ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Control Compliance Suite 11: Solaris 11 agent-less data collection fails: Couldn't agree a client-to-server cipher


Article ID: 157018


Updated On:


Control Compliance Suite Exchange Control Compliance Suite Unix Control Compliance Suite Windows


Targeting a Agent-less Solaris v11 x64 asset - an error shows for the data collection: Couldn't agree a client-to-server cipher.

Note:  agent and agent-less data collection from Oracle Solaris 11 assets is supported by the latest Symantec Control Compliance Suite 11 and 10.5.1 versions.


{Date Time},Unix Data Collector: query returned with message(s).,"{SOLARIS11_ASSET_HOST_NAME.EN_US}: Couldn't agree a client-to-server cipher (available: aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour)",Error,{SOLARIS11_ASSET_HOST_NAME.EN_US}:{IP_ADDRESS.EN_US},UNIX Machine,,



The ssh handshake attempt between CCS and the Solaris 11 system fails to agree on a cipher.

By default Solaris 11 only supports the following ciphers: aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour.

CCS requires 3des-cbc.



The current workaround is to add the "3des-cbc" to the list of accepted ciphers in the Solaris 11 sshd configuration file.


Step 1. Add the following line in /etc/ssh/sshd_config (We are adding 3des-cbc to the default ciphers)

    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour,3des-cbc

Step 2. Restart the sshd daemon on Solaris system.

    svcadm restart ssh

At this point the CCS agent-less data collection will work.


Applies To

Symantec Control Compliance Suite 10.5.1

Symantec Control Compliance Suite 11 GA

Oracle Solaris 11 (both X64 and SPARC)