Not able to take NSX backup using HostKeyAlgorithm "ecdsa-sha2-nistp384" or "ecdsa-sha2-nistp521"

Article ID: 402080

Updated On: 06-24-2025

Products

VMware NSX

Issue/Introduction

When you take an NSX backup, it fails with the error:

"Possible FIPS violation during a backup: Error negotiating with remote host: Unable to negotiate with <hostname> port 22: no matching host key type found. Their offer: <ecdsa-sha2-nistp384 (and/or) ecdsa-sha2-nistp521> (Error code: 29206)"

Environment

VMware NSX 4.2.0
VMware NSX 4.2.1

Cause

This is a known issue introduced in NSX 4.2.0: the backup client rejects the HostKeyAlgorithms ecdsa-sha2-nistp384 and ecdsa-sha2-nistp521 as a possible FIPS violation, even though both are documented as supported. An SFTP server whose only ECDSA host key uses the P-384 or P-521 curve therefore cannot negotiate a host key with NSX, and the backup fails with error code 29206.

Resolution

This issue is resolved in NSX 4.2.2.

Workaround:
Add an ECDSA host key on the P-256 curve (HostKeyAlgorithm "ecdsa-sha2-nistp256"), which NSX 4.2.0 and 4.2.1 still negotiate, to the SFTP server. Contact your backup server vendor for the exact commands; on an OpenSSH server the key is generated with:

# ssh-keygen -t ecdsa -b 256 -f /etc/ssh/ssh_host_ecdsa_key

For ECDSA keys, -b selects the curve (256, 384 or 521). If that file already exists it holds the current P-384/P-521 key, and overwriting it changes the host key that other SSH clients have pinned. Make sure sshd actually loads the new key (the default path above is loaded automatically unless sshd_config names host keys explicitly with HostKey directives, in which case add one for it), reload sshd, and update the SSH fingerprint stored in the NSX backup configuration to that of the key the server now presents.

Then attempt to trigger the backup again.
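The script below is an added example for this article, not VMware/Broadcom code or a vendor's procedure. It is meant to run on an OpenSSH-based SFTP server and does two things: it inspects ssh-keyscan output to tell whether the server offers a P-256 ECDSA host key at all (the check to run before changing anything), and it applies the workaround above: generates the P-256 key, adds a HostKey directive only when sshd_config already lists host keys explicitly, validates the configuration, reloads sshd and prints the fingerprint to enter in the NSX backup configuration. The paths, the environment variable names and the use of systemctl are assumptions; the keyscan lines used in the check are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example for this KB article; not VMware/Broadcom or vendor code.
# Assumptions: OpenSSH server, sshd_config at /etc/ssh/sshd_config, key path
# as in the KB command, sshd managed by systemctl (adjust the reload otherwise).

KEY_PATH="${KEY_PATH:-/etc/ssh/ssh_host_ecdsa_key}"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# Read ssh-keyscan output ("host algorithm base64key") on stdin and print the
# ECDSA host-key algorithms the server offers, one per line, sorted.
ecdsa_hostkey_algs() {
    awk '$2 ~ /^ecdsa-sha2-nistp/ { print $2 }' | sort -u
}

# Exit 0 if ecdsa-sha2-nistp256 is among the offered ECDSA host keys, the one
# ECDSA curve NSX 4.2.0/4.2.1 can still negotiate; exit 1 otherwise.
offers_nistp256() {
    ecdsa_hostkey_algs | grep -qx 'ecdsa-sha2-nistp256'
}

# Live check of a real server (needs network access and ssh-keyscan):
#   sh nsx_hostkey.sh check sftp.example.com && echo "P-256 offered"
check_server() {
    ssh-keyscan -t ecdsa "$1" 2>/dev/null | offers_nistp256
}

# Apply the KB workaround. For ECDSA keys ssh-keygen's -b selects the curve
# (256, 384 or 521). An existing file at KEY_PATH holds the current P-384/P-521
# key; replacing it changes the host key other clients have pinned, so refuse.
apply_workaround() {
    if [ -e "$KEY_PATH" ]; then
        echo "$KEY_PATH exists; move it aside or set KEY_PATH to a new file" >&2
        return 1
    fi
    ssh-keygen -t ecdsa -b 256 -N '' -f "$KEY_PATH"
    # With no HostKey directives sshd loads the default key paths, including
    # /etc/ssh/ssh_host_ecdsa_key, so nothing needs adding; once any HostKey
    # line is present sshd presents only the listed keys, so add this one.
    if grep -q '^HostKey ' "$SSHD_CONFIG" \
       && ! grep -qxF "HostKey $KEY_PATH" "$SSHD_CONFIG"; then
        printf 'HostKey %s\n' "$KEY_PATH" >> "$SSHD_CONFIG"
    fi
    sshd -t -f "$SSHD_CONFIG"      # validate before reloading
    systemctl reload sshd
    # SHA256 fingerprint of the new key: enter it as the SFTP server's SSH
    # fingerprint in the NSX backup configuration.
    ssh-keygen -lf "${KEY_PATH}.pub"
}

case "${1:-}" in
    check) check_server "$2" ;;
    apply) apply_workaround ;;
esac
```

Run `check` against the backup server first: if it prints nothing for ecdsa-sha2-nistp256 but shows nistp384 or nistp521, the server is in exactly the state the article describes. After `apply`, rerun `check` and then replace the fingerprint in the NSX backup configuration before triggering the backup.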

Additional Information

This issue is also resolved in NSX 9.0.0.

See also: VMware NSX "Backup" to SFTP server fails with FIPS violation.