Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
bmduncan33
New Contributor II

Cannot ssh from FortiGate to Managed Switch

Hello.  My FortiGates manages a bunch of FortiSwitches.  My gates runs 7.0.5 and my switches are at 7.0.4.  At one time I could right-click on a managed switch in FortiOS UI and choose Connect to cli, and a fresh ssh session would open.  Now I get percent_expand: unknown key %H.  I know I read about this problem in a release note somewhere and the fix was also listed.  I can't find that article again for some reason.  Has anyone else seen this and do you know the fix or can you send me the reference?  Thanks!

6 REPLIES 6
gfleming
Staff
Staff

Does this happen when you try connecting to CLI of all your switches or just one?

 

What happens if you right-click and select "Diagnostics & Tools" and then click the CLI Access tab? Same error?

Cheers,
Graham
bmduncan33
New Contributor II

Hello.  Its happening to all switches.  If I follow your directions and click the CLI Access Tab I get the same result percent_expand: unknown key %H.  Also, some switches in the UI show Diagnostics & Tools greyed out. 

 

Ever heard of this before?

gfleming

I have not seen this before, no. Have you opened a ticket with TAC?

Cheers,
Graham
bmduncan33
New Contributor II

Working with TAC.  No solution yet.  

bmduncan33
New Contributor II

Solved by TAC.  When I upgraded to 7.0.5 on my gates, or maybe on an earlier upgrade, the following config got set:

 

config switch-controller global
set fips-enforce enable

 

Well FIPS can cause all sorts of issues and often breaks stuff.  We set that to disabled, and while it took a little time to take effect, I no longer see that cryptic error.  Whew!

bmduncan33

Spoke too soon.  While it appeared this was fixed, the problem returned the next day.  Even with FIPS disabled!  It's not a browser cache issue or anything like that.  I've opened a fresh TAC case and referenced the last ticket.  I'll bet this will have to go to development to investigate.  So weird.