CLI Analyzer v 3.6.8 fails to connect to Cat8000v after upgrade

Flemming Ortvald
Contributor

After upgrading the Cat8000V to IOS XE version 17.11.1a, CLI Analyzer can no longer connect.

The console shows:

"No matching mac found"

Screenshot attached

fortvald

radrabik
Cisco Employee

Adding some content to this after a discussion with Flemming:

Error message received:

May 10 08:26:09.700: %SSH-3-NO_MATCH: No matching mac found: client hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha2-256-96,hmac-sha2-512-96,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com

From testing, we found that the latest IOS releases removed some old MAC algorithms; therefore, CLI Analyzer doesn't connect anymore:

# IOS-XE 17.11.1a - KO

cube#show run all | inc ip ssh server algorithm mac
ip ssh server algorithm mac hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com

# IOS-XE 17.09.03a - OK

cube#show run all | inc ip ssh server algorithm mac
ip ssh server algorithm mac hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com hmac-sha2-256 hmac-sha2-512 hmac-sha1

 

Potential Workaround:

1) Add older versions of MAC algorithms back (might be INSECURE; be aware of the risk)
ip ssh server algorithm mac hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com hmac-sha2-256 hmac-sha2-512

 

What about specifying the parameter?

 

 

ssh -m hmac-sha2-512-etm@openssh.com  -A <someTargetServerNameOrIP>
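
The negotiation failure discussed in this thread, reproduced as an added example (not part of the original posts and not Cisco tooling): SSH selects the first MAC on the client's list that the server also lists (RFC 4253, section 7.1), so the script parses the %SSH-3-NO_MATCH line and checks the client's offer against each server MAC list quoted above. The function names and dictionary keys are chosen for this example.

```python
import re

# Log line copied from the thread above.
LOG_LINE = ("May 10 08:26:09.700: %SSH-3-NO_MATCH: No matching mac found: client "
            "hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha2-256-96,"
            "hmac-sha2-512-96,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 server "
            "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com")

ETM = "hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com"
PREFIX = "ip ssh server algorithm mac "

# Server MAC lines copied from the "show run all" output and the workaround above.
SERVER_CONFIGS = {
    "17.11.1a default": PREFIX + ETM,
    "17.09.03a default": PREFIX + ETM + " hmac-sha2-256 hmac-sha2-512 hmac-sha1",
    "workaround": PREFIX + ETM + " hmac-sha2-256 hmac-sha2-512",
}

NO_MATCH_RE = re.compile(
    r"%SSH-3-NO_MATCH: No matching mac found: client (\S+) server (\S+)")


def parse_no_match(line):
    """Return (client_macs, server_macs) from a %SSH-3-NO_MATCH log line."""
    m = NO_MATCH_RE.search(line)
    if not m:
        raise ValueError("not a %SSH-3-NO_MATCH mac line")
    return m.group(1).split(","), m.group(2).split(",")


def parse_config(line):
    """Return the MAC list from an 'ip ssh server algorithm mac ...' line."""
    if not line.startswith(PREFIX):
        raise ValueError("not an 'ip ssh server algorithm mac' line")
    return line[len(PREFIX):].split()


def negotiate(client, server):
    """RFC 4253 7.1: first name on the client's list that the server also lists."""
    allowed = set(server)
    return next((mac for mac in client if mac in allowed), None)


def report(log_line, configs):
    """Map each server config name to the MAC the logged client would get."""
    client, logged_server = parse_no_match(log_line)
    results = {"as logged": negotiate(client, logged_server)}
    for name, cfg in configs.items():
        results[name] = negotiate(client, parse_config(cfg))
    return results


if __name__ == "__main__":
    for name, mac in report(LOG_LINE, SERVER_CONFIGS).items():
        print(f"{name:18} -> {mac or 'NO MATCH'}")
```

The same `negotiate` call with a client list containing only `hmac-sha2-512-etm@openssh.com`, as in the `ssh -m` suggestion, matches the 17.11.1a default list without re-enabling any MAC on the server.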

 
