Version 9.4.3 and above: To prevent an SSH communication failure due to this scenario, the MultiKnownHostEntries attribute can be enabled. FortiNAC's known_hosts cache is checked for all potential matches of the VIP and determines which entry to use. This is done on a per-device model basis.

This function is also detailed under Model Configuration in the Administration Guide.

FortiNAC-OS: Addressed in versions F 7.2.7, F 7.4.1 & F 7.6.0

See Configure SSH Keys for VIP in the Admin Guide  

Procedure (CentOS Only):

1. Log in to the FortiNAC CLI as root.
2. Add the IP address of a device that could potentially own the VIP to the known host's cache. Enter the following:
   
   ssh root@<IP address>

When prompted to continue connecting, enter yes.
The resulting SSH key is written to /root/.ssh/known_hosts file.

3. Press Ctrl-C to end the SSH session.
4. Display the keys. Enter the following:
   
   cat /root/.ssh/known_hosts | grep <IP address>
   
   
5. Copy the key.
6. Modify /bsc/.ssh/known_hosts.

• Paste the key on a separate line.
• Change the IP address to the VIP.
• Save the file.
  
  

7. Confirm the change by entering the following command:
   
   cat /bsc/.ssh/known_hosts | grep <VIP address>
   
   /bsc/.ssh/known_hosts should now have two entries for the VIP with 2 different keys:

• 1 entry is the VIP which is modeled in FortiNAC as a full device model SSH key.
• 1 entry is the pingable model.
  
  

7. Repeat steps 2-6 for each device that could potentially own the VIP.

8. Enable the MultiKnownHostEntries attribute for the VIP. Enter the following:
   
   device -ip <VIP address> -setAttr -name MultiKnownHostEntries -value true
   

For example:

device -ip 10.20.20.3 -setAttr -name MultiKnownHostEntries -value true