fortinet.com.
  4. Token Synchronization: The time on the FortiGate or the user’s mobile device is out of sync, causing the time-based OTP (One-Time Password) to be rejected.

Step-by-Step Solutions to Fix Error 7105

1. Verify FortiGate Cloud Connectivity

The FortiGate must be able to talk to Fortinet's Push servers. If the firewall is behind another gateway, ensure that the upstream device allows this outbound traffic.

  • Action: Run a debug command in the FortiGate CLI to check connectivity: execute ping push.fortinet.com
  • Requirement: Ensure the FortiGate can resolve this DNS name. If it cannot, the Push notification will never reach the user's phone.

2. Check the FTM Push Service Status

Sometimes the "Push" function is disabled or stuck. You can restart the process or verify the status via the CLI:

  • Command: diagnose fortitoken debug enable
  • Command: diagnose debug application fnbamd -1 (This tracks the "Fortinet Non-Blocking Authentication Daemon").

3. Adjust the Authentication Timeout

By default, the timeout for a VPN login may be too short for a user to find their phone and tap "Approve."

  • Solution: Increase the remote authentication timeout on the FortiGate:

```
config system global
    set remote-authtimeout 60
end
```

This gives the user 60 seconds to respond to the MFA prompt instead of the default 5–10 seconds.

4. Troubleshoot Port 443 and SSL Inspection

If you have "Deep Packet Inspection" enabled on the policy that allows the FortiGate to access the internet, it may be breaking the certificate chain for the FortiToken servers. Ensure that the FortiGate’s own management traffic is exempt from SSL inspection.


Technical Tip: When the Error Happens at 40% or 80%

In many user reports (including those on Experts-Exchange), the FortiClient progress bar hangs at 40% before showing Error 7105.

  • 40% Mark: Usually indicates the transition from the primary credentials (username/password) to the secondary credentials (MFA). If it fails here, the problem is almost certainly the Token communication.

Summary for Administrators

If your users are frequently hitting Error 7105:

  1. Sync Time: Ensure NTP (Network Time Protocol) is enabled on both the FortiGate and the mobile devices.
  2. Validate Licenses: Ensure the FortiToken licenses have not expired.
  3. Provisioning: If only one user is affected, try deleting and re-provisioning their FortiToken Mobile via the "User & Authentication" menu.

Frequently Asked Questions (FAQ)

Q1: Why does it say "Token Denied" even when I tap "Approve"?

This usually happens due to a time mismatch. If your phone's clock is even 30 seconds off from the FortiGate’s clock, the token generated will be considered "expired" by the firewall. Ensure both are set to "Set Time Automatically."
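Why a small clock offset is enough to get a correct code rejected, shown as an added example (not Fortinet's code): a generic RFC 6238 TOTP generator and verifier. The 30-second step, the +/-1-step tolerance and the secret (the RFC 6238 test secret) are assumptions for illustration; FortiToken's actual parameters are not given on this page.

```python
import hashlib
import hmac
import struct

STEP = 30    # assumed RFC 6238 default time step, in seconds
DIGITS = 6   # 6-digit code, as described on this page

# Constructed sample values: the RFC 6238 test secret and a fixed "server" clock
SECRET = b"12345678901234567890"
SERVER_TIME = 1111111109  # 29 s into a 30 s step (an RFC 6238 test-vector time)


def totp(secret, unix_time, step=STEP):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = int(unix_time // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret, code, server_time, drift_steps=0, step=STEP):
    """Accept code if it matches any step within +/- drift_steps of the server's."""
    for d in range(-drift_steps, drift_steps + 1):
        candidate = totp(secret, server_time + d * step, step)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def accepted_with_skew(secret, server_time, phone_skew, drift_steps=0):
    """The phone clock is phone_skew seconds off; does the server accept its code?"""
    code = totp(secret, server_time + phone_skew)
    return verify(secret, code, server_time, drift_steps)


if __name__ == "__main__":
    for skew in (0, 2, 30, 90):
        strict = accepted_with_skew(SECRET, SERVER_TIME, skew)
        lenient = accepted_with_skew(SECRET, SERVER_TIME, skew, drift_steps=1)
        print(f"phone skew {skew:+3d}s  exact-step={strict}  +/-1 step={lenient}")
```

Near a step boundary even a 2-second offset puts the phone in the next time step, so a verifier that accepts only the current step rejects a correctly generated code. Tolerating adjacent steps absorbs small drift, but larger offsets still fail, which is why NTP on both ends matters.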

Q2: Can I use the 6-digit code instead of the Push notification?

Yes. If the Push notification keeps failing with Error 7105, you can manually type the 6-digit code displayed in your FortiToken app into the FortiClient prompt. This often bypasses "Push" connectivity issues.

Q3: Which ports need to be open for FortiToken Mobile?

The FortiGate needs outbound access to push.fortinet.com on Port 443. The mobile device needs internet access (Wi-Fi or Cellular) to receive the notification from Apple (APNs) or Google (FCM) servers.

Q4: Does Error 7105 mean my password is wrong?

No. Error 7105 occurs after your username and password have been accepted. It is strictly an issue with the second factor of authentication.


For further technical assistance, users are encouraged to consult the Fortinet Community Support Forums or contact their internal IT helpdesk to verify FortiGate-to-FortiGuard connectivity.