
FGT execute ssh: unable to negotiate … no matching MAC found


Unable to connect to a device through ssh from FortiGate

FGT1 # execute ssh admin@
Unable to negotiate with no matching MAC found. Their offer: hmac-md5,hmac-sha1,hmac-ripemd160,,hmac-md5-96

Solution (allow INSECURE MAC and key-exchange algorithms)

config system global
    set strong-crypto disable
    set ssh-mac-algo hmac-md5 hmac-md5-96 hmac-sha1 hmac-sha2-256 hmac-sha2-512 hmac-ripemd160
    set ssh-kex-algo diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521
end

After you have finished your work, re-enable strong crypto and reset the algorithm lists to their defaults:

config system global
    set strong-crypto enable
    unset ssh-mac-algo
    unset ssh-kex-algo
end
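The block above enables every legacy MAC and key-exchange algorithm at once. In practice you only need the single strongest algorithm the far end offers, and the OpenSSH error line already tells you what that is. The following script is an added example written for this post (not Fortinet's or OpenSSH's code): it parses the "Unable to negotiate … Their offer:" line, picks the highest-ranked offered algorithm, and emits a minimal apply block and the matching rollback block. It also handles the "no matching key exchange method found" variant, which can appear after the MAC problem is solved. The preference order, the set of algorithms assumed to require strong-crypto disable, and the assumed current FortiOS algorithm lists (ASSUMED_CURRENT) are illustrative assumptions; check them against your FortiOS version before use.

```python
"""Choose the least-weak SSH algorithm to enable after an 'Unable to negotiate' error.

Added example for this post, not Fortinet's or OpenSSH's code. The preference
order, NEEDS_WEAK_CRYPTO and ASSUMED_CURRENT are illustrative assumptions.
"""
import re

# Wording OpenSSH uses in the error -> FortiOS 'config system global' option.
KIND_TO_OPTION = {
    "MAC": "ssh-mac-algo",
    "key exchange method": "ssh-kex-algo",
}

# Strongest first. Assumption: a reasonable ordering, not a published standard.
PREFERENCE = {
    "ssh-mac-algo": [
        "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
        "hmac-sha2-512", "hmac-sha2-256",
        "hmac-sha1", "hmac-ripemd160", "hmac-md5", "hmac-sha1-96", "hmac-md5-96",
    ],
    "ssh-kex-algo": [
        "curve25519-sha256", "curve25519-sha256@libssh.org",
        "ecdh-sha2-nistp521", "ecdh-sha2-nistp384", "ecdh-sha2-nistp256",
        "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512",
        "diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1",
        "diffie-hellman-group-exchange-sha1", "diffie-hellman-group1-sha1",
    ],
}

# Assumption: algorithms FortiOS only accepts once strong-crypto is disabled.
NEEDS_WEAK_CRYPTO = {
    "hmac-sha1", "hmac-ripemd160", "hmac-md5", "hmac-sha1-96", "hmac-md5-96",
    "diffie-hellman-group14-sha1", "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group1-sha1",
}

# Assumption: what the FortiGate already allows while strong-crypto is enabled.
ASSUMED_CURRENT = {
    "ssh-mac-algo": ["hmac-sha2-256", "hmac-sha2-512"],
    "ssh-kex-algo": ["ecdh-sha2-nistp256", "ecdh-sha2-nistp384",
                     "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256"],
}

ERROR_RE = re.compile(
    r"no matching (?P<kind>MAC|key exchange method) found\. Their offer: (?P<offer>\S+)"
)

# Constructed sample: the error line as shown in the post, stray double comma included.
SAMPLE_ERROR = ("Unable to negotiate with no matching MAC found. "
                "Their offer: hmac-md5,hmac-sha1,hmac-ripemd160,,hmac-md5-96")


def parse_negotiation_error(text):
    """Return (fortios_option, [offered algorithms]) from an OpenSSH error line."""
    m = ERROR_RE.search(text)
    if m is None:
        raise ValueError("not an 'Unable to negotiate' MAC/KEX error: %r" % text)
    # Drop empty fields so a stray ',,' does not turn into an empty algorithm name.
    offer = [a for a in m.group("offer").split(",") if a]
    return KIND_TO_OPTION[m.group("kind")], offer


def choose_algorithm(option, offer):
    """Highest-ranked algorithm the peer offers, or None if we rank none of them."""
    for algo in PREFERENCE[option]:
        if algo in offer:
            return algo
    return None


def fortios_commands(option, chosen, current=None):
    """CLI block that adds only 'chosen' to the current list; weakens strong-crypto only if needed."""
    current = list(ASSUMED_CURRENT[option] if current is None else current)
    lines = ["config system global"]
    if chosen in NEEDS_WEAK_CRYPTO:
        lines.append("    set strong-crypto disable")
    if chosen not in current:
        current.append(chosen)
    lines.append("    set %s %s" % (option, " ".join(current)))
    lines.append("end")
    return "\n".join(lines)


def rollback_commands(option):
    """CLI block that restores the option's default list and re-enables strong crypto."""
    return "\n".join(["config system global", "    set strong-crypto enable",
                      "    unset %s" % option, "end"])


def plan(error_text):
    """Parse the error, choose one algorithm, and build the apply and rollback blocks."""
    option, offer = parse_negotiation_error(error_text)
    chosen = choose_algorithm(option, offer)
    if chosen is None:
        raise ValueError("peer offers nothing we are willing to enable: %s" % offer)
    return {"option": option, "offer": offer, "chosen": chosen,
            "apply": fortios_commands(option, chosen),
            "rollback": rollback_commands(option)}


if __name__ == "__main__":
    result = plan(SAMPLE_ERROR)
    print(result["apply"])
    print(result["rollback"])
```

For the offer in the post the script selects hmac-sha1 and leaves hmac-md5, hmac-md5-96 and hmac-ripemd160 disabled, so the FortiGate's SSH client accepts exactly one extra legacy algorithm for the duration of the maintenance. If you follow the advice further down and connect from a workstation instead, the same chosen value can be handed to an OpenSSH client with `-o MACs=hmac-sha1` (or `-o KexAlgorithms=...` for a key-exchange failure) without touching the FortiGate at all.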

Further details

Devices connected to the FortiGate through CAPWAP, e.g. FortiAP or FortiSwitch units, may lose their connection when you change the strong-crypto setting.

I would recommend changing these settings only for a short period of time, or using another path to reach the target device (e.g. via SSL VPN or a VIP) so the FortiGate's own crypto settings stay untouched.

The same failure can occur whenever you SSH from the FortiGate to another device that only offers legacy MAC or key-exchange algorithms, because strong-crypto removes those algorithms from the FortiGate's SSH client.

Further details are documented in this KB article: Technical Tip: ‘Unable to negotiate with x.x.x.x: … – Fortinet Community

I’ve tested these changes/settings with FOS 7.2.5 and FOS 7.0.12.