After FortiGate firmware upgrade, NCM configuration capture fails

Article ID: 279546

Products

Spectrum

Issue/Introduction

We upgraded the firmware of a FortiGate device. Before the upgrade, the configuration capture was working fine, but after the upgrade it fails with:

SPC-OCC-10747: Error capturing configuration for host:
SPC-OCC-11549: Capture failed.

 

Model: FortiGate 400F

Previous firmware version: 7.2.5

Current firmware version: 7.2.7

The NCM log ($SPECROOT\NCM\NCMSERV.OUT) shows the following error:

com.jcraft.jsch.JSchException: Algorithm negotiation fail
 at com.jcraft.jsch.Session.receive_kexinit(Session.java:590)
 at com.jcraft.jsch.Session.connect(Session.java:320)
 at com.jcraft.jsch.Session.connect(Session.java:183)
 at com.aprisma.spectrum.scmd.JschSSH.getSession(JschSSH.java:70)
 at com.aprisma.spectrum.scmd.CustomSSH.jschCustomCapture(CustomSSH.java:82)
 at com.aprisma.spectrum.scmd.CustomSSH.capture(CustomSSH.java:56)
 at com.aprisma.spectrum.scmd.ScmServiceImpl.captureRunningConfigImpl(ScmServiceImpl.java:585)
 at com.aprisma.spectrum.scmd.ScmServiceImpl.captureRunningConfigRun(ScmServiceImpl.java:355)
 at com.aprisma.spectrum.scmd.ScmServiceImpl$1.run(ScmServiceImpl.java:4025)
 at java.base/java.lang.Thread.run(Unknown Source)

Environment

Spectrum 22.2.9

Cause

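Earlier FortiGate firmware supported two SSH host key algorithms (ssh-rsa and ssh-ed25519). From firmware version v7.2.6 onward, the devices support only ssh-ed25519. The jsch library in Spectrum and the device then have no host key algorithm in common, so the SSH handshake ends with "Algorithm negotiation fail" and the configuration capture fails after the firmware upgrade.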
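The following added example (not Spectrum or jsch code) parses an SSH_MSG_KEXINIT payload and applies the host key selection step to show why the handshake succeeds before v7.2.6 and fails afterwards. The payloads are constructed samples, and `LEGACY_CLIENT` is an assumed client list with no ssh-ed25519 support, not the list Spectrum actually sends.

```python
import struct

SSH_MSG_KEXINIT = 20

def kexinit_name_lists(payload: bytes) -> list[list[str]]:
    """Return the ten name-lists of an SSH_MSG_KEXINIT payload (RFC 4253, section 7.1)."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, []  # skip message type (1 byte) and cookie (16 bytes)
    for _ in range(10):
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        raw = payload[pos:pos + length]
        if len(raw) != length:
            raise ValueError("truncated name-list")
        pos += length
        lists.append(raw.decode("ascii").split(",") if raw else [])
    return lists

def negotiate_host_key(client_algs: list[str], server_kexinit: bytes):
    """First client preference the server also offers, or None (negotiation fails).
    Simplified: ignores the extra constraints a key exchange method can impose."""
    server_algs = kexinit_name_lists(server_kexinit)[1]  # server_host_key_algorithms
    return next((a for a in client_algs if a in server_algs), None)

def build_kexinit(host_key_algs: list[str]) -> bytes:
    """Constructed sample payload; every list except host keys is a placeholder."""
    lists = [["curve25519-sha256"], host_key_algs, ["aes256-ctr"], ["aes256-ctr"],
             ["hmac-sha2-256"], ["hmac-sha2-256"], ["none"], ["none"], [], []]
    body = b"".join(struct.pack(">I", len(s)) + s
                    for s in (",".join(l).encode("ascii") for l in lists))
    # type + zero cookie + name-lists + first_kex_packet_follows + reserved
    return bytes([SSH_MSG_KEXINIT]) + bytes(16) + body + b"\x00" + bytes(4)

# Assumption: a client with no ssh-ed25519 support; not Spectrum's actual list.
LEGACY_CLIENT = ["ssh-rsa", "ssh-dss"]
BEFORE_7_2_6 = build_kexinit(["ssh-rsa", "ssh-ed25519"])  # per the Cause section
FROM_7_2_6 = build_kexinit(["ssh-ed25519"])               # per the Cause section

if __name__ == "__main__":
    for label, msg in (("before 7.2.6", BEFORE_7_2_6), ("7.2.6 and later", FROM_7_2_6)):
        print(label, "->", negotiate_host_key(LEGACY_CLIENT, msg) or "Algorithm negotiation fail")
```

The same comparison can be made against a live device by capturing its KEXINIT from an SSH client's debug output and checking the host key list against what the capturing client supports.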

Resolution

We are currently in the process of upgrading the jsch library in Spectrum to address this issue. The upgraded jsch library should be included in the upcoming Spectrum 23.3.7 release.