Spectrum NCM cannot connect to devices and NCMSERV.OUT shows a key exchange error for security algorithms
Article ID: 110197

Products

CA Spectrum DX NetOps

Issue/Introduction

We have started deploying new Juniper gear with a new standard configuration. NCM cannot connect to these switches. We have determined that the problem is due to the macs, ciphers, and keyexes specified in the config. When we remove them from the config, NCM works again. Here is the error in NCMSERV.OUT:

com.mindbright.ssh2.SSH2FatalException: Key exchange failed: No match in kex params 'mac-algorithms-cli2srv', our's: hmac-md5,hmac-sha1, peer's: hmac-sha2-256,hmac-sha2-512

at com.mindbright.ssh2.SSH2SimpleClient.init(SSH2SimpleClient.java:277)
at com.mindbright.ssh2.SSH2SimpleClient.init(SSH2SimpleClient.java:265)
at com.mindbright.ssh2.SSH2SimpleClient.<init>(SSH2SimpleClient.java:79)
at com.mindbright.util.SshConnection.login(SshConnection.java:100)
at com.aprisma.spectrum.scmd.JunoScript.login(JunoScript.java:466)
at com.aprisma.spectrum.scmd.JunoScript.mindtermCapture(JunoScript.java:172)
at com.aprisma.spectrum.scmd.JunoScript.capture(JunoScript.java:44)
at com.aprisma.spectrum.scmd.ScmServiceImpl.captureRunningConfigImpl(ScmServiceImpl.java:398)
at com.aprisma.spectrum.scmd.ScmServiceImpl.captureRunningConfigRun(ScmServiceImpl.java:222)
at com.aprisma.spectrum.scmd.ScmServiceImpl.access$000(ScmServiceImpl.java:31)
at com.aprisma.spectrum.scmd.ScmServiceImpl$1.run(ScmServiceImpl.java:1919)
at java.lang.Thread.run(Thread.java:745)

Here is the offending configuration:

ssh {
    root-login deny;
    protocol-version v2;
    max-sessions-per-connection 32;
    ciphers [ aes192-cbc aes192-ctr aes256-cbc aes256-ctr arcfour256 blowfish-cbc ];
    macs [ hmac-sha2-256 hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96 ];
    key-exchange [ ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256 group-exchange-sha2 dh-group14-sha1 ];
    client-alive-count-max 4;
    client-alive-interval 15;
    rate-limit 10;
}

If the ssh library is changed from mindterm to jsch, then it will work. Is there any way to configure the ciphers, macs, and key exchanges that are used by either ssh library?

Environment

Spectrum

Cause

The SSH key exchange fails because the MindTerm library does not support the algorithms the device configuration requires: the device offers only hmac-sha2-256 and hmac-sha2-512 MACs, while MindTerm offers only hmac-md5 and hmac-sha1, so no common MAC algorithm can be negotiated.

Resolution

Change the ssh library from mindterm to jsch per the instructions in the CA documentation:

Broadcom TechDocs : DX NetOps Spectrum 23.3 - NCM Support for SSH using Jsch libraries

Mindterm:

  • Supported ciphers: AES (128, 192, 256), Blowfish, Twofish, CAST, 3DES, Arcfour (cbc and ctr modes; ecb for Arcfour)

  • Key exchange support: Diffie-Hellman group-exchange protocol, Diffie-Hellman group1-sha1, Diffie-Hellman Elliptic Curve

  • Ability to generate key pairs for DSA, RSA and ECDSA

  • Supported MACs: hmac-md5, hmac-sha1, hmac-sha1-96, hmac-md5-96, hmac-ripemd160


JSCH

  • Cipher: blowfish-cbc,3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-ctr,arcfour,arcfour128,arcfour256

  • Key exchange: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521

  • MAC: hmac-md5, hmac-sha1, hmac-md5-96, hmac-sha1-96
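The following added example (not CA/Broadcom code) reproduces the negotiation that fails in the NCMSERV.OUT error above: it parses the MindTerm "No match in kex params" line, parses the ciphers/macs/key-exchange lists out of the Junos ssh stanza, and applies the SSH algorithm selection rule (first algorithm in the client's list that the server also lists, per RFC 4253 section 7.1) so an operator can check a device configuration against a library's algorithm list before deploying it. The log line and configuration are copied from this article; the function and variable names are the example's own.

```python
import re
from typing import Dict, List, Optional

# MindTerm's error line as it appears in NCMSERV.OUT on this page.
_KEX_ERR = re.compile(
    r"No match in kex params '(?P<param>[^']+)', our's: (?P<ours>\S+), peer's: (?P<peers>\S+)"
)
# One Junos list inside the "ssh { ... }" stanza, e.g. macs [ a b c ];
_JUNOS_LIST = re.compile(r"(?P<key>ciphers|macs|key-exchange)\s*\[\s*(?P<vals>[^\]]*)\]")

def parse_kex_error(line: str) -> Optional[Dict[str, object]]:
    """Extract the parameter name and both algorithm lists from the MindTerm error."""
    m = _KEX_ERR.search(line)
    if not m:
        return None
    return {"param": m.group("param"),
            "ours": m.group("ours").split(","),
            "peers": m.group("peers").split(",")}

def negotiate(client: List[str], server: List[str]) -> Optional[str]:
    """RFC 4253 7.1: the first client-preferred algorithm the server also supports wins."""
    server_set = set(server)
    for alg in client:
        if alg in server_set:
            return alg
    return None  # no common algorithm: the connection fails during key exchange

def parse_junos_ssh_lists(config: str) -> Dict[str, List[str]]:
    """Return {'ciphers': [...], 'macs': [...], 'key-exchange': [...]} from a Junos ssh stanza."""
    return {m.group("key"): m.group("vals").split() for m in _JUNOS_LIST.finditer(config)}

def check_client_against_device(client_algs: Dict[str, List[str]], config: str) -> Dict[str, Optional[str]]:
    """For each list the device configures, report the algorithm that would be chosen (None = failure)."""
    device = parse_junos_ssh_lists(config)
    return {k: negotiate(client_algs[k], device[k]) for k in client_algs if k in device}

# Constructed sample input, taken from the article: the failing log line and the device stanza.
LOG_LINE = ("com.mindbright.ssh2.SSH2FatalException: Key exchange failed: No match in kex params "
            "'mac-algorithms-cli2srv', our's: hmac-md5,hmac-sha1, peer's: hmac-sha2-256,hmac-sha2-512")
DEVICE_CONFIG = """ssh {
    ciphers [ aes192-cbc aes192-ctr aes256-cbc aes256-ctr arcfour256 blowfish-cbc ];
    macs [ hmac-sha2-256 hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96 ];
}"""
# Algorithm lists as published for the two libraries on this page.
MINDTERM_MACS = ["hmac-md5", "hmac-sha1", "hmac-sha1-96", "hmac-md5-96", "hmac-ripemd160"]
JSCH_CIPHERS = "blowfish-cbc,3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-ctr,arcfour,arcfour128,arcfour256".split(",")

if __name__ == "__main__":
    print(parse_kex_error(LOG_LINE))
    print(check_client_against_device({"macs": MINDTERM_MACS, "ciphers": JSCH_CIPHERS}, DEVICE_CONFIG))
```

Running it shows `macs: None` for the MindTerm MAC list against this device, which is exactly the mismatch the stack trace reports.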

Additional Information

If you see a MindBright authentication failure in the NCMSERV.OUT file, change the library to JSCH.