Spectrum NCM cannot connect to devices and NCMSERV.OUT shows a key exchange error for security algorithms


Article ID: 110197




CA Spectrum DX NetOps


We have started deploying new Juniper gear with a new standard configuration. NCM cannot connect to these switches. We have determined that the problem is due to the macs, ciphers, and keyexes specified in the config. When we remove them from the config, NCM works again. Here is the error in NCMSERV.OUT:

com.mindbright.ssh2.SSH2FatalException: Key exchange failed: No match in kex params 'mac-algorithms-cli2srv', our's: hmac-md5,hmac-sha1, peer's: hmac-sha2-256,hmac-sha2-512

at com.mindbright.ssh2.SSH2SimpleClient.init(SSH2SimpleClient.java:277)
at com.mindbright.ssh2.SSH2SimpleClient.init(SSH2SimpleClient.java:265)
at com.mindbright.ssh2.SSH2SimpleClient.(SSH2SimpleClient.java:79)
at com.mindbright.util.SshConnection.login(SshConnection.java:100)
at com.aprisma.spectrum.scmd.JunoScript.login(JunoScript.java:466)
at com.aprisma.spectrum.scmd.JunoScript.mindtermCapture(JunoScript.java:172)
at com.aprisma.spectrum.scmd.JunoScript.capture(JunoScript.java:44)
at com.aprisma.spectrum.scmd.ScmServiceImpl.captureRunningConfigImpl(ScmServiceImpl.java:398)
at com.aprisma.spectrum.scmd.ScmServiceImpl.captureRunningConfigRun(ScmServiceImpl.java:222)
at com.aprisma.spectrum.scmd.ScmServiceImpl.access$000(ScmServiceImpl.java:31)
at com.aprisma.spectrum.scmd.ScmServiceImpl$1.run(ScmServiceImpl.java:1919)
at java.lang.Thread.run(Thread.java:745)

Here is the offending configuration:

ssh {
    root-login deny;
    protocol-version v2;
    max-sessions-per-connection 32;
    ciphers [ aes192-cbc aes192-ctr aes256-cbc aes256-ctr arcfour256 blowfish-cbc ];
    macs [ hmac-sha2-256 hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96 ];
    key-exchange [ ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256 group-exchange-sha2 dh-group14-sha1 ];
    client-alive-count-max 4;
    client-alive-interval 15;
    rate-limit 10;

If the ssh library is changed from mindterm to jsch, then it will work. Is there any way to configure the ciphers, macs, and key exchanges that are used by either ssh library?




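The key exchange is not supported: the mindterm SSH library and the device have no algorithm in common for one of the negotiated parameters. In the log above, the parameter with no match is the client-to-server MAC list.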
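
The following Python script is an added example, not part of the original article or of Spectrum. It parses the NCMSERV.OUT failure line quoted above, applies the RFC 4253 selection rule, and checks whether the device's `macs` statement accounts for the mismatch. The names `triage`, `junos_list`, `negotiate` and the mapping from the log parameter to the Junos statement are assumptions made for illustration.

```python
import re

# Constructed sample: the NCMSERV.OUT line quoted in this article plus one unrelated line.
SAMPLE_LOG = (
    "INFO unrelated line\n"
    "com.mindbright.ssh2.SSH2FatalException: Key exchange failed: No match in kex params "
    "'mac-algorithms-cli2srv', our's: hmac-md5,hmac-sha1, peer's: hmac-sha2-256,hmac-sha2-512\n"
)
# The macs statement from the device configuration quoted in this article.
DEVICE_CONFIG = "macs [ hmac-sha2-256 hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96 ];"
# Assumption: this log parameter corresponds to the Junos `macs` statement.
PARAM_TO_STATEMENT = {"mac-algorithms-cli2srv": "macs"}

KEX_FAILURE = re.compile(
    r"No match in kex params '(?P<param>[^']+)', our's: (?P<ours>\S+), peer's: (?P<peer>\S+)"
)

def negotiate(client, server):
    """RFC 4253 section 7.1: first name on the client's list that the server also lists."""
    return next((alg for alg in client if alg in server), None)

def junos_list(config, statement):
    """Return the names inside `statement [ ... ];` of a Junos ssh stanza."""
    if not statement:
        return []
    m = re.search(rf"\b{re.escape(statement)}\s*\[([^\]]*)\]", config)
    return m.group(1).split() if m else []

def triage(log_text, config):
    """One finding per negotiation failure in the log, cross-checked against the config."""
    findings = []
    for m in KEX_FAILURE.finditer(log_text):
        ours, peer = m["ours"].split(","), m["peer"].split(",")
        configured = junos_list(config, PARAM_TO_STATEMENT.get(m["param"]))
        findings.append({
            "param": m["param"],
            "negotiated": negotiate(ours, peer),
            # The client library has to gain one of these; the device list stays as is.
            "client_must_add_one_of": [a for a in peer if a not in ours],
            # True when the device's offer comes from the quoted statement and that
            # statement contains nothing the client offers.
            "explained_by_config": bool(configured)
            and set(peer) <= set(configured)
            and not set(ours) & set(configured),
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, DEVICE_CONFIG):
        print(finding)
```

A finding with `negotiated` set to `None` and `explained_by_config` set to `True` means the client library lacks every MAC the device is configured to accept, which is the condition the library change below addresses.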


Change the ssh library from mindterm to jsch per the instructions in the CA documentation:

Broadcom TechDocs : DX NetOps Spectrum 23.3 - NCM Support for SSH using Jsch libraries


  • Supported Ciphers: AES (128, 192, 256), Blowfish, Twofish, Cast, 3DES, Arcfour (modes cbc, ctr and, for arcfour, ecb)

  • Key exchange support: Diffie-Hellman group-exchange protocol, Diffie-Hellman group1-sha1, Diffie-Hellman Elliptic Curve

  • Ability to generate key pairs for DSA, RSA and ECDSA

  • Supported macs: hmac-md5, hmac-sha1, hmac-sha1-96, hmac-md5-96, hmac-ripemd160 


  • Cipher: blowfish-cbc,3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-ctr,arcfour,arcfour128,arcfour256

  • Key exchange: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521

  • MAC: hmac-md5, hmac-sha1, hmac-md5-96, hmac-sha1-96

Additional Information

If you see a MindBright authentication failure in the NCMSERV.OUT file, change the library to JSCH.