04-18-2023 07:04 AM
After upgrading the Cat8000V to IOS XE version 17.11.1a, CLI Analyzer can no longer connect.
The console shows:
"No matching mac found"
Screenshot attached
05-10-2023 01:33 AM
Adding some content to this after a discussion with Flemming:
Error message received:
May 10 08:26:09.700: %SSH-3-NO_MATCH: No matching mac found: client hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha2-256-96,hmac-sha2-512-96,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
From testing, we found that the latest IOS releases removed some old MAC algorithms, therefore CLI Analyzer doesn't connect anymore:
# IOS-XE 17.11.1a - KO
cube#show run all | inc ip ssh server algorithm mac
ip ssh server algorithm mac hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com
# IOS-XE 17.09.03a - OK
cube#show run all | inc ip ssh server algorithm mac
ip ssh server algorithm mac hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com hmac-sha2-256 hmac-sha2-512 hmac-sha1
Potential Workaround:
1) Add older versions of MAC algorithms back (might be INSECURE; be aware of the risk)
ip ssh server algorithm mac hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com hmac-sha2-256 hmac-sha2-512
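Added example, not part of the original posts and not Cisco's or CLI Analyzer's code: it parses the %SSH-3-NO_MATCH line quoted above and replays the MAC selection rule from RFC 4253 section 7.1 (the first algorithm on the client's list that the server also offers) against the three server configurations shown in this thread. The function names are hypothetical; the log line and config lines are copied from the posts.

```python
import re

# Log line as quoted in the thread (IOS-XE 17.11.1a rejecting the client).
LOG_LINE = (
    "May 10 08:26:09.700: %SSH-3-NO_MATCH: No matching mac found: "
    "client hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha2-256-96,"
    "hmac-sha2-512-96,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 "
    "server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com"
)
# Config lines as quoted in the thread.
CFG_17_09 = ("ip ssh server algorithm mac hmac-sha2-256-etm@openssh.com "
             "hmac-sha2-512-etm@openssh.com hmac-sha2-256 hmac-sha2-512 hmac-sha1")
CFG_WORKAROUND = ("ip ssh server algorithm mac hmac-sha2-256-etm@openssh.com "
                  "hmac-sha2-512-etm@openssh.com hmac-sha2-256 hmac-sha2-512")

NO_MATCH_RE = re.compile(
    r"%SSH-3-NO_MATCH: No matching mac found: "
    r"client (?P<client>\S+) server (?P<server>\S+)"
)
CFG_PREFIX = "ip ssh server algorithm mac "


def parse_no_match(line):
    """Return (client_macs, server_macs) in offered order, or None if no match."""
    m = NO_MATCH_RE.search(line)
    if m is None:
        return None
    return m["client"].split(","), m["server"].split(",")


def config_macs(config_line):
    """Extract the MAC names from an 'ip ssh server algorithm mac ...' line."""
    line = config_line.strip()
    if not line.startswith(CFG_PREFIX):
        raise ValueError("not an 'ip ssh server algorithm mac' line")
    return line[len(CFG_PREFIX):].split()


def negotiate(client_macs, server_macs):
    """RFC 4253 7.1: pick the first client algorithm the server also supports."""
    offered = set(server_macs)
    return next((alg for alg in client_macs if alg in offered), None)


if __name__ == "__main__":
    client, server = parse_no_match(LOG_LINE)
    print("17.11.1a default ->", negotiate(client, server))
    for cfg in (CFG_17_09, CFG_WORKAROUND):
        print(cfg, "->", negotiate(client, config_macs(cfg)))
```

With the workaround list, the selected MAC is hmac-sha2-256, so hmac-sha1 does not need to be re-enabled for this client.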
05-10-2023 05:31 AM
What about specifying the parameter?
ssh -m hmac-sha2-512-etm@openssh.com -A <someTargetServerNameOrIP>
05-11-2023 01:23 AM - edited 05-11-2023 01:24 AM
Version 3.7.0 is addressing this issue (released 10 May 2023):