We have started deploying new Juniper gear with a new standard configuration. NCM cannot connect to these switches. We have determined that the problem is due to the macs, ciphers, and keyexes specified in the config. When we remove them from the config, NCM works again. Here is the error in NCMSERV.OUT:
com.mindbright.ssh2.SSH2FatalException: Key exchange failed: No match in kex params 'mac-algorithms-cli2srv', our's: hmac-md5,hmac-sha1, peer's: hmac-sha2-256,hmac-sha2-512
at com.mindbright.ssh2.SSH2SimpleClient.init(SSH2SimpleClient.java:277)
at com.mindbright.ssh2.SSH2SimpleClient.init(SSH2SimpleClient.java:265)
at com.mindbright.ssh2.SSH2SimpleClient.<init>(SSH2SimpleClient.java:79)
at com.mindbright.util.SshConnection.login(SshConnection.java:100)
at com.aprisma.spectrum.scmd.JunoScript.login(JunoScript.java:466)
at com.aprisma.spectrum.scmd.JunoScript.mindtermCapture(JunoScript.java:172)
at com.aprisma.spectrum.scmd.JunoScript.capture(JunoScript.java:44)
at com.aprisma.spectrum.scmd.ScmServiceImpl.captureRunningConfigImpl(ScmServiceImpl.java:398)
at com.aprisma.spectrum.scmd.ScmServiceImpl.captureRunningConfigRun(ScmServiceImpl.java:222)
at com.aprisma.spectrum.scmd.ScmServiceImpl.access$000(ScmServiceImpl.java:31)
at com.aprisma.spectrum.scmd.ScmServiceImpl$1.run(ScmServiceImpl.java:1919)
at java.lang.Thread.run(Thread.java:745)
Here is the offending configuration:
ssh {
    root-login deny;
    protocol-version v2;
    max-sessions-per-connection 32;
    ciphers [ aes192-cbc aes192-ctr aes256-cbc aes256-ctr arcfour256 blowfish-cbc ];
    macs [ hmac-sha2-256 hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96 ];
    key-exchange [ ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256 group-exchange-sha2 dh-group14-sha1 ];
    client-alive-count-max 4;
    client-alive-interval 15;
    rate-limit 10;
}
If the ssh library is changed from mindterm to jsch, then it will work. Is there any way to configure the ciphers, macs, and key exchanges that are used by either ssh library?
Spectrum
Change the ssh library from mindterm to jsch per the instructions in the CA documentation:
Broadcom TechDocs : DX NetOps Spectrum 23.3 - NCM Support for SSH using Jsch libraries
Mindterm: (screenshot not included in this text)
JSCH: (screenshot not included in this text)
If you see a MindBright authentication failure in the NCMSERV.OUT file, change the library to JSCH.
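The failure above is a plain SSH algorithm negotiation miss (RFC 4253 section 7.1: the first algorithm in the client's list that the server also offers wins, and an empty intersection aborts the key exchange). The following Python is an added example, not part of the knowledge article or of Spectrum: it parses the MindBright error line from NCMSERV.OUT, parses the bracketed lists of a Junos ssh stanza, and reports which categories a given client's offers can satisfy, so a device template can be checked before deployment. The error line and stanza embedded below are constructed from the text of this page; the client offer lists passed to the checker are assumptions, not the real MindTerm or JSch defaults.

```python
import re

# Constructed sample: the MindBright error line quoted on this page.
ERROR_LINE = ("com.mindbright.ssh2.SSH2FatalException: Key exchange failed: "
              "No match in kex params 'mac-algorithms-cli2srv', "
              "our's: hmac-md5,hmac-sha1, peer's: hmac-sha2-256,hmac-sha2-512")

# Constructed sample: the algorithm lists from the Junos ssh stanza on this page.
JUNOS_SSH_STANZA = """
ssh {
    ciphers [ aes192-cbc aes192-ctr aes256-cbc aes256-ctr arcfour256 blowfish-cbc ];
    macs [ hmac-sha2-256 hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96 ];
    key-exchange [ ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256 group-exchange-sha2 dh-group14-sha1 ];
}
"""

def negotiate(client_prefs, server_prefs):
    """RFC 4253 rule: first client-preferred algorithm that the server also lists, else None."""
    server = set(server_prefs)
    for alg in client_prefs:
        if alg in server:
            return alg
    return None

def parse_mindterm_error(line):
    """Return (kex parameter name, our list, peer list) from a MindBright 'No match' line."""
    m = re.search(r"No match in kex params '([^']+)', our's: ([^\s,]+(?:,[^\s,]+)*), peer's: (\S+)", line)
    if not m:
        return None
    return m.group(1), m.group(2).split(","), m.group(3).split(",")

def parse_junos_ssh_lists(stanza):
    """Return {keyword: [algorithms]} for the ciphers, macs and key-exchange lists in a Junos ssh stanza."""
    return {k: v.split() for k, v in re.findall(r"(ciphers|macs|key-exchange)\s*\[([^\]]*)\]", stanza)}

def check_client_against_device(client_offers, stanza):
    """client_offers: {keyword: [algorithms]} the SSH client proposes (assumed lists).
    Returns {keyword: chosen algorithm or None}; any None means the handshake will fail."""
    device = parse_junos_ssh_lists(stanza)
    return {k: negotiate(client_offers.get(k, []), device[k]) for k in device}

if __name__ == "__main__":
    name, ours, peers = parse_mindterm_error(ERROR_LINE)
    print(name, "->", negotiate(ours, peers))      # mac-algorithms-cli2srv -> None
    print(check_client_against_device({"macs": ours}, JUNOS_SSH_STANZA))
```

Feeding the `our's` list from a fresh NCMSERV.OUT error into `check_client_against_device` shows the same miss for the MAC category; a client that offers any hmac-sha2 MAC (as the article says JSch does) negotiates successfully.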