Description | This article describes how to troubleshoot the 'Corrupted MAC on input' error for the SCP connection. |
Scope |
- FortiManager/FortiAnalyzer.
- RHEL-OS (Red Hat Enterprise Linux) will be used for the SCP server as an example.
Solution |
Getting 'Corrupted MAC' error message:
1) When facing the SCP connection issue, run the debug commands below in the CLI:
# diag debug reset
# diag debug application ssh 255
# diag debug enable
Establish SCP connection from FortiManager/FortiAnalyzer. Example:
# exe fmupdate scp import license <type> <filename> <server> <port> <directory> <username> <password>
To disable debug output:
# diag debug disable
# diag debug reset
2) The debug log shows the 'Corrupted MAC on input' error message:
3) This happens when the SCP server is using incompatible Ciphers/MACs settings.
Sample output (with error):
debug2:local client KEXINIT proposal <----- This is FortiManager / FortiAnalyzer proposal.
5) When only 'Ciphers' and no 'MACs' are configured on the SCP server, the SCP connection chooses 'MAC: umac-64-etm@openssh.com' and in turn gets the 'Corrupted MAC on input' error.
Troubleshooting:
1) There are 3 ways to avoid getting a 'Corrupted MAC' error by making changes to the MACs and Ciphers settings on the SCP server.
- Do not specify any MACs and Ciphers. Remove or comment out MACs and Ciphers configuration in sshd_config:
###Ciphers aes128-ctr,aes192-ctr,aes256-ctr
###MACs hmac-md5,hmac-sha1,hmac-ripemd160

###Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-md5,hmac-sha1,hmac-ripemd160 <----- Avoid using umac-…

Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-md5,hmac-sha1,hmac-ripemd160 <----- Avoid using umac-…
2) After making changes to the config file, restart the service on the SCP server:
For RHEL:
# systemctl restart sshd
3) Establish the SCP connection again from FortiManager/FortiAnalyzer and verify the status from the debug log. |
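A quick pre-check for the server-side condition described above, as an added example that is not part of the original article: it classifies an sshd_config-style file as one of the layouts discussed (defaults, MACs pinned, Ciphers without MACs, or a MACs list that contains a umac- entry). The function name `audit_sshd_macs` and its result strings are hypothetical, and the sample file is constructed.

```shell
#!/bin/sh
# Added example (not Fortinet code). audit_sshd_macs is a hypothetical helper.
# It reads only the file given (Include files are not followed) and uses the
# first Ciphers/MACs value found, as sshd does. "Keyword=value" is not parsed.
audit_sshd_macs() {
    conf=$1
    [ -r "$conf" ] || { echo "unreadable"; return 2; }
    awk '
        /^[ \t]*#/ { next }                   # skip commented lines (incl. ###)
        {
            key = tolower($1)                 # sshd keywords are case-insensitive
            if (key == "ciphers" && !have_c) { have_c = 1 }
            if (key == "macs" && !have_m)    { have_m = 1; macs = $2 }
        }
        END {
            # Lists starting with +, - or ^ modify the defaults: review by hand.
            if (have_m && macs ~ /^[-+^]/) { print "macs-modify-defaults"; exit 1 }
            if (have_m && macs ~ /umac-/)  { print "macs-include-umac"; exit 1 }
            # The failing layout from this article: Ciphers set, MACs absent.
            if (have_c && !have_m)         { print "ciphers-without-macs"; exit 1 }
            if (!have_c && !have_m)        { print "defaults"; exit 0 }
            print "macs-pinned"; exit 0
        }
    ' "$conf"
}

# Constructed sample: only Ciphers configured, no MACs line.
sample=$(mktemp)
printf 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr\n' > "$sample"
audit_sshd_macs "$sample" || true    # prints: ciphers-without-macs
rm -f "$sample"
```

On the RHEL server, run it against /etc/ssh/sshd_config before restarting sshd; a non-zero status means the file matches a layout the article says to avoid or needs manual review.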
Copyright 2024 Fortinet, Inc. All Rights Reserved.