miki_m
New Contributor II

Tell me about FortiManager's SSH issues.

I'm using FortiManager v6.2.9-build1471.
I am having trouble with the following events.


Event 1
Execute "diagnose fgfm session-list" from FMG and execute SSH to the displayed tunnel IP, but login is not possible.
Event 2
I clicked "Connect to CLI via SSH" from FMG's WebGUI, but I couldn't log in.
Event 3
There were some devices that enabled SSH login with the following command.
However, SSH login is still not possible on many devices.

 exe fgfm reclaim-dev-tunnel <device_name> force


I guess it corresponds to the following items written in FortiManager 6.4.6 Release Notes.

Bug ID: 667442
FortiManager may not be able to connect to FortiGate CLI via SSH widget or execute TCL scripts.


Therefore, updating to FortiManager 6.4.6 may solve the problem, but due to circumstances, it cannot be updated immediately.
Please let me know if there is a way to connect via SSH other than updating.

1 Solution
skabbara
Staff
Staff

Hi @miki_m ,

Thanks for contacting us on the Community Forum.

If the devices show as online on the FortiManager, would it be possible to try one of the following workarounds and let me know if it works:

You could try to run execute ssh on the FMG CLI. First you will need to retrieve the fgfm tunnel IP of the device using the command:

diagnose fgfm session-list <device-id>

To get the device ID, run the command:

diag dvm device list <device-name>

Then:

execute ssh <fgfm-tunnel-ip-of-the-device> <fgt-username>

OR

In FMG CLI: "exec ssh-known-hosts remove-host x.x.x.x" allows you to SSH in again when this occurs.

x.x.x.x needs to be the tunnel IP as well as the physical IP, as it looks like the keys change on each failover event.

This allows both the widget and exec SSH to function properly until the next event.

Please let me know how it goes.

Thanks,

Samer Kabbara

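As an added illustration (not from the thread and not Fortinet's code), this is the check a practitioner would want before running remove-host: confirm that the cached keys for both the tunnel IP and the physical IP really differ from the key the device now presents, then drop exactly those two entries and nothing else. It assumes an OpenSSH-style known_hosts text with constructed addresses and keys; the format of FortiManager's own ssh-known-hosts store is not shown on the page.

```python
from typing import Iterable, List, Tuple

Entry = Tuple[str, str, str]  # (host, key type, base64 key)

# Constructed sample in OpenSSH known_hosts layout (assumption: the format of
# FortiManager's own ssh-known-hosts store is not shown in the thread).
# The first two lines are one FortiGate cached under its fgfm tunnel IP and
# its physical IP; the third is an unrelated device that must be left alone.
SAMPLE_KNOWN_HOSTS = """\
10.255.1.5 ssh-ed25519 AAAAC3_FGT1_KEY_BEFORE_FAILOVER
192.0.2.10 ssh-ed25519 AAAAC3_FGT1_KEY_BEFORE_FAILOVER
192.0.2.20 ssh-ed25519 AAAAC3_OTHER_DEVICE_KEY
"""


def parse_known_hosts(text: str) -> List[Entry]:
    """Split a known_hosts text into (host, type, key) triples; one line may
    list several comma-separated hosts that share a key."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # malformed line: ignore rather than guess
        hosts, key_type, key = parts
        entries.extend((h, key_type, key) for h in hosts.split(","))
    return entries


def stale_entries(entries: Iterable[Entry], addresses: Iterable[str],
                  presented_key: str) -> List[Entry]:
    """Cached entries for the device's addresses whose key no longer matches
    the key the device presents now (the symptom after an HA failover)."""
    wanted = set(addresses)
    return [e for e in entries if e[0] in wanted and e[2] != presented_key]


def remove_hosts(entries: Iterable[Entry], addresses: Iterable[str]) -> List[Entry]:
    """Equivalent of running remove-host once per address: drop the tunnel IP
    and the physical IP together, leaving every other cached device intact."""
    wanted = set(addresses)
    return [e for e in entries if e[0] not in wanted]
```

After the removal the next connection trusts whatever key the device presents, so the new fingerprint should be compared against the one read from the FortiGate itself before the entry is relied on again.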

Anonymous
Not applicable

Hello @miki_m ,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

miki_m
New Contributor II

Dear Samer Kabbara,

Thank you for your reply.
As you pointed out, the following command worked:
"exec ssh-known-hosts remove-host x.x.x.x"

I am very happy to help you solve the problem.
Thank you very much.
