FortiManager
tnesh
Staff & Editor
Article Id 251623
Description

This article describes how to troubleshoot the 'Corrupted MAC on input' error on SCP connections.
Scope

- FortiManager/FortiAnalyzer.

- RHEL (Red Hat Enterprise Linux) is used as the SCP server in this example.

Solution

Getting the 'Corrupted MAC' error message:

1) When facing the SCP connection issue, run the debug commands below in the CLI:

# diag debug reset
# diag debug application ssh 255
# diag debug enable

Then establish the SCP connection from FortiManager/FortiAnalyzer.

Example:

# exe fmupdate scp import license <type> <filename> <server> <port> <directory> <username> <password>

To disable the debug output afterwards:

# diag debug disable
# diag debug reset

2) The debug log shows the 'Corrupted MAC on input' error message:

mac-error.png

3) This happens when the SCP server is using incompatible Ciphers/MACs settings.


4) From the debug log it is possible to verify the Ciphers and MACs used for the SCP connection. Look for the 'server->client cipher' keyword.

cipher-mac-settings.png

Sample output (with error):

debug2: local client KEXINIT proposal <----- This is the FortiManager / FortiAnalyzer proposal.
.
.
debug2: peer server KEXINIT proposal <----- This is the SCP server proposal.
.
.
The lines below show which KEX algorithm, cipher and MAC were used for the connection:
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: none

5) When only 'Ciphers' and no 'MACs' are configured on the SCP server, the SCP connection ends up choosing 'MAC: umac-64-etm@openssh.com' and in return receives the 'Corrupted MAC on input' error.

Troubleshooting:

1) There are 3 ways to avoid the 'Corrupted MAC' error by changing the MACs and Ciphers settings on the SCP server.
On Linux, the config file is located by default at /etc/ssh/sshd_config.

- Do not specify any MACs or Ciphers. Remove or comment out the MACs and Ciphers lines in sshd_config:

###Ciphers aes128-ctr,aes192-ctr,aes256-ctr
###MACs hmac-md5,hmac-sha1,hmac-ripemd160

- Only specify MACs in sshd_config:

###Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-md5,hmac-sha1,hmac-ripemd160 <----- Avoid using umac-…

- Configure both MACs and Ciphers in sshd_config:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-md5,hmac-sha1,hmac-ripemd160 <----- Avoid using umac-…

2) After making changes to the config file, restart the SSH service on the SCP server.

Example:

For RHEL: # systemctl restart sshd

3) Establish the SCP connection again from FortiManager/FortiAnalyzer and verify the result in the debug log.
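As an added example (not part of this article and not Fortinet's own tooling), the POSIX shell script below automates the two checks the article walks through by hand: it extracts the negotiated server->client MAC from the ssh debug output shown in step 4 of the Solution, and it classifies an sshd_config into the three configurations listed in Troubleshooting step 1 (neither directive set, MACs only, both) plus the 'Ciphers only' state that step 5 links to the error. The debug lines and the sshd_config fragment it writes to a temporary file are constructed samples taken from the article's own values; it reads top-level directives only and ignores Match blocks.

```shell
#!/bin/sh
# Added example, not from the Fortinet article: check the two things the
# article says to look at, (a) which MAC the SSH key exchange negotiated and
# (b) whether sshd_config sets Ciphers, MACs, both or neither.
# Assumption: only top-level sshd_config directives are considered (Match
# blocks are ignored), and directives may use a space or '=' as separator.

# Constructed sample of the FortiManager ssh debug output from Solution step 4.
SAMPLE_DEBUG='debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: none'

# Print the MAC negotiated for one direction of the connection.
#   $1 = debug output text, $2 = "server->client" or "client->server"
negotiated_mac() {
    printf '%s\n' "$1" \
        | sed -n "s/.*kex: $2 cipher: [^ ]* MAC: \([^ ]*\).*/\1/p" \
        | head -n 1
}

# Classify the active Ciphers/MACs directives in an sshd_config file.
#   $1 = path to sshd_config; prints one of:
#   none          neither directive active (absent or commented out)
#   macs-only     MACs set, Ciphers not set
#   both          Ciphers and MACs both set
#   ciphers-only  Ciphers set but no MACs: the state the article ties to the error
sshd_mac_state() {
    has_ciphers=0
    has_macs=0
    grep -Eiq '^[[:space:]]*Ciphers[[:space:]=]' "$1" && has_ciphers=1
    grep -Eiq '^[[:space:]]*MACs[[:space:]=]' "$1" && has_macs=1
    case "$has_ciphers$has_macs" in
        00) echo none ;;
        01) echo macs-only ;;
        11) echo both ;;
        10) echo ciphers-only ;;
    esac
}

# Return 0 (true) if an active MACs line offers a umac-* algorithm,
# which the article advises against listing.
offers_umac() {
    grep -Ei '^[[:space:]]*MACs[[:space:]=]' "$1" | grep -qi 'umac-'
}

# Demo on a constructed sshd_config fragment: Ciphers set, MACs commented out,
# i.e. the misconfiguration described in Solution step 5.
demo() {
    cfg=$(mktemp)
    printf '%s\n' 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr' \
                  '###MACs hmac-md5,hmac-sha1,hmac-ripemd160' > "$cfg"
    echo "negotiated server->client MAC: $(negotiated_mac "$SAMPLE_DEBUG" 'server->client')"
    echo "sshd_config state: $(sshd_mac_state "$cfg")"
    if offers_umac "$cfg"; then echo "MACs line offers umac-*"; fi
    rm -f "$cfg"
}

demo
```

On a real server, point the functions at the file the article names (`sshd_mac_state /etc/ssh/sshd_config`) and paste the FortiManager debug output into a file or variable for `negotiated_mac`. Two caveats beyond the article: on RHEL 8 and later, system-wide crypto policies can also supply Ciphers/MACs to sshd, so the state of sshd_config alone may not be the whole picture; and hmac-md5 and hmac-sha1, which the article's sample lines list, are legacy algorithms, so when you do pin a MACs line it is worth checking that it also offers an hmac-sha2 option both sides support.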
