Troubleshooting Tip: Scheduled remote backup does not generate on SFTP server after FortiMail upgrade
| Description | This article describes an SFTP scheduled remote backup failure after FortiMail upgrade to v7.2.5, v7.4.2, and higher. |
| Scope | FortiMail v7.2.5, v7.4.2, and higher. |
| Solution | As of FortiMail v7.2.5GA and 7.4.2GA, 'ssh-rsa' is removed from the 'strong-crypto' list for sshd. If FortiMail and the SFTP server were using 'ssh-rsa' to establish an SSH tunnel, the SFTP scheduled remote backup will fail after FortiMail is upgraded to v7.2.5GA or 7.4.2GA.
As a workaround, disable the 'strong-crypto' option, which enables 'ssh-rsa':
config global
    set strong-crypto disable
end
Enabling 'strong-crypto' can disable some Key Exchange Algorithms (KexAlgorithms), potentially causing SFTP connection failures. Capture a PCAP file to verify the keys exchanged between the SSH/SFTP client and server:
===== SSH1 ======
# prepare a packet sniffer:
diagnose sniffer packet any "x.x.x.x" 6 0 a    # <----- x.x.x.x is the address of the SFTP server.
===== SSH2 ======
# trigger a remote backup:
execute backup full-config scp data/backup/fortimail/FML_SN/test_fml.conf x.x.x.x username password
Use the captured PCAP file to identify the Key Exchange Algorithm negotiated by the client, and add it to the SFTP server’s list of supported KexAlgorithms. |
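The comparison described above can be scripted once the two SSH_MSG_KEXINIT payloads (from the message type byte onward) are exported from the capture. This is an added example, not Fortinet code: it parses the name-lists per RFC 4253 and reports the first client preference the server also offers. The function names and the sample algorithm lists are constructed for illustration and are not FortiMail's actual offer.

```python
import struct

# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1)
FIELDS = ["kex_algorithms", "server_host_key_algorithms",
          "encryption_c2s", "encryption_s2c", "mac_c2s", "mac_s2c",
          "compression_c2s", "compression_s2c", "languages_c2s", "languages_s2c"]
SSH_MSG_KEXINIT = 20

def parse_kexinit(payload: bytes) -> dict:
    """Parse a KEXINIT payload into {field name: [algorithm, ...]}."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset, lists = 17, {}  # skip 1-byte type and 16-byte cookie
    for name in FIELDS:
        if offset + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        if offset + length > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[offset:offset + length].decode("ascii")
        lists[name] = raw.split(",") if raw else []
        offset += length
    return lists

def negotiate(client: list, server: list):
    # Simplified RFC 4253 rule: first client preference the server offers.
    return next((alg for alg in client if alg in server), None)

def build_kexinit(kex: list, hostkey: list) -> bytes:
    """Build a constructed payload for the demo (remaining lists empty)."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for names in [kex, hostkey] + [[]] * 8:
        data = ",".join(names).encode("ascii")
        body += struct.pack(">I", len(data)) + data
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

# Constructed sample: a client without 'ssh-rsa' against a legacy SFTP server.
CLIENT = build_kexinit(["curve25519-sha256", "diffie-hellman-group14-sha256"],
                       ["rsa-sha2-512", "rsa-sha2-256"])
SERVER = build_kexinit(["diffie-hellman-group14-sha1"], ["ssh-rsa"])

def diagnose(client_payload: bytes, server_payload: bytes) -> dict:
    """Return the agreed kex and host key algorithm, None where none is shared."""
    c, s = parse_kexinit(client_payload), parse_kexinit(server_payload)
    return {f: negotiate(c[f], s[f]) for f in FIELDS[:2]}

if __name__ == "__main__":
    print(diagnose(CLIENT, SERVER))
```

A `None` for a field means the two sides share no algorithm in that list, which is the entry to add on the SFTP server.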
