FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
Hatibi
Staff & Editor
Article Id 415172
Description This article describes how to solve issues where a server's SSH key fingerprint has changed and is preventing the High Availability configuration from being applied.
Scope FortiNAC-F v7.6 and greater.
Solution

When the FortiNAC secondary server has been redeployed or has regenerated its SSH host keys, the primary still holds the secondary's previous host key in its known_hosts file. Because the HA connection uses strict host key checking, the mismatch is rejected and the following error is reported:

High Availability Configuration FAILURE
17:44:29 08/05/2025   @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
17:44:29 08/05/2025   @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
17:44:29 08/05/2025   @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
17:44:29 08/05/2025   IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
17:44:29 08/05/2025   Someone could be eavesdropping on you right now (man-in-the-middle attack)!
17:44:29 08/05/2025   It is also possible that a host key has just been changed.
17:44:29 08/05/2025   The fingerprint for the ED25519 key sent by the remote host is
17:44:29 08/05/2025   SHA256:XXXX/XXX/XXXXXX/XXXXX.
17:44:29 08/05/2025   Please contact your system administrator.
17:44:29 08/05/2025   Add correct host key in /home/root/.ssh/known_hosts to get rid of this message.
17:44:29 08/05/2025   Offending ED25519 key in /home/root/.ssh/known_hosts:9
17:44:29 08/05/2025   Host key for 10.10.10.5 has changed and you have requested strict checking.
17:44:29 08/05/2025   Host key verification failed.
17:44:29 08/05/2025   SSH key verification failed from 10.10.10.6 to 10.10.10.5. Verify that the SSH key for 10.10.10.6 is configured on 10.10.10.5.

A similar error appears in the GUI when the HA configuration is applied.

In this example the primary is 10.10.10.6 and the secondary is 10.10.10.5. Note that this warning is exactly what a man-in-the-middle attack between the two servers would also look like. Before removing the cached key, confirm out of band (for example, from the secondary's console) that the secondary really was redeployed or regenerated its host keys, and where possible compare the SHA256 fingerprint printed in the error with the fingerprint of the secondary's current ED25519 host key. Do not remove the entry only to make the error go away.

First, list the host keys that the primary currently trusts, from the Primary CLI:

naclab1  # execute ssh-known-hosts show ha
.
.
naclab2,naclab2.forti.lab,10.10.10.5 ssh-rsa XXXXXXX
naclab2,naclab2.forti.lab,10.10.10.5 ecdsa-sha2-nistp256 XXXXXXX
naclab2,naclab2.forti.lab,10.10.10.5 ssh-ed25519 XXXXXXX root@fortinac
.
.

The secondary is stored under its host name, FQDN and IP address, with one line per host key type (RSA, ECDSA and ED25519). Remove all of the known host entries for 10.10.10.5 (secondary) from the Primary CLI:

naclab1  # execute ssh-known-hosts remove-host ha 10.10.10.5
# Host 10.10.10.5 found: line 7
# Host 10.10.10.5 found: line 8
# Host 10.10.10.5 found: line 9

The three line numbers correspond to the three key lines shown above; line 9 is the ED25519 entry that the error message reported as the offending key (known_hosts:9).

After this step, submit the HA configuration again through the GUI. The primary reconnects to the secondary, records the secondary's new host keys, and establishes High Availability. Afterwards, run execute ssh-known-hosts show ha again and confirm that fresh entries for 10.10.10.5 are present and that the stored ED25519 key is the one the secondary actually presents.
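As an added example (not FortiNAC code, and not part of the original article), the following Python script performs, on a plain OpenSSH known_hosts file, the same operations the two CLI commands above perform on the primary's HA key store, and adds the check a practitioner would want before trusting the new key: it lists the entries for a host by any of its names or its IP (as execute ssh-known-hosts show ha and ssh-keygen -F do), removes them (as remove-host and ssh-keygen -R do), computes the SHA256 fingerprint in the form the error message prints it, and verifies that the key recorded for the secondary matches a fingerprint obtained out of band. The known_hosts content, host names (mirroring the article's naclab2 example) and key blobs are constructed inline; the key bytes are deterministic filler, not real keys.

```python
import base64
import hashlib
import struct
from typing import List, Tuple


def ssh_wire_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def fake_public_key(key_type: str, seed: int) -> str:
    """Constructed base64 public-key blob with valid framing. The key material
    is filler, NOT a real key pair; it only needs to parse and hash like one."""
    if key_type == "ssh-ed25519":
        body = ssh_wire_string(bytes([seed]) * 32)
    elif key_type == "ecdsa-sha2-nistp256":
        body = ssh_wire_string(b"nistp256") + ssh_wire_string(b"\x04" + bytes([seed]) * 64)
    elif key_type == "ssh-rsa":
        body = ssh_wire_string(b"\x01\x00\x01") + ssh_wire_string(b"\x00" + bytes([seed]) * 256)
    else:
        raise ValueError(key_type)
    return base64.b64encode(ssh_wire_string(key_type.encode()) + body).decode()


# Constructed known_hosts content: six unrelated hosts on lines 1-6, then the
# secondary's three key lines on 7-9, matching the "found: line 7/8/9" output.
SECONDARY = "naclab2,naclab2.forti.lab,10.10.10.5"
OTHER_LINES = [
    f"host{i},10.10.10.{100 + i} ssh-ed25519 {fake_public_key('ssh-ed25519', i)}"
    for i in range(1, 7)
]
KNOWN_HOSTS = "\n".join(OTHER_LINES + [
    f"{SECONDARY} ssh-rsa {fake_public_key('ssh-rsa', 7)}",
    f"{SECONDARY} ecdsa-sha2-nistp256 {fake_public_key('ecdsa-sha2-nistp256', 8)}",
    f"{SECONDARY} ssh-ed25519 {fake_public_key('ssh-ed25519', 9)} root@fortinac",
]) + "\n"


def parse_known_hosts(text: str) -> List[Tuple[int, List[str], str, str]]:
    """Return (line_no, host names, key type, base64 key) for every key line.
    Blank lines and comments are skipped. Hashed entries (|1|...) cannot be
    matched by plain name and are skipped too; the HA store shows plain names."""
    entries = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped.startswith("|1|"):
            continue
        fields = stripped.split()
        if fields[0].startswith("@"):  # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3:
            continue
        entries.append((line_no, fields[0].split(","), fields[1], fields[2]))
    return entries


def find_host(text: str, host: str) -> List[int]:
    """Line numbers whose host list contains `host` (the ssh-keygen -F view)."""
    return [n for n, hosts, _, _ in parse_known_hosts(text) if host in hosts]


def remove_host(text: str, host: str) -> str:
    """Drop every key line for `host` and keep everything else (ssh-keygen -R)."""
    doomed = set(find_host(text, host))
    kept = [l for n, l in enumerate(text.splitlines(), start=1) if n not in doomed]
    return "\n".join(kept) + "\n"


def fingerprint(key_b64: str) -> str:
    """OpenSSH SHA256 fingerprint: base64(sha256(raw blob)) with '=' padding removed."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def recorded_key_matches(text: str, host: str, key_type: str, expected_fp: str) -> bool:
    """True only if `host` has exactly one `key_type` entry and its fingerprint
    equals the one obtained out of band from the secondary's console."""
    keys = [k for _, hosts, t, k in parse_known_hosts(text) if host in hosts and t == key_type]
    return len(keys) == 1 and fingerprint(keys[0]) == expected_fp


if __name__ == "__main__":
    print("entries for 10.10.10.5 before:", find_host(KNOWN_HOSTS, "10.10.10.5"))
    cleaned = remove_host(KNOWN_HOSTS, "10.10.10.5")
    print("entries for 10.10.10.5 after: ", find_host(cleaned, "10.10.10.5"))
    ed_key = parse_known_hosts(KNOWN_HOSTS)[8][3]
    print("ED25519 fingerprint on line 9:", fingerprint(ed_key))
```

Matching on every comma-separated name matters: the HA store keys the secondary under its short name, FQDN and IP on one line, so removing "10.10.10.5" must also drop the naclab2 aliases, otherwise the stale key stays reachable under another name and the warning returns on the next connection.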

 

Related document:

High Availability (FortiNAC-OS)