Not able to take NSX backup using HostKeyAlgorithm "ecdsa-sha2-nistp384" or "ecdsa-sha2-nistp521"

Article ID: 402080

Products

VMware NSX

Issue/Introduction

When taking an NSX backup before or after an NSX upgrade, you see the error:

"Possible FIPS violation during a backup: Error negotiating with remote host: Unable to negotiate with <hostname> port 22: no matching host key type found. Their offer: <ecdsa-sha2-nistp384 (and/or) ecdsa-sha2-nistp521> (Error code: 29206)"

Example log entry:

2###-##-##T##:##:##.###Z <hostname> NSX ##### - [nsx@6876 comp="nsx-manager" subcomp="node-mgmt" username="root" level="ERROR" errorCode="NOD110"] REPEATS: 1 repeats in # sec: Cluster backup file copy operation failed due to 400 Bad Request#015#012Content-Type: application/json#015#012Content-Length: 254#015#012Vmw-Task-Id: ########-####-####-####-########_#######-####-####-####-#############015#012#015#012{"error_code": 36209, "error_message": "Error negotiating with remote host: Unable to negotiate with <hostname> port 22: no matching host key type found. Their offer: <ecdsa-sha2-nistp384 (and/or) ecdsa-sha2-nistp521>", "module_name": "node-services"}

Environment

VMware NSX 4.2.0
VMware NSX 4.2.1

Cause

This is a known issue introduced in NSX 4.2.0: the HostKeyAlgorithms ecdsa-sha2-nistp384 and ecdsa-sha2-nistp521 are still listed as supported, but the backup SSH negotiation no longer succeeds when the SFTP server offers only those key types.

Resolution

This issue is resolved in NSX 4.2.2.

Workaround:
Generate an ECDSA P-256 host key (HostKeyAlgorithm "ecdsa-sha2-nistp256") on the SFTP server (contact your backup server vendor for the exact commands). On an OpenSSH server the key is generated with:

# ssh-keygen -t ecdsa -b 256 -f /etc/ssh/ssh_host_ecdsa_key

Then trigger the backup again.
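As an added pre-flight check (example code written for this article, not VMware's own tooling; the hostname and the ssh-keyscan lines are constructed), the following script reports which ECDSA host key types an SFTP target offers and warns when ecdsa-sha2-nistp256 is missing, which is the condition that produces error 29206 on NSX 4.2.0/4.2.1:

```shell
#!/bin/sh
# Added example, not part of the KB article: check that the SFTP backup
# target offers an ecdsa-sha2-nistp256 host key, the ECDSA type that
# NSX 4.2.0/4.2.1 can still negotiate. Hostname and sample lines are constructed.

# check_offer: reads ssh-keyscan style lines ("host keytype base64key") on
# stdin, prints each host key type found and returns 0 only when an
# ecdsa-sha2-nistp256 key is among them.
check_offer() {
    found=1
    while read -r host keytype _; do
        case "$keytype" in
            '' | '#'*) continue ;;   # skip blank lines and keyscan comments
        esac
        printf '%s offers %s\n' "$host" "$keytype"
        [ "$keytype" = "ecdsa-sha2-nistp256" ] && found=0
    done
    return "$found"
}

# scan_sftp_host: live check against a real server (needs network access).
# If it fails, generate the P-256 key on the server as the KB describes
# (ssh-keygen -t ecdsa -b 256 -f /etc/ssh/ssh_host_ecdsa_key), make sure
# sshd_config loads it (HostKey /etc/ssh/ssh_host_ecdsa_key), restart sshd,
# then trigger the NSX backup again.
scan_sftp_host() {
    ssh-keyscan -t ecdsa "$1" 2>/dev/null | check_offer
}

# Constructed sample: a server that offers only P-384 and P-521 keys,
# i.e. exactly the situation behind error 29206 in the KB.
SAMPLE='sftp01.example.internal ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQ=
sftp01.example.internal ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjE='

if printf '%s\n' "$SAMPLE" | check_offer; then
    echo "OK: ecdsa-sha2-nistp256 offered; NSX 4.2.0/4.2.1 backup can negotiate"
else
    echo "WARNING: no ecdsa-sha2-nistp256 host key; expect error 29206 from NSX 4.2.0/4.2.1"
fi
```

Run scan_sftp_host with the SFTP server name from a host that can reach the backup target to check a real server.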

Additional Information

This issue is also resolved in NSX 9.0.0.

See also: VMware NSX "Backup" to SFTP server fails with FIPS violation.