ekrishnan
Staff
Article Id 270170
Description This article describes a common issue where peer devices are unable to SSH to the FortiGate after upgrading it from 6.4.x to 7.0.x or higher.
Scope FortiGate, FortiSwitch.
Solution

Sometimes, a peer device such as a switch or a router is unable to SSH to the FortiGate after the firmware is upgraded from 6.4.x to 7.0.x or higher.

The error on the peer device is as follows:

%SSH-3-NO_MATCH: No matching kex algorithm found: client diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 server diffie-hellman-group-exchange-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521


The error lists the key exchange (kex) algorithms each side offered:

  • client: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
  • server: diffie-hellman-group-exchange-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521

In this example, the FortiGate is the SSH server. The client only offers SHA1-based algorithms and the server only offers SHA-256 and elliptic-curve ones, so the two lists have no algorithm in common and the negotiation fails.

This occurs because strong encryption (strong-crypto) is enabled on the FortiGate after the upgrade, which removes the SHA1-based kex algorithms from the server's offer.

To resolve this issue, follow the steps below.

On the FortiGate, run the following configuration:

config system global
    set strong-crypto disable
end

After completing the above, enable SHA1. The following configuration makes the FortiGate offer the kex algorithms the client uses:

config system global
    set ssh-kex-algo diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1
end

This is necessary because the switch or router only offers SHA1-based key exchange algorithms, while the FortiGate, after the upgrade, no longer accepts SHA1.

To fix this, either update the SSH key exchange settings on the peer to one of the stronger (SHA-256 or elliptic-curve) algorithms the FortiGate offers, or re-enable SHA1 on the FortiGate as shown above.

Using strong encryption is recommended; if SHA1 has to be re-enabled, configure it carefully.
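As an added example that is not part of the original article, the following Python snippet parses the NO_MATCH line quoted above, applies the RFC 4253 rule for choosing a kex algorithm (the client's first preference that the server also offers), flags peers that only offer SHA1-based kex, and shows which algorithm the article's `set ssh-kex-algo` change would let the handshake settle on. The log line and the algorithm lists are taken from the article; the function names and the diagnosis dictionary are constructed for this example.

```python
from __future__ import annotations
import re
from typing import Optional

# Sample input: the syslog line quoted in the article (constructed copy).
SAMPLE_LOG = (
    "%SSH-3-NO_MATCH: No matching kex algorithm found: client "
    "diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 server "
    "diffie-hellman-group-exchange-sha256,curve25519-sha256@libssh.org,"
    "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521"
)

# Kex list the article's 'set ssh-kex-algo ...' command configures on the FortiGate.
ARTICLE_FIX_KEX = ["diffie-hellman-group14-sha1", "diffie-hellman-group-exchange-sha1"]

LOG_RE = re.compile(r"No matching kex algorithm found: client (\S+) server (\S+)")

def parse_no_match(line: str) -> tuple[list[str], list[str]]:
    """Split the NO_MATCH line into the client and server kex name-lists."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not an SSH kex NO_MATCH log line")
    return m.group(1).split(","), m.group(2).split(",")

def negotiate_kex(client: list[str], server: list[str]) -> Optional[str]:
    """RFC 4253 s7.1: pick the client's first preference that the server also offers."""
    offered = set(server)
    for algo in client:
        if algo in offered:
            return algo
    return None  # no common algorithm: the peer logs NO_MATCH and disconnects

def sha1_kex(names: list[str]) -> list[str]:
    """Return the SHA1-based kex names, the ones strong-crypto drops from the offer."""
    return [n for n in names if n.endswith("-sha1")]

def diagnose(line: str) -> dict:
    """Explain a NO_MATCH line: why it failed and what the article's fix would negotiate."""
    client, server = parse_no_match(line)
    return {
        "negotiated": negotiate_kex(client, server),
        # True when the peer offers nothing but SHA1 kex, i.e. the peer needs updating
        # or the FortiGate must re-enable SHA1 as the article describes.
        "client_sha1_only": len(sha1_kex(client)) == len(client),
        "after_fortigate_fix": negotiate_kex(client, ARTICLE_FIX_KEX),
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```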