Spectrum NCM SSH capture fails with "Algorithm negotiation fail"


Article ID: 279634


Updated On: 06-28-2024

Products

Network Observability Spectrum

Issue/Introduction

We are trying to run an NCM capture for a device family. Unfortunately, we are not able to use SSH from the Spectrum console.
However, we are able to SSH to the device from the NetOps Spectrum server.

When the capture is run, the NCM debug log displays the error below:

calling custom family jsch
CustomSSH jschcaptureconfig starting:
host: x.x.x.x
filename: / data/ Spectrum/NCM/cache/SCM_Ox231231
username :
password: xxxxxxxx
Exception occured : Algorithm negotiation fail
Session already closed
error status not equal to SUCESS
8523794
captureRunningConfigRun attempts down to: 0
in GRPC captureRunningconfig8523794

Environment

NetOps Spectrum up to 23.3.6

Cause

There is no match between the SSH algorithms offered by Spectrum and those offered by the device.

Up to and including 23.3.6, Spectrum uses jsch 0.1.55, which offers the following:

ecdh-sha2-nistp256,
ecdh-sha2-nistp384,
ecdh-sha2-nistp521,
diffie-hellman-group14-sha1,
diffie-hellman-group-exchange-sha256,
diffie-hellman-group-exchange-sha1,
diffie-hellman-group1-sha1
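
Because SSH from the Spectrum server itself works, the device's key exchange offer can be read from `ssh -vv` output there and compared with the jsch 0.1.55 list above. The following is an added example, not Spectrum or jsch code: the function names and the two debug excerpts are constructed for illustration, and it checks key exchange only.

```python
import re

# KEX algorithms jsch 0.1.55 offers (Spectrum up to 23.3.6), copied from this
# article. Treating the listed order as preference order is an assumption.
JSCH_0_1_55_KEX = [
    "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
    "diffie-hellman-group14-sha1", "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group-exchange-sha1", "diffie-hellman-group1-sha1",
]

# Constructed `ssh -vv` excerpts (OpenSSH debug format), not real device output.
MODERN_DEVICE_DEBUG = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256
"""
LEGACY_DEVICE_DEBUG = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group14-sha1
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
"""

def peer_kex_from_ssh_debug(debug_text):
    """Return the KEX list the device (server) proposed, or [] if not found."""
    in_peer = False
    for line in debug_text.splitlines():
        if "peer server KEXINIT proposal" in line:
            in_peer = True  # skip the local client's own proposal above this
        elif in_peer:
            m = re.search(r"KEX algorithms:\s*(\S+)", line)
            if m:
                return m.group(1).split(",")
    return []

def negotiate_kex(client_kex, server_kex):
    """First client algorithm the server also offers (RFC 4253, section 7.1).

    Host key compatibility, ciphers and MACs are not checked here.
    Returns None when there is no overlap, the "Algorithm negotiation fail" case.
    """
    offered = set(server_kex)
    return next((alg for alg in client_kex if alg in offered), None)

if __name__ == "__main__":
    for name, text in (("modern", MODERN_DEVICE_DEBUG), ("legacy", LEGACY_DEVICE_DEBUG)):
        device_kex = peer_kex_from_ssh_debug(text)
        print(name, device_kex, "->", negotiate_kex(JSCH_0_1_55_KEX, device_kex))
```

A result of None for a device means no key exchange algorithm is shared with jsch 0.1.55, which is the condition the Resolution section addresses.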

Resolution

  1. Upgrade to Spectrum 23.3.7, which uses jsch 0.2.16 and supports the following:
    diffie-hellman-group14-sha224@ssh.com
    diffie-hellman-group14-sha256@ssh.com
    diffie-hellman-group15-sha256@ssh.com
    diffie-hellman-group15-sha384@ssh.com
    diffie-hellman-group16-sha384@ssh.com
    diffie-hellman-group16-sha512@ssh.com
    diffie-hellman-group18-sha512@ssh.com
    diffie-hellman-group-exchange-sha224@ssh.com
    diffie-hellman-group-exchange-sha384@ssh.com
    diffie-hellman-group-exchange-sha512@ssh.com
    hmac-sha224@ssh.com
    hmac-sha256@ssh.com
    hmac-sha256-2@ssh.com
    hmac-sha384@ssh.com
    hmac-sha512@ssh.com
    ssh-rsa-sha224@ssh.com
    ssh-rsa-sha256@ssh.com
    ssh-rsa-sha384@ssh.com
    ssh-rsa-sha512@ssh.com
    ref:
    https://github.com/mwiede/jsch/blob/master/ChangeLog.md


  2. Modify device side configuration to offer at least one of the algorithms supported by your Spectrum.

Additional Information

NetOps Spectrum 23.3.7 added some properties to the $SPECROOT/NCM/config.xml file that enable the latest jsch JAR (introduced in this release) to support the deprecated Ciphers and Key Exchange (KEX) algorithms for successful device capture.
Refer to Updated config.xml to Support Deprecated Ciphers and KEX.