Backup to SFTP server fails in NSX for vSphere versions 6.3.5 through 6.4.x
Article ID: 339245
Updated On:
Products
VMware NSX for vSphere
Issue/Introduction
-
This article provides guidance with configuring an SFTP server to work with NSX backups.
-
In an NSX for vSphere 6.3.5 through 6.4.x environment, you experience these symptoms:
-
NSX Backup to SFTP Server fails
- Following error is reported in the NSX-V manager UI
-
unable to connect to server<Backup server>at 22. Either server details are invalid or invalid credentials are presented (permission denied).
-
- Checking the connectivity using specific MAC from the NSX manager to Backup server give the following error
-
#ssh -m hmac-sha2-256 -A <Backup server>Unable to negotiate with <Backup server> port 22: no matching MAC found. Their offer: hmac-sha2-512
-
-
Backup server logs may have the following error :
-
sshd[623341]: Connection from <NSX manager IP> port 59068 on <Backup server> port 22sshd[623341]: Unable to negotiate with <NSX manager IP> port 59068: no matching MAC found. Their offer: hmac-sha2-256,hmac-sha2-384 [preauth]
-
Environment
VMware NSX for vSphere
Cause
This issue occurs due to a Cipher/MAC algorithm configuration issue on the SFTP server.
Resolution
To resolve this issue, ensure to use the ciphers which are supported for SFTP backup in NSX 6.3.5 through 6.4.x
Supported ciphers in NSX-V:
Supported ciphers in NSX-V:
- Encryption: aes128-cbc, aes128-ctr, aes192-cbc, aes192-ctr, aes256-cbc, aes256-ctr
- Message Authentication(mac): hmac-sha2-256, hmac-sha2-384
- Key Exchanges: diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha384
- Compressions: none, zlib
To configure the sftp server CIPHER / MAC Algorithms:
- Edit the /etc/ssh/sshd_config file.
- sshd_config keywords Cipher and MACs need to be updated with the correct Cipher and MAC algorithms.
For example:
Ciphers aes128-cbc, aes128-ctr, aes192-cbc, aes192-ctr, aes256-cbc, aes256-ctr
MACs hmac-sha2-256, hmac-sha2-384
Feedback
Yes
No
Powered by
