brigadax
New Contributor

CatTools Backup Problem with Fortigate 60D v5.2.5

Hello everybody,

 

I use CatTools for the automatic configuration backup of over fifty Fortigate 60D devices with firmware 5.2.2 and 5.2.4.

I used the Device.Backup.RunningConfig activity, which connects to the devices via ssh, and everything worked fine.

However, after upgrading most of the devices to version v5.2.5,build0701, the backup doesn't work anymore. An upgrade to the newest version, 5.4.0, also didn't help.

I compared the new and the old configuration and also looked for some clues in the release notes, but couldn't find any reason for this behaviour.

CatTools always produces the error message "Failed to connect to 212.x.x.x. No Response from remote host. Will try again."

I would be very grateful if somebody has an idea on how to solve this issue. If you need any additional information, I will provide it as fast as possible.

 

Thanks in advance and best regards,

brigadax

1 Solution
duncan_read
New Contributor

We had this same problem and raised it with our suppliers and were told:

This issue is related to the default dh-param, which was changed from 1024 to 2048. But the FGT is still offering the algorithms "diffie-hellman-group-exchange-sha1" and "diffie-hellman-group1-sha1". When the ssh client tries to communicate with the algorithm order "diffie-hellman-group-sha1, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1", the FGT sends a TCP FIN, and the ssh connection cannot be set up. This issue is expected to be resolved in 5.2.6 or 5.4.1.

and then

Fortinet have advised that there is no workaround for this issue. A fix will come in 5.2.6; the ETA for 5.2.6 is between Jan 25, 2016 - Jan 29, 2016 and for 5.4.1 it's Feb 15, 2016 - Feb 19, 2016.
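The negotiation the accepted answer describes, as an added example that is not part of this thread: under RFC 4253 the chosen key-exchange method is the first entry in the client's list that the server also offers, so with the lists quoted above both sides should settle on diffie-hellman-group-exchange-sha1, yet the affected firmware closes the TCP connection instead. The script below (constructed KEXINIT bytes; fetch_server_kexinit is an assumed helper, not a CatTools or Fortinet function) lets an operator verify what a device actually advertises before and after a firmware upgrade.

```python
import socket
import struct

# Name-lists quoted in the accepted answer; the KEXINIT bytes built below are constructed.
FGT_KEX = ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group1-sha1"]
CLIENT_KEX = ["diffie-hellman-group-sha1", "diffie-hellman-group14-sha1",
              "diffie-hellman-group-exchange-sha1"]


def _name_list(items):
    # SSH name-list: uint32 length followed by comma-separated names (RFC 4251)
    data = ",".join(items).encode()
    return struct.pack(">I", len(data)) + data


def build_kexinit(kex_algs):
    """Minimal SSH_MSG_KEXINIT payload (RFC 4253 s7.1): msg byte 20, 16-byte
    cookie, ten name-lists, first_kex_packet_follows byte, reserved uint32."""
    payload = bytes([20]) + b"\x00" * 16 + _name_list(kex_algs) + _name_list(["ssh-rsa"])
    payload += _name_list(["aes128-ctr"]) * 2 + _name_list(["hmac-sha1"]) * 2
    payload += _name_list(["none"]) * 2 + _name_list([]) * 2
    return payload + b"\x00" + b"\x00\x00\x00\x00"


def kex_algorithms(payload):
    """Return the kex_algorithms name-list advertised in a KEXINIT payload."""
    if not payload or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    (n,) = struct.unpack_from(">I", payload, 17)   # first name-list follows the cookie
    raw = payload[21:21 + n].decode()
    return raw.split(",") if raw else []


def negotiate_kex(client_algs, server_algs):
    """RFC 4253 rule: first client algorithm the server also lists, else None."""
    return next((a for a in client_algs if a in server_algs), None)


def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Read a live server's KEXINIT payload (assumed helper): exchange banners,
    then the first unencrypted packet: uint32 length, byte padding_length, payload, padding."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-kexprobe\r\n")
        f = sock.makefile("rb")
        line = f.readline()
        while line and not line.startswith(b"SSH-"):   # skip any pre-banner text lines
            line = f.readline()
        (plen,) = struct.unpack(">I", f.read(4))
        padlen = f.read(1)[0]
        return f.read(plen - 1)[: plen - 1 - padlen]


if __name__ == "__main__":
    server_list = kex_algorithms(build_kexinit(FGT_KEX))
    print("per RFC 4253 the session should use:", negotiate_kex(CLIENT_KEX, server_list))
```

Running kex_algorithms(fetch_server_kexinit(host)) against a device shows whether its offered list matches the two entries named in the answer, and negotiate_kex shows which method a given client order would select.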


krdoor

The problem is not fixed in 5.2.6!

Last week we upgraded our FortiOS 5.2.5 FG1500D cluster; 3 days later we had to upgrade to 5.2.6 because of a continuously crashing IPS engine.

The IPS engine crashing issue was fixed, but the backup issue remains.

 

Kristof

AlexRG
New Contributor

The issue is still present in 5.4.0. We cannot get SolarWinds' NCM product to connect when it negotiates with 'diffie-hellman-group1-sha1'.

sdlengua

Same problem in 5.2.7. I was about to open a support ticket, but if the issue persists in 5.4... problem. I also use CatTools to back up my Fortinets. I did receive the response below from SolarWinds regarding a fix in their next version of the software. Is anyone running version 3.11 and can confirm a fix?

Yes, version 3.11 is expected to support the 2048 ssh encryption level. However, please take note that 3.11 is still a Release Candidate (RC) version. Please make some time to test it in your lab environment first and not in production. Please expect that the service release version will be available soon.

Mattbaldwin

We got a reply from the Engineering team that Kiwi CatTools is not working due to the kex_algorithms being used for negotiation. There may be an update of Kiwi CatTools that isn't using that kex algorithm, if you can upgrade to the latest version.

Please choose an ssh client that supports diffie-hellman-group-exchange-sha1 in order to connect to 5.2.5-5.2.7.

In the meantime, to back up the config I have enabled SSHv1 and use that OK.

sdlengua

I tried SSHv1 and have been unable to get it to work. I used the command below and even disabled strong-crypto, but still can't get CatTools to connect successfully. How did you get it to work?

set admin-ssh-v1 enable

Mattbaldwin

I am using an old version of Kiwi CatTools, v3.4.0 (when it was still freeware).

 

I also followed this thread which updates the script used for Fortinet.FortiOS.General backups.

https://thwack.solarwinds.com/thread/25058

 

 

brigadax

Hello everybody,

 

We updated CatTools to version 3.11 and were able to successfully back up the configuration from several Fortigate 60D units with the firmware versions 5.2.5, 5.2.7 and 5.4.0!

syu
New Contributor III

brigadax wrote:

Hello everybody,

We updated CatTools to version 3.11 and were able to successfully back up the configuration from several Fortigate 60D units with the firmware versions 5.2.5, 5.2.7 and 5.4.0!

First, how did you get version 3.11 of CatTools? Their latest release is 3.10.

Second, did you have SSHv1 enabled on your 60D units?
