With iPhones, the usage count can be shown on the phone by a sustained touch on the token pass-code. The usage count recorded in Defender can be seen in the token details in the Defender tab for the user device. It is labelled 'Sync Counter'. The counter on the device is not allowed to be lower than the counter in Defender. It is a protection against old pass-codes being used/reused.
In addition to the above, below are additional known reasons why a time based token like 3DES could fail.
1. Wrong time zone on phone (so wrong UTC time)
2. Wrong time zone on one DSS
3. Incorrect time on phone (more than 10 minutes out)
4. Multiple tokens on phone and using wrong one (I did this myself in testing by mistake)
5. Usage counter on phone lower than on DSS (token previously used on another phone)