I'm using Fortimanager v6.2.9-build1471.
I am having trouble with the following events.
Event 1
Execute "diagnose fgfm session-list" from FMG and execute SSH to the displayed tunnel IP, but login is not possible.
Event 2
I clicked "Connect to CLI via SSH" from FMG's WebGUI, but I couldn't log in.
Event 3
There were some devices that enabled SSH login with the following command.
However, SSH login is still not possible on many devices.
exe fgfm reclaim-dev-tunnel <device_name> force
I guess it corresponds to the following items written in FortiManager 6.4.6 Release Notes.
BugID:667442
FortiManager may not be able to connect to FortiGate CLI via SSH widget or execute
TCL scripts.
Therefore, updating to FortiManager 6.4.6 may solve the problem, but due to circumstances, it cannot be updated immediately.
Please let me know if there is a way to connect via SSH other than updating.
Solved! Go to Solution.
Hi @miki_m ,
Thanks for contacting us on the Community Forum.
If the devices show as online on the FortiManager, would it be possible to try this one of the following workarounds and let me know if works:
You could try to run an execute ssh on the FMG CLI, first you will need to retrieve the fgfm tunnel IP of the device using the command:
diagnose fgfm session-list <device-id>
To get device ID, run the command:
diag dvm device list <device-name>
Then:
execute ssh <fgfm-tunnel-ip-of-the-device> <fgt-username>
OR
In FMG CLI: "exec ssh-known-hosts remove-host x.x.x.x" allows to SSH in again when this occurs.
x.x.x.x needs to be the tunnel IP as well as the physical IP as it looks like the keys change on each fail over event.
This allows both the widget and exec SSH to function properly until next event
Please let me know how it goes.
Thanks,
Samer Kabbara
Created on 10-13-2022 11:05 AM
Hi @miki_m ,
Thanks for contacting us on the Community Forum.
If the devices show as online on the FortiManager, would it be possible to try this one of the following workarounds and let me know if works:
You could try to run an execute ssh on the FMG CLI, first you will need to retrieve the fgfm tunnel IP of the device using the command:
diagnose fgfm session-list <device-id>
To get device ID, run the command:
diag dvm device list <device-name>
Then:
execute ssh <fgfm-tunnel-ip-of-the-device> <fgt-username>
OR
In FMG CLI: "exec ssh-known-hosts remove-host x.x.x.x" allows to SSH in again when this occurs.
x.x.x.x needs to be the tunnel IP as well as the physical IP as it looks like the keys change on each fail over event.
This allows both the widget and exec SSH to function properly until next event
Please let me know how it goes.
Thanks,
Samer Kabbara
Dear Samer Kabbara
Thank you for your reply.
As you pointed out, the following command worked.
"exec ssh-known-hosts remove-host x.x.x.x"
I am very happy to help you solve the problem.
Thank you very much.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.