Hi Val and the_rock thanks for you reply but i am still facing the same issue, attaching snap from both cli and Gaia, 

please look and let me know what am i missing also i have gone through mention SK but it didn't help.

I see now it matches, but still an issue. I would confirm with TAC.

Andy

Thanks, will be looking forward for your response.

BR

Asif

One other thing you can try is also maybe remove that config and try again, but if that fails, I would open support case and confirm what could be the reason for the failure.

Andy

I have already tried that, but still it is not working and showing same error.

BR

Asif

Hey Asif, good morning again. So if thats the case, then I would certainly open TAC case and see if they can verify.

https://help.checkpoint.com

Andy

Hi Andy, thanks for sharing the link but unfortunately i do not have subscription for checkpoint also i am trying this in my lab and hence i have reached out on this community to see if someone have faced similar error earlier.

Anyways thanks for all your help.

BR 

Asif

We are not sadly allowed, as per community policies, to paste content of the sk, so you would have to see if someone you know may have access to the article @_Val_ pointed to, I believe it would help.

Andy

I have already followed the SK but i think something is missing in what i am doing and that i am not able to figure it out.

BR

Asif

Just to make sure Im not missing anything, is it the case where you delete this config, then when you try it again, it fails at exact same step?

Andy

Yes!

BR

Asif

Ok, fair enough. Im tagging @Ilya_Yusupov , I have all the confidence in the world he can help you fix this problem.

Andy

Thank you @the_rock  🙂

@Asifoxy  - i replicated it in my lab but i'm not sure its a bug 

in my lab i see that for my known host i have 3 options for the fingerprint, when i choose "ecdsa-sha2-nistp256" it worked but if i choose same as in your attachment i will get same results 

the fingerprint options - if i choose the first one it works but if i choose last one it will not work, based on the SK looks like we support only SHA256, i suggest to open a TAC ticket in case you see this as an issue.

[Expert@ilya29000-2:0]# ssh-keyscan 10.15.255.131 | ssh-keygen -lf -
# 10.15.255.131:22 SSH-2.0-OpenSSH_7.8
# 10.15.255.131:22 SSH-2.0-OpenSSH_7.8
# 10.15.255.131:22 SSH-2.0-OpenSSH_7.8
256 SHA256:QTmIeCF6wc+6UFpbaT8bDM5Jtd/DOkr1h7eRAoh3kmM 10.15.255.131 (ECDSA)
2048 SHA256:K8VKLJsuzkpmqGV0DPif4MVQMefi3Sy2PwuV3v8ECls 10.15.255.131 (RSA)
256 SHA256:Ap8u/SvBfrGCNVMk76JqO+bbvb6lMQYj2bTNwXwYWao 10.15.255.131 (ED25519)

Good:

ilya29000-2> add ssh hba ipv4-address 10.15.255.131 public-key access-mode online fingerprint QTmIeCF6wc+6UFpbaT8bDM5Jtd/DOkr1h7eRAoh3kmM

Bad:

ilya29000-2> add ssh hba ipv4-address 10.15.255.131 public-key access-mode online fingerprint Ap8u/SvBfrGCNVMk76JqO+bbvb6lMQYj2bTNwXwYWao
NMHOST9999 Fingerprint does not match remote public key

Thanks @Ilya_Yusupov for taking time and testing it out in your lab, as i mention earlier currently i am on learning path and does not have support to checkpoint services, still i will updated the JHF in my lab and will let you guys know if it helps or not.

BR

Asif

Hey @Asifoxy 

I also tested what @Ilya_Yusupov did in his lab and result was the same.

Andy