Hello everybody,
I use CatTools for the automatic configuration backup for over fifty Fortigate 60D devices with the Firmware 5.2.2 and 5.2.4.
I used the Device.Backup.RunningConfig activity, which connects to the devices via ssh and everything worked fine.
However after upgrading most of the devices to Version v5.2.5,build0701 the backup doesn't work anymore. An upgrade to newest Version 5.4.0 also didn't help.
I compared the new and the old configuration and also looked for some clues in the Release Notes but couldn't find any reason for this behaviour.
CatTools always brings the "Failed to connect to 212.x.x.x. No Response from remote host. Will try again." error message.
I would be very grateful if somebody has an idea on how to solve this issue. If you need any additional Information, I will provide it as fast as possible.
Thanks in advance and best regards,
brigadax
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
We had this same problem and raised it with or suppliers and were told:
This issue is related with the default dh-param that is changed from 1024 to 2048. But the FGT is still offering algorithm as "diffie-hellman-group-exchange-sha1" and "diffie-hellman-group1-sha1". When ssh client try to communicate with algorithm order "diffie-hellman-group-sha1, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1", FGT sends a TCP FIN. And the ssh connection can not be set up. This issue is expected to be resolved in 5.2.6 or 5.4.1.
and then
Fortinet have advised that there is no work around for this issue. A fix will come in 5.2.6, the ETA for 5.2.6 is between Jan 25, 2016 - Jan 29, 2016 and for 5.4.1 its Feb 15, 2016 - Feb 19, 2016.
We had this same problem and raised it with or suppliers and were told:
This issue is related with the default dh-param that is changed from 1024 to 2048. But the FGT is still offering algorithm as "diffie-hellman-group-exchange-sha1" and "diffie-hellman-group1-sha1". When ssh client try to communicate with algorithm order "diffie-hellman-group-sha1, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1", FGT sends a TCP FIN. And the ssh connection can not be set up. This issue is expected to be resolved in 5.2.6 or 5.4.1.
and then
Fortinet have advised that there is no work around for this issue. A fix will come in 5.2.6, the ETA for 5.2.6 is between Jan 25, 2016 - Jan 29, 2016 and for 5.4.1 its Feb 15, 2016 - Feb 19, 2016.
The problem is not fixed in 5.2.6!
Last week we upgraded our FortiOS 5.2.5 FG1500D cluster, 3 days after we had to upgraded to 5.2.6, because of a continuously crashing IPS engine.
The ips engine crashing issue was fixed, but the backup issue remains.
Kristof
The issue is still present in 5.4.0. We cannot get SolarWinds' NCM product to connect when it negotiates with 'diffie-hellman-group1-sha1'.
Same problem in 5.2.7. Was about to open support ticket, but if the issue persists in 5.4....problem. I also use Cat-Tools to backup my Fortinets. I did receive this response below from Solarwinds regarding a fix in heir next version of software. Is anyone running version 3.11 and can confirm a fix?
Yes, version 3.11 is expected to support 2048 ssh encryption level. However, please take note that 3.11 is still on Release Candidate RC version. Please make some time to test it on your lab environment first and not on production. Please expect that the service release version will be available soon.
We got a reply from the Engineering team as the kiwicat tools is not working due to kex_algorithms being used for negotiations. There may be an update of kiwicat tools that isn't using kex algorithm if you can upgrade to latest version.
Please choose ssh client that support diffie-hellman-group-exchange-sha1 in order to connect to 5.2.5-5.2.7.
In the meantime to backup config I have enabled SSHv1 and use that OK.
I tried SSHv1 and been unable to get it to work. I used the command below and even disabled set-strong crypto but still can't get CatTools to connect successfully. How did you get it to work?
set admin-ssh-v1 enable
I am using an old version of Kiwi CatTools, v3.4.0 (when it was still freeware).
I also followed this thread which updates the script used for Fortinet.FortiOS.General backups.
https://thwack.solarwinds.com/thread/25058
Hello everybody,
we updated CaTTools to Version 3.11 and were able to succesfully backup the configuration
from several Fortigate 60d with the firmware versions 5.2.5, 5.2.7 and 5.4.0!
brigadax wrote:First, how did you get version 3.11 of Cattools? Their latest release is 3.10.Hello everybody,
we updated CaTTools to Version 3.11 and were able to succesfully backup the configuration
from several Fortigate 60d with the firmware versions 5.2.5, 5.2.7 and 5.4.0!
Second, did you have SSH-V1 enabled on your 60D units?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.