Unable to log in to ProxySG or Advanced Secure Gateway appliance through SSH

Article ID: 169321

Products

  • Advanced Secure Gateway Software - ASG
  • ProxySG Software - SGOS

Issue/Introduction

When attempting an SSH connection to the ProxySG or Advanced Secure Gateway (ASG) appliances, you receive a message stating that no ciphers or HMACs are found. The wording of the message depends on the SSH client in use. The following are examples of what the message might look like:

  • Unable to negotiate with <IP_address> port 22: no matching cipher found. Their offer: <list>
  • Unable to negotiate with <IP_address> port 22: no matching MAC found. Their offer: <list>
  • Couldn't agree a client-to-server cipher. available: 
  • Fatal error. No matching mac found: client <list> server

The issue is also recorded in the event log.

Cause

The ProxySG appliance's current cipher list or current HMACs list is empty for one of the following reasons:

  • The appliance and the SSH client have no ciphers/HMACs in common. This usually occurs if an older client is attempting to connect to a newer version of SGOS, and may be more likely to occur if the appliance is running in FIPS mode. See Resolution 1 below.
  • You upgraded to SGOS 6.7.x or later, which removes deprecated ciphers and HMACs, and the supported ciphers/HMACs had already been removed from the list before the upgrade. For details on this behavior change, refer to the SGOS Upgrade/Downgrade WebGuide and the SGOS Release Notes for version 6.7.x. See Resolution 2 below.
  • All of the ciphers or HMACs were manually removed from the current list. Doing so would have resulted in the CLI warning you that SSH connections might fail. For example, removing the last cipher through the CLI or the Management Console displays the message, "WARNING: last cipher is being removed, SSH clients may not function properly after this removal". See Resolution 2 below.
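To tell which cause applies from the client-side message, the following added example (not Symantec/Broadcom code) parses the OpenSSH-style "Unable to negotiate" line quoted above and compares the appliance's offer with the algorithms the client supports. The function name, verdict labels, sample address and sample algorithm set are assumptions made for illustration; an empty offer is read as the empty-list cause described in this section.

```python
import re

# OpenSSH client wording quoted in this article; other clients word it differently.
NEGOTIATION_RE = re.compile(
    r"Unable to negotiate with (?P<host>\S+) port (?P<port>\d+): "
    r"no matching (?P<kind>cipher|MAC) found\. Their offer:(?P<offer>.*)"
)

def diagnose(error_line, client_supported):
    """Classify one negotiation failure (hypothetical helper, not an SGOS tool).

    client_supported: algorithm names the local client build supports, e.g. the
    output of `ssh -Q cipher` or `ssh -Q mac` split into a set.
    Returns None if the line is not a cipher/MAC negotiation failure.
    """
    m = NEGOTIATION_RE.search(error_line.strip())
    if m is None:
        return None
    offer = [a.strip() for a in m.group("offer").split(",") if a.strip()]
    common = [a for a in offer if a in client_supported]
    if not offer:
        # Appliance offered nothing: its current list is empty (Resolution 2).
        verdict = "appliance-list-empty"
    elif not common:
        # Nothing offered is known to this client build (Resolution 1).
        verdict = "no-common-algorithm"
    else:
        # The client build knows an offered algorithm but did not propose it.
        verdict = "supported-but-not-proposed"
    return {"host": m.group("host"), "kind": m.group("kind").lower(),
            "offer": offer, "common": common, "verdict": verdict}

# Constructed sample input (192.0.2.10 is a documentation address, not from the article).
SAMPLE_CLIENT_CIPHERS = {"aes128-ctr", "aes256-ctr", "aes128-cbc"}
PREFIX = "Unable to negotiate with 192.0.2.10 port 22: no matching cipher found. Their offer: "
SAMPLE_LINES = [
    PREFIX,                             # empty offer
    PREFIX + "aes256-gcm@openssh.com",  # offer unknown to the sample client
    PREFIX + "aes128-cbc,3des-cbc",     # offer partly known to the sample client
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(diagnose(line, SAMPLE_CLIENT_CIPHERS))
```
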

Resolution

Resolution 1 - Update the SSH Client

If the appliance is running in FIPS mode, or if you determine that the SSH client is outdated, update the SSH client. Refer to the SSH client documentation if needed.

Resolution 2 - Add Supported Ciphers/HMACs

Log in to the Management Console to add at least one supported cipher or HMAC. You can also restore the default list.

To add ciphers:

  1. In the Management Console, select Configuration > Authentication > SSH Inbound Connections.
  2. Click SSH Ciphers Inbound.
  3. Select ciphers in the Available list to add specific ones, or click Revert to Default to restore the default list.
  4. Click Apply to save changes.
To add HMACs:

  1. In the Management Console, select Configuration > Authentication > SSH Inbound Connections.
  2. Click SSH HMACs Inbound.
  3. Select HMACs in the Available list to add specific ones, or click Revert to Default to restore the default list.
  4. Click Apply to save changes.