Old ciphers not restored in CA PAM 3.3.1 or 3.3.2 after hotfix 01


Article ID: 187865


Updated On:


CA Privileged Access Manager (PAM)


Hotfix 01 has been applied to CA PAM 3.3.1 or 3.3.2 ( or respectively) to manage old Cisco devices with no support for newer ciphers.

The instructions in the hotfix readme were followed:

  •  Clear the Java caches (if connecting through the browser), or
  •  Restart the CA PAM Client and clear the client cache (if using this means to connect to CA PAM)

However, when trying to connect, the following error is still present:

Couldn't agree on kex algorithm (our: 'ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256', peer: 'diffie-hellman-group14-sha1')

The error need not be exactly this one; any similar message implies there is still a mismatch in the ciphers/kex algorithms supported by PAM and the remote device.
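
To read an error of this form quickly, the following added example (not part of the original article or of CA PAM) parses the message, lists which of the device's algorithms the client does not offer, and flags a device that offers only SHA-1 based algorithms. The function names and the assumption that other mismatch messages share this layout are hypothetical.

```python
import re

# Shape of the error quoted in this article. Assumption: other mismatch
# messages (cipher, MAC) from the same client follow the same layout.
NEGOTIATION_ERROR = re.compile(
    r"Couldn't agree on (?P<kind>[\w -]+?) "
    r"\(our: '(?P<ours>[^']*)', peer: '(?P<peer>[^']*)'\)"
)


def split_algorithms(csv):
    """Split a comma-separated algorithm list, dropping empty entries."""
    return [name.strip() for name in csv.split(",") if name.strip()]


def parse_negotiation_error(line):
    """Return a dict describing the mismatch, or None if the line is not one."""
    match = NEGOTIATION_ERROR.search(line)
    if match is None:
        return None
    ours = split_algorithms(match.group("ours"))
    peer = split_algorithms(match.group("peer"))
    return {
        "kind": match.group("kind"),
        "ours": ours,
        "peer": peer,
        "common": [a for a in ours if a in peer],
        "missing_on_our_side": [a for a in peer if a not in ours],
        "peer_sha1_only": bool(peer) and all(a.endswith("-sha1") for a in peer),
    }


# Constructed sample input: the message from this article plus an unrelated line.
SAMPLE_LINES = [
    "Connection to device opened",
    "Couldn't agree on kex algorithm (our: 'ecdh-sha2-nistp521,"
    "ecdh-sha2-nistp384,ecdh-sha2-nistp256,"
    "diffie-hellman-group-exchange-sha256', "
    "peer: 'diffie-hellman-group14-sha1')",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        result = parse_negotiation_error(line)
        if result and not result["common"]:
            print(f"No shared {result['kind']}; client does not offer: "
                  f"{', '.join(result['missing_on_our_side'])}")
            if result["peer_sha1_only"]:
                print("Peer offers only SHA-1 based algorithms (legacy device).")
```

An "our" list that still lacks the device's algorithm after the hotfix matches the situation this article describes.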


CA PAM 3.3.1 and 3.3.2


Even though clearing the Java cache or the CA PAM Client cache should suffice, sometimes this is not enough and the CA PAM client needs to be reinstalled:


  • Uninstall the client from the Control Panel (or delete it accordingly if working on Mac or Linux) and make sure it is completely uninstalled.
  • Reinstall it by connecting to CA PAM using the browser and downloading it from the initial screen.