<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Ansible ASA Incompatible ssh peer (no acceptable kex algorithm) in Controllers</title>
    <link>https://community.cisco.com/t5/controllers/ansible-asa-incompatible-ssh-peer-no-acceptable-kex-algorithm/m-p/4108383#M2053</link>
    <description>&lt;P&gt;Hi &lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/54916"&gt;@Claudia de Luna&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thank you, it has been a while since I was able to resume ansible.&amp;nbsp; Let me try your parameters and I will post the results shortly when I get a free moment.&amp;nbsp; The ASAs I am trying to connect to are 5545-X running 9.12(2) code.&lt;/P&gt;</description>
    <pubDate>Wed, 24 Jun 2020 00:29:37 GMT</pubDate>
    <dc:creator>Alex Nemeth</dc:creator>
    <dc:date>2020-06-24T00:29:37Z</dc:date>
    <item>
      <title>Ansible ASA Incompatible ssh peer (no acceptable kex algorithm)</title>
      <link>https://community.cisco.com/t5/controllers/ansible-asa-incompatible-ssh-peer-no-acceptable-kex-algorithm/m-p/4052237#M2051</link>
      <description>&lt;P&gt;I am trying to run this playbook (see below) to get some show commands off of our ASA systems.&amp;nbsp;&amp;nbsp; We googled and searched Stackoverflow and tried all the recommendations but no success.&amp;nbsp; When I run a raw command "ansible ASA -m -a "show vpn-session detail" -u rancid -k" it just hangs and I have to ctrl-c.&amp;nbsp; We tried every possible upgrade to ansible, python, paramiko and no luck.&amp;nbsp; We added cipher, kex etc. to the sshd_config and no luck.&amp;nbsp; I switched the connection: from local to network_cli and we cannot get this to run.&amp;nbsp; IOS based stuff works fine with playbooks and raw mode.&lt;/P&gt;&lt;P&gt;[root@ohsyslog1 ~]# ansible-playbook asa-stats-vpn-rev1.yml -u anemeth -k&lt;/P&gt;&lt;P&gt;SSH password:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;PLAY [Get_Stats] *************************************************************************************************************************&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;TASK [show_commands] *********************************************************************************************************************&lt;/P&gt;&lt;P&gt;fatal: [USCRL-AC1]: FAILED! 
=&amp;gt; {"msg": "Incompatible ssh peer (no acceptable kex algorithm)"}&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; to retry, use: --limit @/root/asa-stats-vpn-rev1.retry&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;PLAY RECAP *******************************************************************************************************************************&lt;/P&gt;&lt;P&gt;USCRL-AC1&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; : ok=0&amp;nbsp;&amp;nbsp;&amp;nbsp; changed=0&amp;nbsp;&amp;nbsp;&amp;nbsp; unreachable=0&amp;nbsp;&amp;nbsp;&amp;nbsp; failed=1&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;[root@ohsyslog1 ~]# cat asa-stats-vpn-rev1.yml&lt;/P&gt;&lt;P&gt;---&lt;/P&gt;&lt;P&gt;-&amp;nbsp; name: Get_Stats&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp; hosts: USCRL-AC1&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp; gather_facts: false&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp; connection: local&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp; tasks:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp; -&amp;nbsp; name: show_commands&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; asa_command:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; commands:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; -&amp;nbsp; show sh vpn-sessiondb detailed&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; -&amp;nbsp; show cpu 
detail&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; -&amp;nbsp; show memory&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; -&amp;nbsp; show interface outside&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; register:&amp;nbsp; print_output&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp; -&amp;nbsp; debug: var=print_output.stdout_lines&lt;/P&gt;</description>
      <pubDate>Wed, 25 Mar 2020 17:11:31 GMT</pubDate>
      <guid>https://community.cisco.com/t5/controllers/ansible-asa-incompatible-ssh-peer-no-acceptable-kex-algorithm/m-p/4052237#M2051</guid>
      <dc:creator>Alex Nemeth</dc:creator>
      <dc:date>2020-03-25T17:11:31Z</dc:date>
    </item>
    <item>
      <title>Re: Ansible ASA Incompatible ssh peer (no acceptable kex algorithm)</title>
      <link>https://community.cisco.com/t5/controllers/ansible-asa-incompatible-ssh-peer-no-acceptable-kex-algorithm/m-p/4052487#M2052</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/51453"&gt;@Alex Nemeth&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I just tried the playbook you shared on an old ASA in my lab running 8.2 code and it worked. &amp;nbsp; When I ssh to it I do have to provide the encryption method and cipher or I get the same error you note.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;PRE&gt;root@7ccc5784353b:/ansible_local# ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes256-cbc cisco@10.1.10.27&lt;/PRE&gt;&lt;P&gt;Have you tried setting ssh_args in your ansible.cfg file?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;PRE&gt;[ssh_connection]
ssh_args = -o Ciphers=+aes256-cbc&lt;/PRE&gt;&lt;P&gt;I did not have to do that; I could run the playbook successfully without the ssh_connection section (and with), but I'm trying to account for our different environments.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Here are the paramiko settings in my ansible.cfg file.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;PRE&gt;[paramiko_connection]
# http://docs.paramiko.org/en/2.4/api/client.html
# look_for_keys (bool) set to False to disable searching for discoverable private key files in ~/.ssh/
look_for_keys = False
# adds keys and saves them when connecting to a previously-unknown server &amp;lt;--Use with Caution!!!
host_key_auto_add = True
# This timer delay per command executed on remote host can be disabled by setting the value to zero
buffer_read_timeout = 2&lt;/PRE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Here is the playbook I tried:&lt;/P&gt;&lt;PRE&gt;root@7ccc5784353b:/ansible_local/cisco_ios# cat asa.yml
---

