Help
FortiManager
FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
tnesh
Staff
Staff

Created on ‎04-07-2023 02:38 AM Edited on ‎04-07-2023 04:40 AM By Community Manager

Article Id 251623

Troubleshooting Tip: Corrupted MAC on input error for SCP connection

Description This article describes how to troubleshoot the 'Corrupted MAC on input' error for the SCP connection.
Scope

- FortiManager/FortiAnalyzer.

- RHEL-OS (Red Hat Enterprise Linux) will be used for the SCP server as an example.
Solution

Getting 'Corrupted MAC' error message:

1) When facing the SCP connection issue, run the below debug command in CLI:

 

# diag debug reset

# diag debug application ssh 255

# diag debug enable

 

Establish SCP connection from FortiManager/FortiAnalyzer.

Example:

 

# exe fmupdate scp import license <type> <filename> <server> <port> <directory> <username> <password>

 

To disable debug output:

 

# diag debug disable

# diag debug reset

 

2) From the debug log, it shows the 'Corrupted MAC on input' error message:

 

mac-error.png

 

3) This happens when the SCP server is using incompatibility Ciphers/MACs settings.


4) From the debug log, it is possible to verify the Ciphers and MACs being used for the SCP connection. Look for 'server->client cipher' keywords.

 

cipher-mac-settings.png

 

Sample output (with error):

 

debug2:local client KEXINIT proposal <----- This is FortiManager / FortiAnalyzer proposal.
.
.
debug2:peer server KEXINIT proposal <----- This is SCP server proposal.
.
.
Below shows which kex used during the connection:
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: none

 

5) When only 'Ciphers' and no 'MACs' being configured in the SCP server, this lead to the SCP connection choosing 'MAC: umac-64-etm@openssh.com' and in-return getting 'Corrupted MAC on input' error 

 

Troubleshooting:

1) There are 3 ways to avoid getting a 'Corrupted MAC' error by making changes to the MACs and Ciphers settings in the SCP server.
For Linux environment, by default the config file is located at /etc/ssh/sshd_config

 

- Do not specify any MACs and Ciphers. Remove or comment out MACs and Ciphers configuration in sshd_config:

 

###Ciphers aes128-ctr,aes192-ctr,aes256-ctr

###MACs hmac-md5,hmac-sha1,hmac-ripemd160


- Only specify MACs in sshd_config:

 

###Ciphers aes128-ctr,aes192-ctr,aes256-ctr

MACs hmac-md5,hmac-sha1,hmac-ripemd160 <----- Avoid using umac-…


- Configure both MACs and Ciphers in sshd_config:

 

Ciphers aes128-ctr,aes192-ctr,aes256-ctr

MACs hmac-md5,hmac-sha1,hmac-ripemd160 <----- Avoid using umac-…

 

2) After making changes to the config file, restart the service in SCP server:


Example:

For RHEL # systemctl restart sshd

 

3) Establish the SCP connection again from FortiManager/FortiAnalyzer and verify the status from the debug log.
4452
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.