18529 Views | 5 Helpful | 7 Replies

Cisco 9300 - %SSH-3-NO_MATCH: No matching mac found on client

Hello Everyone,

 

We are seeing "No matching mac found" on the Cisco 9300 switch. We also noticed that this alert triggers every day around 02:15 - 02:45 UTC and at no other time. What could be the reason?

 

How can we stop this alert?

 

We have regenerated the RSA keys, but no luck.

 

cisco 9300(config)#crypto key generate rsa
% You already have RSA keys defined named cisco 9300.xx.com.
% Do you really want to replace them? [yes/no]: n
cisco 9300(config)#crypto key generate rsa
% You already have RSA keys defined named cisco 9300.xx.com.
% Do you really want to replace them? [yes/no]: y
Choose the size of the key modulus in the range of 512 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [1024]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)

 

009977: *Oct 16 02:28:05.317 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
009978: *Oct 16 02:28:05.374 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
009980: *Oct 16 02:32:16.037 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
009981: *Oct 16 02:32:16.093 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
010266: *Oct 17 02:12:39.506 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
010267: *Oct 17 02:12:39.564 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
010269: *Oct 17 02:16:56.868 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
010270: *Oct 17 02:16:56.924 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
010561: *Oct 18 02:27:45.392 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
010562: *Oct 18 02:27:45.449 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
010564: *Oct 18 02:31:55.176 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
010565: *Oct 18 02:31:55.233 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
010866: *Oct 19 02:28:01.585 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
010867: *Oct 19 02:28:01.644 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
010869: *Oct 19 02:32:12.233 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
010870: *Oct 19 02:32:12.291 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512

 

Regards,

Chandhuru

Thanks and regards, Chandhuru.M
Accepted Solution

Hello Everyone,

 

For this issue, we identified that the 9K switches are using high ciphers like SHA2-256 and SHA2-512 for security reasons.

 

Access to the switch with a low cipher like SHA1 or other low ciphers is not allowed; it gets denied, so we are getting these alerts.

 

Solution:

We need to either ignore those alerts or identify the low-cipher clients and ask them to use high ciphers. There is no fix from the 9K switch end, since this is for security reasons.

 

Hope it helps. Please rate my solution.

Thanks and regards, Chandhuru.M


7 Replies

marce1000 (VIP)

 

 - It seems like a remote SSH client is trying to connect with no matching ciphers. Verify whether this source is valid; if not, block it.

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Thanks for your reply Marce!!!

 

We couldn't see the source MAC. Is there any way to find it out?

Thanks and regards, Chandhuru.M

Any update ???

Thanks and regards, Chandhuru.M

 

 - You should block the offending IP address of the incoming SSH connection.

 M.




I get that error when attempting to SSH to my new 9606 core (secondary) from the primary 6807-XL. So it's not as simple as blocking that IP, which is not a good solution.


pgasparovic (Level 1)

It is a shame that even in 2024 Cisco's SCM file server does not support newer/safer standards, so I just fail at SSHing to it from cEdge (IOS XE SD-WAN) platforms, getting this:

Branch5-2#copy bootflash: scp: vrf Mgmt-intf
Source filename [/vmanage-admin/Branch5-2-20240117-231506-admin-tech.tar.gz]?
Address or name of remote host []? 173.37.151.76
Destination username [admin]? <my SR#>
Destination filename [Branch5-2-20240117-231506-admin-tech.tar.gz]?
Writing Branch5-2-20240117-231506-admin-tech.tar.gz
%Error writing scp://*@173.37.151.76/Branch5-2-20240117-231506-admin-tech.tar.gz (Undefined error)
Branch5-2#
Jan 17 23:07:31.593: scp_write_process : User Supplied port ()
Jan 17 23:07:31.593: scp_write_process : Connecting on port (22)
Jan 17 23:07:31.844: SSH CLIENT1: protocol version id is - SSH-2.0-SFTPPlus
Jan 17 23:07:31.844: SSH CLIENT1: protocol version exchange successful
Jan 17 23:07:31.845: %SSH-3-NO_MATCH: No matching mac found: client hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com server hmac-sha2-512,hmac-sha2-256,hmac-sha1
Jan 17 23:07:31.845: SSH CLIENT1: key exchange failure (code = 0)
Jan 17 23:07:31.845: SSH2 CLIENT 1: Failed to unqueue conn from list CONN 1 TTY 435
Jan 17 23:07:31.845: SSH CLIENT1: Session disconnected - error 0x00

BR

Peter
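Both failures in this thread are the same mechanism seen from opposite sides: SSH picks the first MAC in the client's list that the server also offers (RFC 4253, section 7.1), and %SSH-3-NO_MATCH is logged when that intersection is empty. On the 9300 the incoming client offered only hmac-md5/hmac-sha1/hmac-ripemd160 against a SHA-2-only server; in Peter's scp case the IOS XE client offered only the -etm@openssh.com variants against an SFTPPlus server that has none. The script below is an added example, not code from the thread or from Cisco: it parses the NO_MATCH lines quoted above (copied from the posts, one per event), computes the overlap, says which side has to change, and reports the time-of-day window, since a tight recurring window points at a scheduled job rather than an interactive user. The LEGACY_MACS classification is the editor's own assumption, not a Cisco list.

```python
"""Explain Cisco IOS XE %SSH-3-NO_MATCH events: which MACs each side offered,
why nothing matched, and which side must change.

Added example (editor's code, not from the forum thread or from Cisco).
The log lines below are copied from the thread; LEGACY_MACS is the editor's
own classification."""
import re
from collections import Counter
from datetime import datetime

# Handles both "NNN: *Oct 16 02:28:05.317 UTC: %SSH-3-..." (syslog buffer)
# and "Jan 17 23:07:31.845: %SSH-3-..." (debug output) prefixes.
NO_MATCH = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)?(?: UTC)?: "
    r"%SSH-3-NO_MATCH: No matching (?P<alg>\w+) found: "
    r"client (?P<client>\S+) server (?P<server>\S+)"
)

# Assumption (editor's classification): MD5 and RIPEMD MACs were dropped from
# OpenSSH defaults long ago; HMAC-SHA1 is widely treated as legacy.
LEGACY_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96", "hmac-ripemd160"}

# One line per event from the 9300 post (each appears twice in the thread).
SWITCH_LOGS = [
    "009977: *Oct 16 02:28:05.317 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512",
    "009980: *Oct 16 02:32:16.037 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512",
    "010266: *Oct 17 02:12:39.506 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512",
    "010269: *Oct 17 02:16:56.868 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512",
    "010561: *Oct 18 02:27:45.392 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512",
    "010564: *Oct 18 02:31:55.176 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512",
    "010866: *Oct 19 02:28:01.585 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512",
    "010869: *Oct 19 02:32:12.233 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512",
]
# The outgoing-scp failure from Peter's post (IOS XE is the client here).
SCP_LOGS = [
    "Jan 17 23:07:31.845: %SSH-3-NO_MATCH: No matching mac found: client hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com server hmac-sha2-512,hmac-sha2-256,hmac-sha1",
]


def parse_no_match(lines):
    """Return one dict per NO_MATCH line; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = NO_MATCH.search(line)
        if not m:
            continue
        events.append({
            "time": datetime.strptime(m["ts"], "%b %d %H:%M:%S").time(),
            "alg": m["alg"],                     # "mac", "cipher", "kex", ...
            "client": m["client"].split(","),    # client preference order
            "server": m["server"].split(","),
        })
    return events


def common_algorithms(client, server):
    """Shared algorithms in client preference order; the first one is what SSH
    would negotiate (RFC 4253, 7.1). Empty list == NO_MATCH."""
    offered = set(server)
    return [a for a in client if a in offered]


def classify(event):
    """Say which side has to change to clear the error."""
    if common_algorithms(event["client"], event["server"]):
        return "ok"
    if all(a in LEGACY_MACS for a in event["client"]):
        return "client-legacy-only"   # upgrade/reconfigure the client, not the switch
    if all(a.endswith("-etm@openssh.com") for a in event["client"]):
        return "client-etm-only"      # server lacks encrypt-then-MAC variants
    return "no-overlap"


def daily_window(events):
    """Earliest and latest time-of-day seen; a narrow recurring window usually
    means a scheduled job (backup, poller) rather than a person."""
    times = sorted(e["time"] for e in events)
    return times[0].strftime("%H:%M:%S"), times[-1].strftime("%H:%M:%S")


def summarize(lines):
    events = parse_no_match(lines)
    return {
        "events": len(events),
        "verdicts": dict(Counter(classify(e) for e in events)),
        "window": daily_window(events) if events else None,
    }


if __name__ == "__main__":
    print("9300 (incoming clients):", summarize(SWITCH_LOGS))
    print("cEdge scp (outgoing):   ", summarize(SCP_LOGS))
```

The NO_MATCH message itself carries no peer address, which is why the thread could not find the source; what the script does recover is the daily window (02:12 to 02:32 UTC here), which is the clue to go hunting for a scheduled task on a legacy host. On IOS XE, `show ip ssh` lists the MAC algorithms the server currently offers, so the server-side list in the log can be checked against configuration before anyone is asked to change a client.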