- name: Get_Stats

  hosts: asa
  gather_facts: false
  connection: local

  vars:
    playbook_name: "Query ASA"
    cli:
      host: "{{ inventory_hostname }}"
      username: "cisco"
      password: "cisco"
      authorize: yes
      auth_pass: "cisco"

  tasks:
    - name: show_commands
      asa_command:
        provider: "{{ cli }}"
        commands:
          -  show run
          -  show memory

      register:  print_output

    - debug: var=print_output.stdout_lines&lt;/PRE&gt;&lt;P&gt;Here is the output:&lt;/P&gt;&lt;PRE&gt;root@7ccc5784353b:/ansible_local/cisco_ios# ansible-playbook -i hosts asa.yml

PLAY [Get_Stats] ********************************************************************************************************************

TASK [show_commands] ****************************************************************************************************************
ok: [10.1.10.27]

TASK [debug] ************************************************************************************************************************
ok: [10.1.10.27] =&amp;gt; {
    "print_output.stdout_lines": [
        [
            ": Saved",
            ":",
            "ASA Version 8.2(3) ",
            "!",
            "hostname ********asa",
            "enable password 2KFQ encrypted",
            "passwd 2KFQ encrypted",
            "names",
            "!",
            "interface Ethernet0/0",
            "!",
            "interface Ethernet0/1",
            " shutdown",
            "!",
            "interface Ethernet0/2",
            " shutdown",
            "!",
            "interface Ethernet0/3",
            " shutdown",
            "!",
            "interface Ethernet0/4",
            " shutdown",
            "!",
            "interface Ethernet0/5",
            " shutdown",
            "!",
            "interface Ethernet0/6",
            " shutdown",
            "!",
            "interface Ethernet0/7",
            " shutdown",
            "!",
            "interface Vlan1",
            " nameif inside",
            " security-level 100",
            " ip address dhcp ",
            "!",
            "ftp mode passive",
            "pager lines 24",
            "mtu inside 1500",
            "icmp unreachable rate-limit 1 burst-size 1",
            "no asdm history enable",
            "arp timeout 14400",
            "timeout xlate 3:00:00",
            "timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02",
            "timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00",
            "timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00",
            "timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute",
            "timeout tcp-proxy-reassembly 0:01:00",
            "dynamic-access-policy-record DfltAccessPolicy",
            "aaa authentication ssh console LOCAL ",
            "no snmp-server location",
            "no snmp-server contact",
            "snmp-server enable traps snmp authentication linkup linkdown coldstart",
            "crypto ipsec security-association lifetime seconds 28800",
            "crypto ipsec security-association lifetime kilobytes 4608000",
            "telnet timeout 5",
            "ssh 10.0.0.0 255.0.0.0 inside",
            "ssh timeout 5",
            "ssh version 2",
            "console timeout 0",
            "",
            "threat-detection basic-threat",
            "threat-detection statistics access-list",
            "no threat-detection statistics tcp-intercept",
            "username admin password f3UhLvUj1QsXsuK7 encrypted",
            "username ******** password 3USUcOPFUiMCO4Jk encrypted privilege 15",
