Cisco 9300 - %SSH-3-NO_MATCH: No matching mac found on client

Hello Everyone,

 

We are seeing "No matching mac found" on the Cisco 9300 switch. We also noticed that this alert triggers every day around 2:15 - 2:45 UTC; we do not see it at any other time. What could be the reason?

 

How can we stop this alert?

 

We have regenerated the RSA keys, but no luck.

 

cisco 9300(config)#crypto key generate rsa

% You already have RSA keys defined named cisco 9300.xx.com.

% Do you really want to replace them? [yes/no]: n

cisco 9300(config)#crypto key generate rsa

% You already have RSA keys defined named cisco 9300.xx.com.

% Do you really want to replace them? [yes/no]: y

Choose the size of the key modulus in the range of 512 to 4096 for your

  General Purpose Keys. Choosing a key modulus greater than 512 may take

  a few minutes.

 

How many bits in the modulus [1024]: 2048

% Generating 2048 bit RSA keys, keys will be non-exportable...

[OK] (elapsed time was 0 seconds)

 

009977: *Oct 16 02:28:05.317 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
009978: *Oct 16 02:28:05.374 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
009980: *Oct 16 02:32:16.037 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
009981: *Oct 16 02:32:16.093 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
010266: *Oct 17 02:12:39.506 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
010267: *Oct 17 02:12:39.564 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
010269: *Oct 17 02:16:56.868 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
010270: *Oct 17 02:16:56.924 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
010561: *Oct 18 02:27:45.392 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
010562: *Oct 18 02:27:45.449 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
010564: *Oct 18 02:31:55.176 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
010565: *Oct 18 02:31:55.233 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
010866: *Oct 19 02:28:01.585 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
010867: *Oct 19 02:28:01.644 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
010869: *Oct 19 02:32:12.233 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
010870: *Oct 19 02:32:12.291 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512

 

Regards,

Chandhuru

Thanks and regards, Chandhuru.M
Accepted Solutions

Hello Everyone,

 

For this issue, we identified that the 9K switches are using strong MAC algorithms such as SHA2-256 and SHA2-512 for security reasons.

 

Access to the switch with a weak algorithm such as SHA1 or other low ciphers is not allowed; it gets denied, so we get these alerts.

 

Solution:

We need to either ignore those alerts or identify the clients using low ciphers and ask them to use high ciphers. There is no fix from the 9K switch end, since this is for security reasons.

 

Hope it helps. Please rate my solution.

Thanks and regards, Chandhuru.M


marce1000
VIP

 

 - Seems like a remote ssh-client tries to connect with no matching ciphers; verify if this source is valid, and if not, block it.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Thanks for your reply Marce!!!

 

We couldn't see the source MAC. Is there any way to find it out?

Thanks and regards, Chandhuru.M

Any update ???

Thanks and regards, Chandhuru.M

 

 - You should block the offending IP address of the incoming ssh-connection.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

I get that error when attempting to ssh to my new 9606 core (secondary) from the primary 6807-XL. So it's not as simple as blocking that IP, which is not a good solution.


pgasparovic
Level 1

It is a shame that even in 2024 Cisco, on its SCM file server, does not support newer/safer standards, so I just fail at SSHing to it from cEdge (IOS XE SDWAN) platforms, getting this:

Branch5-2#copy bootflash: scp: vrf Mgmt-intf
Source filename [/vmanage-admin/Branch5-2-20240117-231506-admin-tech.tar.gz]?
Address or name of remote host []? 173.37.151.76
Destination username [admin]? <my SR#>
Destination filename [Branch5-2-20240117-231506-admin-tech.tar.gz]?
Writing Branch5-2-20240117-231506-admin-tech.tar.gz
%Error writing scp://*@173.37.151.76/Branch5-2-20240117-231506-admin-tech.tar.gz (Undefined error)
Branch5-2#
Jan 17 23:07:31.593: scp_write_process : User Supplied port ()
Jan 17 23:07:31.593: scp_write_process : Connecting on port (22)
Jan 17 23:07:31.844: SSH CLIENT1: protocol version id is - SSH-2.0-SFTPPlus
Jan 17 23:07:31.844: SSH CLIENT1: protocol version exchange successful
Jan 17 23:07:31.845: %SSH-3-NO_MATCH: No matching mac found: client hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com server hmac-sha2-512,hmac-sha2-256,hmac-sha1
Jan 17 23:07:31.845: SSH CLIENT1: key exchange failure (code = 0)
Jan 17 23:07:31.845: SSH2 CLIENT 1: Failed to unqueue conn from list CONN 1 TTY 435
Jan 17 23:07:31.845: SSH CLIENT1: Session disconnected - error 0x00

BR

Peter

marinogr
Level 1

I had the same problem after upgrading to IOS XE 17.12.03.

I reconfigured the ssh server algorithms and now it works:

Example:

ip ssh server algorithm mac hmac-sha2-256 hmac-sha2-512
ip ssh server algorithm encryption aes256-gcm aes256-cbc

It supports:

(config)#ip ssh server algorithm encryption ?
3des-cbc Three-key 3DES in CBC mode
aes128-cbc AES with 128-bit key in CBC mode
aes128-ctr AES with 128-bit key in CTR mode
aes128-gcm AES with 128-bit key GCM mode
aes128-gcm@openssh.com AES with 128-bit key GCM openssh mode
aes192-cbc AES with 192-bit key in CBC mode
aes192-ctr AES with 192-bit key in CTR mode
aes256-cbc AES with 256-bit key in CBC mode
aes256-ctr AES with 256-bit key in CTR mode
aes256-gcm AES with 256-bit key GCM mode
aes256-gcm@openssh.com AES with 256-bit key GCM openssh mode
chacha20-poly1305@openssh.com chacha20 cipher with poly1305 mac

 

(config)#ip ssh server algorithm mac ?
hmac-sha1 HMAC-SHA1 (digest length = 160 bits,key length = 160 bits)
hmac-sha2-256 HMAC-SHA2-256 (digest length = 256 bits, key length = 256 bits)
hmac-sha2-256-etm@openssh.com HMAC-SHA2-256-ETM (digest length = 256 bits, key length = 256 bits)
hmac-sha2-512 HMAC-SHA2-512 (digest length = 512 bits, key length = 512 bits)
hmac-sha2-512-etm@openssh.com HMAC-SHA2-512-ETM (digest length = 512 bits, key length = 512 bits)
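To make the negotiation behind these messages concrete, here is a small added Python helper (my own code, not from Cisco or from anyone in this thread) that parses the %SSH-3-NO_MATCH lines quoted above, applies the RFC 4253 selection rule to show why no MAC is chosen, reports which side is stuck on legacy algorithms (so you know whether the client or the server needs the change marinogr made), and buckets the events by UTC hour to expose a scheduled client such as the one behind the OP's 02:xx pattern. The LEGACY_MACS set is my assumption, not a Cisco list.

```python
import re
from collections import Counter

# Syslog line shape quoted in this thread; the "NNNNNN: *" prefix and " UTC" are
# optional so the OP's switch-side lines and Peter's client-side debug line both parse.
_NO_MATCH = re.compile(
    r"(?P<ts>\w{3} +\d{1,2} (?P<hour>\d{2}):\d{2}:\d{2})\.\d+(?: UTC)?: %SSH-3-NO_MATCH: "
    r"No matching mac found: client (?P<client>\S+) server (?P<server>\S+)")

# Treated as legacy here; the exact cut-off is site policy (my assumption, not the thread's).
LEGACY_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96", "hmac-ripemd160"}

def negotiate(client, server):
    """RFC 4253 s7.1: use the first MAC in the client's list that the server also supports."""
    return next((alg for alg in client if alg in server), None)

def diagnose(line):
    """Parse one NO_MATCH event and report which side has to change (None if not one)."""
    m = _NO_MATCH.search(line)
    if not m:
        return None
    client, server = m["client"].split(","), m["server"].split(",")
    return {
        "timestamp": m["ts"],
        "negotiated": negotiate(client, server),          # None on every NO_MATCH line
        "client_legacy_only": all(a in LEGACY_MACS for a in client),
        "server_legacy_only": all(a in LEGACY_MACS for a in server),
        # what the client would need to offer to connect without weakening the server
        "acceptable_on_server": [a for a in server if a not in LEGACY_MACS],
    }

def failures_by_hour(lines):
    """Count events per UTC hour; one busy slot (02:xx for the OP) suggests a scheduled job."""
    return Counter(m["hour"] for m in map(_NO_MATCH.search, lines) if m)

# Sample input copied from this thread: two OP lines (switch side) and Peter's cEdge line.
SAMPLE_LOG = [
    "009977: *Oct 16 02:28:05.317 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512",
    "010266: *Oct 17 02:12:39.506 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512",
    "Jan 17 23:07:31.845: %SSH-3-NO_MATCH: No matching mac found: client hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com server hmac-sha2-512,hmac-sha2-256,hmac-sha1",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(diagnose(entry))
    print(failures_by_hour(SAMPLE_LOG))
```

For the OP's lines the client offers only legacy MACs, so the client has to be updated; for Peter's line neither side is legacy-only, the lists simply do not overlap, which is the case where adding algorithms on one side (as marinogr did on the server) resolves it.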

Thanks! That resolved my issue.
