Backup to SFTP server fails in NSX for vSphere versions 6.3.5 through 6.4.x

Article ID: 339245

Products

VMware NSX

Issue/Introduction

This article provides guidance on configuring an SFTP server to work with NSX backups.

Symptoms:
In an NSX for vSphere 6.3.5 through 6.4.x environment, you experience these symptoms:
  • NSX Backup to SFTP Server fails
  • You see the error:

    unable to connect to server x.x.x.x at 22. Either server details are invalid or invalid credentials are presented (permission denied).


Environment

VMware NSX for vSphere 6.3.x
VMware NSX for vSphere 6.4.x

Cause

This issue occurs when the Cipher/MAC algorithms configured on the SFTP server do not match the algorithms NSX supports.

Running sshd on the SFTP server in debug mode (sshd -ddd) shows:

Connection from x.x.x.x port 45768 on x.x.x.x port 22
debug1: Client protocol version 2.0; client software version JSCAPE-2.0
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1


Error on MAC Algorithm:
 
no matching mac found: client hmac-sha2-256, hmac-sha2-384 server hmac-sha1 [preauth].

Resolution

To resolve this issue, ensure that the SFTP server uses the ciphers that are supported for SFTP backup in NSX 6.3.5 through 6.4.x.

Supported ciphers:

Encryption: aes128-cbc, aes128-ctr, aes192-cbc, aes192-ctr, aes256-cbc, aes256-ctr
Message Authentication (MAC): hmac-sha2-256, hmac-sha2-384
Key Exchanges: diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha384
Compressions: none, zlib



To configure the Cipher / MAC algorithms on the SFTP server:
  1. Edit the /etc/ssh/sshd_config file.
  2. Update the sshd_config keywords Ciphers and MACs with the correct Cipher and MAC algorithms. Each list is comma-separated with no spaces.

    For example:

    Ciphers aes128-cbc,aes128-ctr,aes192-cbc,aes192-ctr,aes256-cbc,aes256-ctr
    MACs hmac-sha2-256,hmac-sha2-384
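
To check the result before retrying the backup, the effective settings printed by sshd -T can be compared with the supported list above. The script below is an added example, not part of the original article or of NSX; the function names overlap and nsx_sftp_check are hypothetical, and the sample input at the end is constructed to mirror the hmac-sha1-only server shown in the debug output.

```shell
#!/bin/sh
# Added example. Usage on the SFTP server (as root): sshd -T | nsx_sftp_check
# Algorithm lists copied from the "Supported ciphers" section of this article.
NSX_CIPHERS="aes128-cbc,aes128-ctr,aes192-cbc,aes192-ctr,aes256-cbc,aes256-ctr"
NSX_MACS="hmac-sha2-256,hmac-sha2-384"
NSX_KEX="diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha384"

# overlap SERVER_LIST NSX_LIST: print the comma-separated names present in both.
# Matching is on whole names, so hmac-sha2-256-etm@openssh.com != hmac-sha2-256.
overlap() {
    out=""; old_ifs=$IFS; IFS=,
    for alg in $1; do
        case ",$2," in
            *",$alg,"*) out="${out:+$out,}$alg" ;;
        esac
    done
    IFS=$old_ifs
    printf '%s' "$out"
}

# nsx_sftp_check: read `sshd -T` output on stdin, print one line per category.
# Returns 0 only when ciphers, macs and kexalgorithms each share a name with NSX.
nsx_sftp_check() {
    rc=0; seen=""
    while read -r key value; do
        case "$key" in
            ciphers)       want=$NSX_CIPHERS ;;
            macs)          want=$NSX_MACS ;;
            kexalgorithms) want=$NSX_KEX ;;
            *) continue ;;
        esac
        seen="$seen $key"
        common=$(overlap "$value" "$want")
        if [ -n "$common" ]; then
            echo "OK   $key: $common"
        else
            echo "FAIL $key: server offers none of $want"
            rc=1
        fi
    done
    for key in ciphers macs kexalgorithms; do
        case " $seen " in *" $key "*) ;; *) echo "FAIL $key: not in input"; rc=1 ;; esac
    done
    return $rc
}

# Constructed sample: a server whose only MAC is hmac-sha1, as in the Cause section.
printf 'ciphers aes128-ctr,aes256-ctr\nmacs hmac-sha1\nkexalgorithms diffie-hellman-group-exchange-sha256\n' |
    nsx_sftp_check || echo "NSX backup would fail to negotiate with this server"
```

A FAIL line for any category means the SSH handshake from NSX cannot complete, which NSX reports as the permission-denied error shown under Symptoms.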