FortiGate
xiaoj (Staff)
Article Id 273990
Description: This article describes how to configure the SSH key exchange method to resolve an error stating that no matching key exchange was found.
Scope: FortiGate.
Solution

To diagnose SSH key exchange issues on FortiGate, enable the sshd application debug with the following commands:

diagnose debug console timestamp enable
diagnose debug application sshd -1
diagnose debug enable

(screenshot: ssh.png)

The following errors appear in the debug output when the SSH client and FortiGate have no key exchange algorithm in common:

2024-10-25 10:39:39 SSH: Forked child 22343.
2024-10-25 10:39:39 SSH: Client protocol version 2.0; client software version SecureBlackbox
2024-10-25 10:39:39 SSH: no match: SecureBlackbox
...
2024-10-25 10:39:39 SSH: expecting SSH2_MSG_NEWKEYS
2024-10-25 10:39:39 SSH: Connection closed by 10.104.252.56

Note:

  • no match: SecureBlackbox: Indicates that the SSH client (in this case, SecureBlackbox) is using unsupported key exchange or encryption algorithms.
  • Connection closed: The session is terminated because the key exchange negotiation failed.

Set the key exchange algorithm on FortiGate to one that the other side supports:

config system global
    set strong-crypto {enable | disable}
    set ssh-kex-algo <algo_1> [<algo_2> ... <algo_n>]
end

For v7.4.4 and later, the ssh-kex-algo setting has moved from config system global to config system ssh-config:

(screenshot: sample.PNG)

The available algorithms depend on the strong-crypto setting.

With strong-crypto enabled, ssh-kex-algo can be set to:

  • diffie-hellman-group14-sha256
  • diffie-hellman-group16-sha512
  • diffie-hellman-group18-sha512
  • diffie-hellman-group-exchange-sha256
  • curve25519-sha256@libssh.org
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521


With strong-crypto disabled, ssh-kex-algo can be set to:

  • diffie-hellman-group14-sha1
  • diffie-hellman-group14-sha256
  • diffie-hellman-group16-sha512
  • diffie-hellman-group18-sha512
  • diffie-hellman-group-exchange-sha1
  • diffie-hellman-group-exchange-sha256
  • curve25519-sha256@libssh.org
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521

Choose a key exchange method that both sides support. SSH from FortiGate to other devices should then work.
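As an added illustration, not code from the article or from Fortinet, the following Python decodes an SSH_MSG_KEXINIT payload and applies the RFC 4253 negotiation rule against the two ssh-kex-algo option sets listed above, which is the logic behind the "no match" debug line. The client KEXINIT is a constructed sample from a legacy client, and KEX_STRONG_ENABLED/KEX_STRONG_DISABLED assume the full option list is what FortiGate offers; the actual default offer of a given FortiOS build may be a subset.

```python
import struct

SSH_MSG_KEXINIT = 20  # RFC 4253 message number

# ssh-kex-algo options from the article (assumed here to be the full server offer).
KEX_STRONG_ENABLED = [
    "diffie-hellman-group14-sha256", "diffie-hellman-group16-sha512",
    "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256",
    "curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
]
KEX_STRONG_DISABLED = ["diffie-hellman-group14-sha1",
                       "diffie-hellman-group-exchange-sha1"] + KEX_STRONG_ENABLED

def _name_list(algos):
    """Encode an SSH name-list: uint32 length + comma-separated names."""
    data = ",".join(algos).encode("ascii")
    return struct.pack(">I", len(data)) + data

def parse_kexinit(payload):
    """Decode an SSH_MSG_KEXINIT payload (RFC 4253 s7.1) into its name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, out = 17, {}  # skip the message byte and the 16-byte cookie
    for field in ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s",
                  "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"):
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        names = payload[pos + 4:pos + 4 + n].decode("ascii")
        out[field] = names.split(",") if names else []
        pos += 4 + n
    out["first_kex_packet_follows"] = bool(payload[pos])
    return out

def negotiate_kex(client_kex, server_kex):
    """RFC 4253 rule: first client-preferred algorithm the server also lists."""
    return next((a for a in client_kex if a in server_kex), None)

def kex_to_enable(client_kex, strong_crypto):
    """Client algorithms that ssh-kex-algo could enable under this setting."""
    allowed = KEX_STRONG_ENABLED if strong_crypto else KEX_STRONG_DISABLED
    return [a for a in client_kex if a in allowed]

# Constructed sample KEXINIT from a legacy client that offers only SHA-1 KEX methods.
LEGACY_CLIENT_KEXINIT = (
    bytes([SSH_MSG_KEXINIT]) + bytes(16)  # message byte + zero cookie (sample only)
    + _name_list(["diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1"])
    + _name_list(["ssh-rsa"]) + _name_list(["aes128-ctr"]) * 2
    + _name_list(["hmac-sha1"]) * 2 + _name_list(["none"]) * 2 + _name_list([]) * 2
    + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows = FALSE, reserved
)
```

For the constructed legacy client, negotiate_kex returns None against KEX_STRONG_ENABLED (the "no match" case) and diffie-hellman-group-exchange-sha1 against KEX_STRONG_DISABLED. kex_to_enable shows that only SHA-1 methods could be enabled for that client, so updating the client is preferable to disabling strong-crypto.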


Related article:
Troubleshooting Tip: SSH error 'No matching host key type found' without any offer.