cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1725
Views
0
Helpful
3
Replies

CLI Analyzer v 3.6.8 fails to connect to Cat8000v after upgrade

After upgrading the Cat8000V to ios XE version 17.11.1a, CLI Analyzer can no longer connect.

The console shows:

"No matching mac found"

Screenshot attached

fortvald
3 Replies 3

radrabik
Cisco Employee
Cisco Employee

Adding some content to this after a discussion with Flemming:

Error message received:

May 10 08:26:09.700: %SSH-3-NO_MATCH: No matching mac found: client hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha2-256-96,hmac-sha2-512-96,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com

From testing, we found that latest IOSes removed some old MAC algorithms therefore CLI analyzer doesn't connect anymore:

# IOS-XE 17.11.1a - KO

cube#show run all | inc ip ssh server algorithm mac
ip ssh server algorithm mac hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com

# IOS-XE 17.09.03a - OK

cube#show run all | inc ip ssh server algorithm mac
ip ssh server algorithm mac hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com hmac-sha2-256 hmac-sha2-512 hmac-sha1

 

Potential Workaround:

1) Add older versions of MAC algorithms back (might be UNSECURE and be aware of the risk)
ip ssh server algorithm mac hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com hmac-sha2-256 hmac-sha2-512

 

What about specifying the parameter?

 

 

ssh -m hmac-sha2-512-etm@openssh.com  -A <someTargetServerNameOrIP>

 

radrabik
Cisco Employee
Cisco Employee