Spectrum fails to capture config using ssh connection on Cisco devices running 17.6.5 ios and older

Article ID: 230819

Updated On: 06-28-2024

Products

Spectrum Network Observability

Issue/Introduction

We have discovered a problem with connecting to new Cisco Catalyst L3 devices from the Spectrum OneClick console. Normally we can right-click on the device and open a secure shell connection to it. However, we have found that the connection to the new device is closed after failing authentication.

We can see from the log on the device that the ssh connection failed to negotiate a common SSH2 MAC algorithm for the connection. This newer device only allows hmac-sha2-256, hmac-sha2-512, hmac-sha2-256-etm@openssh.com and hmac-sha2-512-etm@openssh.com.

Is there a way to add these newer, more secure MAC algorithms into Spectrum, to allow this connection?

Will a later version of Spectrum have a different range of SSH MACs?

Cause

Cisco devices running older IOS versions, such as 17.6.5, use the MACs hmac-sha2-512 and hmac-sha2-256, while devices running 17.12.3 use the encryption algorithms aes256-ctr, aes256-gcm, aes192-ctr, aes128-gcm and aes128-ctr.

Resolution

 

Add the updated ciphers to the ssh_config file.

1. From a bash prompt, navigate to /etc/. The file location is:

   On Windows: C:\win32app\Spectrum\NT-Tools\SRE\etc\ssh_config
   On Linux: /etc/ssh_config

2. Open the file in an editor: vi /etc/ssh_config
3. Add the MACs to the MACs line (if the line is commented out with #, uncomment it).

4. Update the config on the device to have the MAC and encryption algorithms:

   ip ssh server algorithm mac hmac-sha2-512 hmac-sha2-256
   ip ssh server algorithm encryption aes256-ctr aes256-gcm aes192-ctr aes128-gcm aes128-ctr

 

If using jsch, upgrade to NetOps Spectrum 22.2.7 or greater, as the jsch library was updated to support hmac-sha2.

Additional Information

With regards to the use of sha1 by NCM:

From the logs, the server replies that it supports strong algorithms such as hmac-sha2-256 and hmac-sha2-512, while we are using only hmac-sha1. The reason is that the jsch library we are using supports only hmac-sha1 and hmac-sha1-96. Presently, the jsch version that we are using is 1.54. Fortunately, jsch added support for hmac-sha2-256 in version 1.55.

Spectrum has upgraded jsch to 1.55 as part of Spectrum 22.2.7 so this issue will no longer occur from release 22.2.7 onwards.

To troubleshoot the SSH handshake:

From the SpectroServer bash prompt, try to connect to the device in debug mode using the command below.
          ssh -vvv <username>@<problematic IP>
This prints the handshake debug output, which shows exactly why the connection is failing.
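
When negotiation fails, the last line of the ssh output names the algorithm class that failed and lists the device's offer. The script below is an added example, not part of the original article or of Spectrum: it parses a constructed sample of that line and checks the offer against a client list; the function names, the sample line and the address 192.0.2.10 are assumptions.

```shell
#!/bin/sh
# Added example: explain a failed SSH algorithm negotiation from the client side.
# All sample data is constructed; 192.0.2.10 is a documentation address.

# Constructed sample of the line OpenSSH prints when no MAC is shared.
SAMPLE_ERR='Unable to negotiate with 192.0.2.10 port 22: no matching MAC found. Their offer: hmac-sha2-512,hmac-sha2-256'

# Client MAC list as the article describes the older jsch client (SHA-1 only).
OLD_CLIENT_MACS='hmac-sha1,hmac-sha1-96'

# failed_kind <error-line>: print the algorithm class that failed (MAC, cipher, ...).
failed_kind() {
    printf '%s\n' "$1" | sed -n 's/.*no matching \(.*\) found\. Their offer:.*/\1/p'
}

# their_offer <error-line>: print the device's comma-separated offer.
their_offer() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: *//p'
}

# common_algs <client-list> <server-list>: print names present in both lists,
# in client preference order. Whole names are compared, so hmac-sha2-256 does
# not match hmac-sha2-256-etm@openssh.com. Empty output means no overlap.
common_algs() {
    out=''
    old_ifs=$IFS; IFS=','
    for alg in $1; do
        case ",$2," in
            *",$alg,"*) out="${out:+$out,}$alg" ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# explain <error-line> <client-list>: one-line verdict for the operator.
explain() {
    kind=$(failed_kind "$1"); offer=$(their_offer "$1")
    shared=$(common_algs "$2" "$offer")
    if [ -n "$shared" ]; then
        echo "$kind: usable -> $shared"
    else
        echo "$kind: no overlap; device offers: $offer"
    fi
}

explain "$SAMPLE_ERR" "$OLD_CLIENT_MACS"
```

On a real host, pass the output of ssh -Q mac joined with commas (ssh -Q mac | paste -sd, -) as the client list to see which of the device's MACs the installed OpenSSH client can use.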