            "!",
            "class-map inspection_default",
            " match default-inspection-traffic",
            "!",
            "!",
            "policy-map type inspect dns preset_dns_map",
            " parameters",
            "  message-length maximum client auto",
            "  message-length maximum 512",
            "policy-map global_policy",
            " class inspection_default",
            "  inspect dns preset_dns_map ",
            "  inspect ftp ",
            "  inspect h323 h225 ",
            "  inspect h323 ras ",
            "  inspect ip-options ",
            "  inspect netbios ",
            "  inspect rsh ",
            "  inspect rtsp ",
            "  inspect skinny  ",
            "  inspect esmtp ",
            "  inspect sqlnet ",
            "  inspect sunrpc ",
            "  inspect tftp ",
            "  inspect sip  ",
            "  inspect xdmcp ",
            "!",
            "service-policy global_policy global",
            "prompt hostname context ",
            "call-home",
            " profile CiscoTAC-1",
            "  no active",
            "  destination address http https://tools.********.com/its/service/oddce/services/DDCEService",
            "  destination address email callhome@********.com",
            "  destination transport-method http",
            "  subscribe-to-alert-group diagnostic",
            "  subscribe-to-alert-group environment",
            "  subscribe-to-alert-group inventory periodic monthly",
            "  subscribe-to-alert-group configuration periodic monthly",
            "  subscribe-to-alert-group telemetry periodic daily",
            "Cryptochecksum:b0498b77f1b5fafefff5e6c19e",
            ": end"
        ],
        [
            "Free memory:       124301632 bytes (46%)",
            "Used memory:       144133824 bytes (54%)",
            "-------------     ----------------",
            "Total memory:      268435456 bytes (100%)"
        ]
    ]
}

PLAY RECAP **************************************************************************************************************************
10.1.10.27                 : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

root@7ccc5784353b:/ansible_local/cisco_ios#&lt;/PRE&gt;</description>
      <pubDate>Wed, 25 Mar 2020 21:56:24 GMT</pubDate>
      <guid>https://community.cisco.com/t5/controllers/ansible-asa-incompatible-ssh-peer-no-acceptable-kex-algorithm/m-p/4052487#M2052</guid>
      <dc:creator>Claudia de Luna</dc:creator>
      <dc:date>2020-03-25T21:56:24Z</dc:date>
    </item>
    <item>
      <title>Re: Ansible ASA Incompatible ssh peer (no acceptable kex algorithm)</title>
      <link>https://community.cisco.com/t5/controllers/ansible-asa-incompatible-ssh-peer-no-acceptable-kex-algorithm/m-p/4108383#M2053</link>
      <description>&lt;P&gt;Hi &lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/54916"&gt;@Claudia de Luna&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thank you, it has been a while since I was able to resume ansible.&amp;nbsp; Let me try your parameters and I will post the results shortly when I get a free moment.&amp;nbsp; The ASAs I am trying to connect to are 5545-X running 9.12(2) code.&lt;/P&gt;</description>
      <pubDate>Wed, 24 Jun 2020 00:29:37 GMT</pubDate>
      <guid>https://community.cisco.com/t5/controllers/ansible-asa-incompatible-ssh-peer-no-acceptable-kex-algorithm/m-p/4108383#M2053</guid>
      <dc:creator>Alex Nemeth</dc:creator>
      <dc:date>2020-06-24T00:29:37Z</dc:date>
    </item>
  </channel>
</rss>

