Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
BingleHopper
New Contributor III

Created on ‎05-24-2023 11:15 PM Edited on ‎02-26-2024 06:39 AM By Community Manager

Fortiswitch Upgrade to 7.2.4 Causing SSH issues with SolarWinds

This is a FortiSwitch 248E-FPOE. I have replicated the issue with another switch.  The switches were on 7.2.1 and I tried to upgrade one to 7.2.4.  After I noticed the issue, I upgraded another to 7.2.3 with no issue, and then to 7.2.4 where the issue was there again. 

I can ssh to the device using putty, but SolarWinds cannot anymore (I believe solarwinds ncm uses 'We only do' ssh client). SolarWinds gives an error about not being able to negotiate encryption.

 

On the switch's logs I see that the negotiation failed due to 'no matching MAC found. Their offer: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96,hmac-md5-none'.

I have 'Strong Cyphers' enabled on the switch, but it was previously enabled on 7.2.1 and 7.2.3 (and I'd prefer to keep it on).  I disabled 'Strong Cyphers' just to test and was met with a different log along the lines of 'no matching host key type found. Their offer: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss'.

 

Did the defaults change with this update or maybe this could be a bug?  If so, is there any way to manually set the cypher on a standalone switch? 

 

Solarwinds is on the 2022.4.1 version, which is not quite the latest, but one of the latest. 

 

Finally, I traced a ssh session through putty just to see what cypher was being agreed upon (remember, putty was working, but not solarwinds.  This is what I got:20230524_173412~2.jpg

Labels:
7431
1 Solution
BingleHopper
New Contributor III

Created on ‎09-12-2023 11:53 AM Edited on ‎09-12-2023 11:55 AM

As per a ticket, this is a bug set to be fixed in the 7.4.1 release.  A current work around is to just disable strong-crypto and then reboot or kill the ssh process.

The ticket was resolved a while ago, but since I already logged in, I see no reason to not mark this as a solution.

View solution in original post

6984
8 REPLIES 8
AEK
SuperUser
SuperUser

Created on ‎05-25-2023 02:28 AM

Probably 7.2.4 dropped some old cypher methods.

I'd suggest to update SolarWinds, or just update or tune its ssh client and libs if possible.

 

AEK
AEK
7416
BingleHopper
New Contributor III
In response to AEK

Created on ‎05-27-2023 06:47 PM Edited on ‎05-27-2023 06:48 PM

The problem is that according to this link the cyphers do not change from 2022.4.1 to any of the newer versions.  Kind of wondering if anyone else had the problem or if maybe the fortinet does support the cyphers solarwinds is offering and there is some bug?

 

Thank you though.

7378
0 Kudos
sfrati
Staff
Staff

Created on ‎07-04-2023 05:38 AM

Not sure my answer is really related to your challenge, but be aware that SHA-1 is deprecated and not authorized by default in 7.4.0+
Since 7.4, FOS has been using OpenSSL 3.0, for which X509 certificates signed using SHA1, for instance, are no longer allowed at security level 1 (default level) and above. There is a workaround for that but this will lower the security level to 0.

7229
BingleHopper
New Contributor III

Created on ‎09-12-2023 11:53 AM Edited on ‎09-12-2023 11:55 AM

As per a ticket, this is a bug set to be fixed in the 7.4.1 release.  A current work around is to just disable strong-crypto and then reboot or kill the ssh process.

The ticket was resolved a while ago, but since I already logged in, I see no reason to not mark this as a solution.

6985
DiamondDave
New Contributor
In response to BingleHopper

Created on ‎11-07-2023 12:45 PM

This work-around does not work.  Will need to do a release update for 7.2.6 to resolve this.

set strong-crypto disable
then reboot

Does not allow ssh from Solarwinds Npm.  Same issue with keys.

6419
0 Kudos
mle2802
Staff
Staff
In response to DiamondDave

Created on ‎11-07-2023 01:55 PM

Hi @DiamondDave,

Not sure with FortiSwitch but on FortiGate, there is similar issue after upgrading to 7.2.6, SSH key file corrupted and need to re-generate the key. Do the pcap and see if the key list is empty from server. If that the case, try "execute ssh-regen-keys" to re-generate the key file.

 

6410
DiamondDave
New Contributor
In response to mle2802

Created on ‎05-17-2024 09:12 AM

Actually, Solar winds came out with an update that seem to have fixed the issue.

3993
0 Kudos
webbyhead
New Contributor

Created on ‎05-17-2024 03:23 AM

Hello

Do you have a Solarwinds Device Template that you can share for this Fortinet Switch and firmware version?

4021
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.