FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
ndumaj
Staff
Article Id 325154
Description This article describes how to rebuild FortiNAC High Availability (HA) after HA has been broken and the secondary FortiNAC HA node has been factory reset. It assumes the secondary node has already been reset for some reason and the HA rebuild now fails. Steps 1 and 2 show how this situation arises in the first place; step 3 shows the resulting error and its fix.
Scope FortiNAC-F v7.2.6, v7.4.1, v7.6.0 or greater.
Solution Steps to be followed:
  1. Break High Availability from the GUI by clearing the VIP (if one is configured) and the secondary node information:

    [Image: Break HA.png]

  2. Factory reset the secondary node. Run this command on the secondary node only; it deletes all settings and data on the node where it is executed:

execute factoryreset all-setting


  3. Rebuild High Availability. The rebuild fails and the following error is displayed:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:gUhJsXoJ4kOwa0H7O6VLygp0yh45o5nMMl85ZXPBp4o.
Please contact your system administrator.
Add correct host key in /home/root/.ssh/known_hosts to get rid of this message.
Offending ED25519 key in /home/root/.ssh/known_hosts:6
Host key for 192.168.40.121 has changed and you have requested strict checking.
Host key verification failed.
SSH key verification failed from 192.168.40.120 to 192.168.40.121. Verify that the SSH key for 192.168.40.120 is configured on 192.168.40.121.

Solution:

The factory reset regenerated the secondary node's SSH host key, so the key the primary node has cached for 192.168.40.121 in /home/root/.ssh/known_hosts (line 6 in the output above) no longer matches the key the secondary now presents. This is strict host key checking working as designed: the same warning would appear if the connection to the secondary were being intercepted. Before clearing the cached entry, confirm through an independent channel (for example, directly on the secondary node rather than over the failing connection) that the fingerprint shown in the warning belongs to the freshly reset node. Then remove only the entry for the secondary node's IP address, not the whole known_hosts file, and re-add it.

On FortiNAC v7.2.6 and v7.2.7:

execute ssh-known-hosts remove-host ha <secondary-NAC-IP>
execute ssh-known-hosts add ha admin <secondary-NAC-IP>
execute ssh-known-hosts show ha

On FortiNAC version 7.4.0 and above:

execute ssh-known-hosts show current-user <secondary-NAC-IP>
execute ssh-known-hosts remove-host current-user <secondary-NAC-IP>

Then repeat step 3 to rebuild High Availability.
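The commands above edit the OpenSSH known_hosts file on the primary node. The following Python script is added here as an illustration of what happens underneath; it is not FortiNAC's own code. It computes the SHA256 fingerprint that the warning prints from a known_hosts entry, lists and removes the entries for a given host (plain, comma-separated and hashed host fields), and re-adds the node's new key only if its fingerprint equals the value verified out of band. The known_hosts contents, the key material and the IP addresses are constructed sample data, and the CONSOLE_FINGERPRINT constant stands in for the fingerprint you would read on the secondary node itself.

```python
"""What 'execute ssh-known-hosts show/remove-host/add' do underneath, on a constructed
OpenSSH known_hosts file. Illustration only; not FortiNAC's implementation."""
import base64
import hashlib
import hmac


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def _wire_string(data: bytes) -> bytes:
    # SSH wire format: 4-byte big-endian length followed by the bytes.
    return len(data).to_bytes(4, "big") + data


def ed25519_blob(raw32: bytes) -> str:
    """The base64 key blob as it appears in the third column of known_hosts."""
    return _b64(_wire_string(b"ssh-ed25519") + _wire_string(raw32))


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint exactly as ssh prints it in the warning (same as ssh-keygen -lf)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + _b64(digest).rstrip("=")


def hashed_hostname(host: str, salt: bytes) -> str:
    """Host field of a HashKnownHosts entry: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + _b64(salt) + "|" + _b64(mac)


def entry_matches(hostfield: str, host: str) -> bool:
    """True if a known_hosts host field (plain, comma-separated or hashed) covers `host`."""
    if hostfield.startswith("|1|"):
        _, _, salt_b64, mac_b64 = hostfield.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in hostfield.split(",")  # exact match, never a substring match


def _fields(line: str) -> list:
    """Columns of an entry with any leading @cert-authority/@revoked marker stripped."""
    parts = line.split()
    if not parts or parts[0].startswith("#"):
        return []  # blank line or comment
    return parts[1:] if parts[0].startswith("@") else parts


def _is_entry_for(line: str, host: str) -> bool:
    fields = _fields(line)
    return bool(fields) and entry_matches(fields[0], host)


def show_host(known_hosts: str, host: str) -> list:
    """Like 'ssh-known-hosts show': (line number, line) for every entry covering `host`."""
    return [(n, line) for n, line in enumerate(known_hosts.splitlines(), 1)
            if _is_entry_for(line, host)]


def remove_host(known_hosts: str, host: str) -> str:
    """Like 'ssh-known-hosts remove-host' (or ssh-keygen -R): drop only the entries for `host`."""
    kept = [line for line in known_hosts.splitlines() if not _is_entry_for(line, host)]
    return "\n".join(kept) + "\n"


def add_host(known_hosts: str, host: str, keytype: str, blob_b64: str, expected_fp: str) -> str:
    """Re-add the host, but only if the key's fingerprint equals the one verified out of band."""
    actual = fingerprint(blob_b64)
    if not hmac.compare_digest(actual.encode(), expected_fp.encode()):
        raise ValueError(f"fingerprint mismatch for {host}: got {actual}, expected {expected_fp}")
    return known_hosts + f"{host} {keytype} {blob_b64}\n"


# Constructed sample data (not real keys): the secondary's key before and after the factory reset.
OLD_SECONDARY_KEY = ed25519_blob(bytes(range(1, 33)))
NEW_SECONDARY_KEY = ed25519_blob(bytes(range(101, 133)))
KNOWN_HOSTS = "\n".join([
    "# constructed sample of /home/root/.ssh/known_hosts on the primary node",
    "192.168.40.1 ssh-ed25519 " + ed25519_blob(bytes(range(201, 233))),
    "192.168.40.121 ssh-ed25519 " + OLD_SECONDARY_KEY,
]) + "\n"
# Assumption: stands in for the fingerprint read directly on the reset secondary node.
CONSOLE_FINGERPRINT = fingerprint(NEW_SECONDARY_KEY)


def rebuild_trust(known_hosts: str, host: str, new_blob: str, console_fp: str) -> str:
    """The whole procedure: show the stale entry, remove it, re-add the verified new key."""
    for n, line in show_host(known_hosts, host):
        print(f"offending entry at known_hosts:{n} with {fingerprint(_fields(line)[2])}")
    return add_host(remove_host(known_hosts, host), host, "ssh-ed25519", new_blob, console_fp)


if __name__ == "__main__":
    print(rebuild_trust(KNOWN_HOSTS, "192.168.40.121", NEW_SECONDARY_KEY, CONSOLE_FINGERPRINT))
```

The point of add_host refusing a mismatched fingerprint is the same as the warning above: clearing the stale entry makes the primary accept whatever key the next connection presents, so the fingerprint must be checked against a value obtained independently of that connection before trust is re-established.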