Spectrum NCM cannot connect to devices and NCMSERV.OUT shows key exchange error

Article ID: 110197

Products

CA Spectrum

Issue/Introduction

We have started deploying new Juniper gear with a new standard configuration. NCM cannot connect to these switches. We have determined that the problem is due to the macs, ciphers, and keyexes specified in the config. When we remove them from the config, NCM works again. Here is the error in NCMSERV.OUT:

com.mindbright.ssh2.SSH2FatalException: Key exchange failed: No match in kex params 'mac-algorithms-cli2srv', our's: hmac-md5,hmac-sha1, peer's: hmac-sha2-256,hmac-sha2-512

at com.mindbright.ssh2.SSH2SimpleClient.init(SSH2SimpleClient.java:277)
at com.mindbright.ssh2.SSH2SimpleClient.init(SSH2SimpleClient.java:265)
at com.mindbright.ssh2.SSH2SimpleClient.<init>(SSH2SimpleClient.java:79)
at com.mindbright.util.SshConnection.login(SshConnection.java:100)
at com.aprisma.spectrum.scmd.JunoScript.login(JunoScript.java:466)
at com.aprisma.spectrum.scmd.JunoScript.mindtermCapture(JunoScript.java:172)
at com.aprisma.spectrum.scmd.JunoScript.capture(JunoScript.java:44)
at com.aprisma.spectrum.scmd.ScmServiceImpl.captureRunningConfigImpl(ScmServiceImpl.java:398)
at com.aprisma.spectrum.scmd.ScmServiceImpl.captureRunningConfigRun(ScmServiceImpl.java:222)
at com.aprisma.spectrum.scmd.ScmServiceImpl.access$000(ScmServiceImpl.java:31)
at com.aprisma.spectrum.scmd.ScmServiceImpl$1.run(ScmServiceImpl.java:1919)
at java.lang.Thread.run(Thread.java:745)

Here is the offending configuration:

ssh {
    root-login deny;
    protocol-version v2;
    max-sessions-per-connection 32;
    ciphers [ aes192-cbc aes192-ctr aes256-cbc aes256-ctr arcfour256 blowfish-cbc ];
    macs [ hmac-sha2-256 hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96 ];
    key-exchange [ ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256 group-exchange-sha2 dh-group14-sha1 ];
    client-alive-count-max 4;
    client-alive-interval 15;
    rate-limit 10;
}


If the SSH library is changed from Mindterm to JSch, then it will work. Is there any way to configure the ciphers, MACs, and key exchanges that are used by either SSH library?

Cause

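The key exchange is not supported: the Mindterm library and the device have no algorithm in common for one of the negotiated parameters. In the error above the failing parameter is 'mac-algorithms-cli2srv', where Mindterm offers hmac-md5,hmac-sha1 and the device offers hmac-sha2-256,hmac-sha2-512.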

Environment

Spectrum 10.x

Resolution

Change the SSH library from Mindterm to JSch per the instructions in the CA documentation:

Broadcom TechDocs : CA Spectrum 10.4 - NCM Support for SSH using Jsch libraries

Mindterm:
  • Supported Ciphers: AES (128, 192, 256), Blowfish, Twofish, Cast, 3DES, Arcfour (modes cbc, ctr and, for arcfour, ecb)

  • Key exchange support: Diffie-Hellman group-exchange protocol, Diffie-Hellman group1-sha1, Diffie-Hellman Elliptic Curve

  • Ability to generate key pairs for DSA, RSA and ECDSA

  • Supported macs: hmac-md5, hmac-sha1, hmac-sha1-96, hmac-md5-96, hmac-ripemd160 

JSch:
  • Cipher: blowfish-cbc,3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-ctr,arcfour,arcfour128,arcfour256

  • Key exchange: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521

  • MAC: hmac-md5, hmac-sha1, hmac-md5-96, hmac-sha1-96
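
The check below is an added example, not code from the original article or from CA Spectrum. It parses the Mindterm error quoted in the Issue section to report which negotiation parameter has no common algorithm, then applies the RFC 4253 rule (first client algorithm that the server also lists) to the JSch cipher list against the device's `ciphers` statement. Treating the order in which the article lists the JSch ciphers as the client's preference order is an assumption.

```python
import re

# Constructed sample: the NCMSERV.OUT error line quoted in this article.
LOG_LINE = (
    "com.mindbright.ssh2.SSH2FatalException: Key exchange failed: No match in "
    "kex params 'mac-algorithms-cli2srv', our's: hmac-md5,hmac-sha1, "
    "peer's: hmac-sha2-256,hmac-sha2-512"
)
# JSch cipher list as given in this article; its order being the client's
# preference order is an assumption.
JSCH_CIPHERS = ("blowfish-cbc,3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,"
                "aes192-ctr,aes256-ctr,3des-ctr,arcfour,arcfour128,arcfour256").split(",")
# Device side: the `ciphers` statement from the Junos config in this article.
DEVICE_CIPHERS = "aes192-cbc aes192-ctr aes256-cbc aes256-ctr arcfour256 blowfish-cbc".split()

KEX_ERROR = re.compile(
    r"No match in kex params '(?P<param>[^']+)', "
    r"our's: (?P<ours>\S+), peer's: (?P<peers>\S+)"
)

def parse_kex_failure(line):
    """Return (param, client_list, server_list), or None if the line is not this error."""
    m = KEX_ERROR.search(line)
    if m is None:
        return None
    return m["param"], m["ours"].split(","), m["peers"].split(",")

def negotiate(client, server):
    """RFC 4253 sec. 7.1 rule for cipher and MAC lists: first client entry the server also has."""
    return next((alg for alg in client if alg in server), None)

def diagnose(line):
    """Summarise a kex failure: the parameter, and what each side offers that the other lacks."""
    parsed = parse_kex_failure(line)
    if parsed is None:
        return None
    param, ours, peers = parsed
    return {
        "param": param,
        "chosen": negotiate(ours, peers),  # None means no common algorithm
        "client_only": [a for a in ours if a not in peers],
        "server_only": [a for a in peers if a not in ours],
    }

if __name__ == "__main__":
    print(diagnose(LOG_LINE))
    print("JSch cipher selected:", negotiate(JSCH_CIPHERS, DEVICE_CIPHERS))
```

Under the ordering assumption the first cipher match is blowfish-cbc, so the device's `ciphers` statement is what bounds the algorithm NCM sessions end up using.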