MINDTERM to ssh Firewall: Couldn't agree either on kex algorithm (our: 'ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-nistp521,diffie-hellman-group14-sha1', peer: 'diffie-hellman-group14-sha256') or host key algorithm (our: 'ssh-rsa', peer: 'ssh-rsa') 

Article ID: 262681


Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Even after upgrading PAM from 4.04 to version 4.1.2.01, SSH sessions via MindTerm to Cisco ASA routers that were moved from SHA-1 to SHA-2 still fail. When PAM's SSH access is used, the session immediately shows the following message and the connection is not allowed:

Couldn't agree either on kex algorithm (our: 'ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-nistp521,diffie-hellman-group14-sha1', peer: 'diffie-hellman-group14-sha256') or host key algorithm (our: 'ssh-rsa', peer: 'ssh-rsa') 

Adding the key exchange diffie-hellman-group14-sha256 under PAM Cryptography for SSH MindTerm did not resolve the issue either.

Environment

Release : 4.1.2

Cause

The logs show the client attempting a connection with TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and then disconnecting. The error message itself shows the mismatch: the MindTerm offer ends with diffie-hellman-group14-sha1 and contains no diffie-hellman-group14-sha256, while the peer offers only diffie-hellman-group14-sha256, so the two sides have no key exchange algorithm in common.

Resolution

The Cisco ASA router is using the key exchange diffie-hellman-group14-sha256.
Even though this key exchange is available in PAM 4.1.2, in this specific case it was still necessary to go to the encryption configuration under Configuration -> Security -> Cryptography -> SSH Mindterm and place diffie-hellman-group14-sha256 in front of all other key exchange algorithms.
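To check a MindTerm algorithm configuration against a device before changing it, the following added example (not CA/Broadcom or MindTerm code) parses the "Couldn't agree" message quoted above and applies the standard SSH negotiation rule from RFC 4253 section 7.1, where the first entry in the client's list that the server also lists wins. It assumes that standard rule; MindTerm's own matching may differ, which is consistent with this article's finding that the algorithm had to be placed first.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the MindTerm error quoted in this article.
MINDTERM_ERROR = (
    "Couldn't agree either on kex algorithm (our: 'ecdh-sha2-nistp384,"
    "ecdh-sha2-nistp256,ecdh-sha2-nistp521,diffie-hellman-group14-sha1', "
    "peer: 'diffie-hellman-group14-sha256') or host key algorithm "
    "(our: 'ssh-rsa', peer: 'ssh-rsa')"
)

# Matches each "<kind> algorithm (our: '...', peer: '...')" fragment.
_PAIR = re.compile(r"(kex|host key) algorithm \(our: '([^']*)', peer: '([^']*)'\)")


def split_name_list(name_list: str) -> List[str]:
    """Split an SSH comma-separated name-list, dropping empty entries."""
    return [n for n in name_list.split(",") if n]


def parse_mindterm_error(msg: str) -> Dict[str, Tuple[List[str], List[str]]]:
    """Return {'kex': (ours, peer), 'host key': (ours, peer)} from the message."""
    return {
        kind: (split_name_list(ours), split_name_list(peer))
        for kind, ours, peer in _PAIR.findall(msg)
    }


def negotiate(client: List[str], server: List[str]) -> Optional[str]:
    """RFC 4253 7.1: first client-preferred name that the server also offers."""
    for name in client:
        if name in server:
            return name
    return None  # no common algorithm: the session is torn down


def prefer(name_list: List[str], first: str) -> List[str]:
    """Place `first` at the front, as done in the Resolution for group14-sha256."""
    return [first] + [n for n in name_list if n != first]


def diagnose(msg: str) -> Dict[str, Optional[str]]:
    """Report which algorithm each side would agree on, or None on failure."""
    parsed = parse_mindterm_error(msg)
    return {kind: negotiate(ours, peer) for kind, (ours, peer) in parsed.items()}
```

Running diagnose on the quoted message reports a host key match on ssh-rsa but no kex match; reordering with prefer shows that the peer's diffie-hellman-group14-sha256 is selected once it is offered.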