10-19-2021 08:03 AM - edited 10-19-2021 09:25 AM
Hello Everyone,
We are seeing a "MAC not found" alert on the Cisco 9300 switch. We also noticed that this alert triggers every day around 2:15 - 2:45 UTC; we do not see it at any other time. What would be the reason?
How can we stop this alert?
We have regenerated RSA but no luck.
cisco 9300(config)#crypto key generate rsa
% You already have RSA keys defined named cisco 9300.xx.com.
% Do you really want to replace them? [yes/no]: n
cisco 9300(config)#ncrypto key generate rsaend crypto key generate rsa
% You already have RSA keys defined named cisco 9300.xx.com.
% Do you really want to replace them? [yes/no]: y
Choose the size of the key modulus in the range of 512 to 4096 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [1024]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)
009977: *Oct 16 02:28:05.317 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
009978: *Oct 16 02:28:05.374 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
009980: *Oct 16 02:32:16.037 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
009981: *Oct 16 02:32:16.093 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
010266: *Oct 17 02:12:39.506 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
010267: *Oct 17 02:12:39.564 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
010269: *Oct 17 02:16:56.868 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
010270: *Oct 17 02:16:56.924 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
010561: *Oct 18 02:27:45.392 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
010562: *Oct 18 02:27:45.449 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
010564: *Oct 18 02:31:55.176 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
010565: *Oct 18 02:31:55.233 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
010866: *Oct 19 02:28:01.585 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
010867: *Oct 19 02:28:01.644 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
010869: *Oct 19 02:32:12.233 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
010870: *Oct 19 02:32:12.291 UTC: %SSH-3-NO_MATCH: No matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160 server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
Regards,
Chandhuru
12-01-2021 09:48 AM
Hello Everyone,
For this issue, we identified that the 9K switches are using high ciphers like SHA2-256 and SHA2-512 for security reasons.
Access to the switch with a low cipher like SHA1 or other low ciphers is not allowed and gets denied, so we are getting these alerts.
Solution:
We need to ignore those alerts or identify the low-cipher clients and ask them to use high ciphers. There is no fix from the 9K switch end, since this is for security reasons.
Hope it helps. Please rate my solution.
10-19-2021 10:08 AM
- It seems like a remote ssh client tries to connect with no matching ciphers. Verify whether this source is valid; if not, block it.
M.
10-19-2021 10:18 AM
Thanks for your reply Marce!!!
We couldn't see the source MAC. Is there any way to find it out?
10-19-2021 10:38 PM
Any update ???
10-19-2021 11:05 PM
- You should block the offending ip-address of the incoming ssh-connection.
M.
12-05-2022 09:41 AM
I get that error when attempting to ssh to my new 9606 core(secondary) from the primary 6807-xl. So it's not as simple as blocking that IP, which is not a good solution.
09-26-2024 10:07 PM
Hi @Chandhuru sekaran marimuthu
I encountered the same issue on my C9500 with version 17.12.03, but does Cisco have a document for this release issue? If so, do you have a link to the documents from Cisco?
Thank you
01-17-2024 03:27 PM
It is a shame that even in 2024 Cisco's SCM file server does not support newer/safer standards, so I just fail at SSHing to it from cEdge (IOS XE SD-WAN) platforms, getting this:
Branch5-2#copy bootflash: scp: vrf Mgmt-intf
Source filename [/vmanage-admin/Branch5-2-20240117-231506-admin-tech.tar.gz]?
Address or name of remote host []? 173.37.151.76
Destination username [admin]? <my SR#>
Destination filename [Branch5-2-20240117-231506-admin-tech.tar.gz]?
Writing Branch5-2-20240117-231506-admin-tech.tar.gz
%Error writing scp://*@173.37.151.76/Branch5-2-20240117-231506-admin-tech.tar.gz (Undefined error)
Branch5-2#
Jan 17 23:07:31.593: scp_write_process : User Supplied port ()
Jan 17 23:07:31.593: scp_write_process : Connecting on port (22)
Jan 17 23:07:31.844: SSH CLIENT1: protocol version id is - SSH-2.0-SFTPPlus
Jan 17 23:07:31.844: SSH CLIENT1: protocol version exchange successful
Jan 17 23:07:31.845: %SSH-3-NO_MATCH: No matching mac found: client hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com server hmac-sha2-512,hmac-sha2-256,hmac-sha1
Jan 17 23:07:31.845: SSH CLIENT1: key exchange failure (code = 0)
Jan 17 23:07:31.845: SSH2 CLIENT 1: Failed to unqueue conn from list CONN 1 TTY 435
Jan 17 23:07:31.845: SSH CLIENT1: Session disconnected - error 0x00
BR
Peter
07-15-2024 01:17 PM
I had the same problem after upgrading to IOS XE 17.12.03.
I reconfigured the ssh server algorithms and now it works:
Example:
ip ssh server algorithm mac hmac-sha2-256 hmac-sha2-512
ip ssh server algorithm encryption aes256-gcm aes256-cbc
It supports:
(config)#ip ssh server algorithm encryption ?
3des-cbc Three-key 3DES in CBC mode
aes128-cbc AES with 128-bit key in CBC mode
aes128-ctr AES with 128-bit key in CTR mode
aes128-gcm AES with 128-bit key GCM mode
aes128-gcm@openssh.com AES with 128-bit key GCM openssh mode
aes192-cbc AES with 192-bit key in CBC mode
aes192-ctr AES with 192-bit key in CTR mode
aes256-cbc AES with 256-bit key in CBC mode
aes256-ctr AES with 256-bit key in CTR mode
aes256-gcm AES with 256-bit key GCM mode
aes256-gcm@openssh.com AES with 256-bit key GCM openssh mode
chacha20-poly1305@openssh.com chacha20 cipher with poly1305 mac
(config)#ip ssh server algorithm mac ?
hmac-sha1 HMAC-SHA1 (digest length = 160 bits,key length = 160 bits)
hmac-sha2-256 HMAC-SHA2-256 (digest length = 256 bits, key length = 256 bits)
hmac-sha2-256-etm@openssh.com HMAC-SHA2-256-ETM (digest length = 256 bits, key length = 256 bits)
hmac-sha2-512 HMAC-SHA2-512 (digest length = 512 bits, key length = 512 bits)
hmac-sha2-512-etm@openssh.com HMAC-SHA2-512-ETM (digest length = 512 bits, key length = 512 bits)
08-08-2024 07:13 AM
Thanks! That resolved my issue.
02-20-2025 06:35 AM
Thanks for the fix.
We use a Model C9200L-24P-4G with Prime.
I added: ip ssh server algorithm mac hmac-sha1 ...
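As an added example (not code from any poster here, nor from Cisco), the following Python applies the SSH algorithm negotiation rule from RFC 4253 section 7.1 (the chosen algorithm is the first one on the client's list that the server also offers) to the %SSH-3-NO_MATCH lines quoted in this thread. It shows why the 9300's legacy client cannot be helped by the server-side list from the 07-15-2024 post, and that adding hmac-sha1 as in the post above re-enables such clients only at the cost of a weaker MAC. The two log lines are copied from the thread; the regex and function names are this example's own.

```python
import re

# RFC 4253 section 7.1: the selected algorithm is the first one on the
# client's name-list that also appears on the server's name-list.
# The IOS log reports both lists when there is no common entry.
NO_MATCH_RE = re.compile(
    r"%SSH-3-NO_MATCH: No matching (?P<kind>\w+) found: "
    r"client (?P<client>\S+) server (?P<server>\S+)"
)


def negotiate(client_list, server_list):
    """Return the algorithm SSH would select, or None if the lists are disjoint."""
    offered = set(server_list)
    for alg in client_list:          # client preference order decides
        if alg in offered:
            return alg
    return None


def parse_no_match(line):
    """Extract (kind, client algs, server algs) from a %SSH-3-NO_MATCH line."""
    m = NO_MATCH_RE.search(line)
    if not m:
        return None
    return (m.group("kind"),
            m.group("client").split(","),
            m.group("server").split(","))


def analyse(line):
    """Summarise a NO_MATCH line: what each side offered and what would be picked."""
    parsed = parse_no_match(line)
    if parsed is None:
        return None
    kind, client, server = parsed
    return {
        "kind": kind,
        "client": client,
        "server": server,
        "selected": negotiate(client, server),
        # algorithms only one side offers explain the failure
        "client_only": [a for a in client if a not in server],
        "server_only": [a for a in server if a not in client],
    }


# Log lines copied from this thread (the 9300 server case and the cEdge client case)
SWITCH_LINE = ("009977: *Oct 16 02:28:05.317 UTC: %SSH-3-NO_MATCH: No matching mac found: "
               "client hmac-md5,hmac-sha1,hmac-ripemd160 "
               "server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,"
               "hmac-sha2-256,hmac-sha2-512")
CEDGE_LINE = ("Jan 17 23:07:31.845: %SSH-3-NO_MATCH: No matching mac found: "
              "client hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com "
              "server hmac-sha2-512,hmac-sha2-256,hmac-sha1")

if __name__ == "__main__":
    for line in (SWITCH_LINE, CEDGE_LINE):
        r = analyse(line)
        print(r["kind"], "selected:", r["selected"], "client-only:", r["client_only"])
```

Feeding a proposed `ip ssh server algorithm mac` list into `negotiate` together with the client list from the log tells you before you change anything whether a given client will connect and which MAC it will end up with.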
09-27-2024 01:29 AM
Hello
@Chandhuru sekaran marimuthu wrote:
We need to ignore those alerts are identify the low cipher clients and ask them to use high ciphers.
You can ignore them, but I envisage they will be annoying. You can negate those messages with a simple log discriminator.
Example:
logging discriminator SSH msg-body drops "%SSH-3-NO_MATCH: No matching mac found:"
logging buffered discriminator SSH 7
logging console discriminator SSH 7
logging monitor discriminator SSH 7