NCM cannot connect to devices and NCMSERV.OUT shows key exchange error

Document ID : KB000110197
Last Modified Date : 09/08/2018
Issue:
We have started deploying new Juniper gear with a new standard configuration. NCM cannot connect to these switches. We have determined that the problem is due to the macs, ciphers, and keyexes specified in the config. When we remove them from the config, NCM works again.

Here is the error in NCMSERV.OUT:

    com.mindbright.ssh2.SSH2FatalException: Key exchange failed: No match in kex params 'mac-algorithms-cli2srv', our's: hmac-md5,hmac-sha1, peer's: hmac-sha2-256,hmac-sha2-512
        at com.mindbright.ssh2.SSH2SimpleClient.init(SSH2SimpleClient.java:277)
        at com.mindbright.ssh2.SSH2SimpleClient.init(SSH2SimpleClient.java:265)
        at com.mindbright.ssh2.SSH2SimpleClient.<init>(SSH2SimpleClient.java:79)
        at com.mindbright.util.SshConnection.login(SshConnection.java:100)
        at com.aprisma.spectrum.scmd.JunoScript.login(JunoScript.java:466)
        at com.aprisma.spectrum.scmd.JunoScript.mindtermCapture(JunoScript.java:172)
        at com.aprisma.spectrum.scmd.JunoScript.capture(JunoScript.java:44)
        at com.aprisma.spectrum.scmd.ScmServiceImpl.captureRunningConfigImpl(ScmServiceImpl.java:398)
        at com.aprisma.spectrum.scmd.ScmServiceImpl.captureRunningConfigRun(ScmServiceImpl.java:222)
        at com.aprisma.spectrum.scmd.ScmServiceImpl.access$000(ScmServiceImpl.java:31)
        at com.aprisma.spectrum.scmd.ScmServiceImpl$1.run(ScmServiceImpl.java:1919)
        at java.lang.Thread.run(Thread.java:745)

Here is the offending configuration:

    ssh {
        root-login deny;
        protocol-version v2;
        max-sessions-per-connection 32;
        ciphers [ aes192-cbc aes192-ctr aes256-cbc aes256-ctr arcfour256 blowfish-cbc ];
        macs [ hmac-sha2-256 hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96 ];
        key-exchange [ ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256 group-exchange-sha2 dh-group14-sha1 ];
        client-alive-count-max 4;
        client-alive-interval 15;
        rate-limit 10;
    }


I can make it work by switching the ssh library from mindterm to jsch. Is there any way to configure the ciphers, macs, and key exchanges that are used by either ssh library?
Cause:
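The key exchange fails because the algorithms configured on the device are not supported by the Mindterm library. In the error above, the parameter with no match is mac-algorithms-cli2srv: Mindterm offers hmac-md5,hmac-sha1, while the device offers hmac-sha2-256,hmac-sha2-512.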
Resolution:
Change the ssh library from mindterm to jsch per the instructions in the CA documentation:

https://docops.ca.com/ca-spectrum/10-2-3/en/managing-network/network-configuration-manager/network-configuration-manager-configurations/network-configuration-manager-extension-utility#NetworkConfigurationManagerExtensionUtility-NCMSupportforSSHusingJschlibraries


Mindterm:

* Supported Ciphers: AES (128, 192, 256), Blowfish, Twofish, Cast, 3DES, Arcfour (modes cbc, ctr and, for arcfour, ecb)
* Key exchange support: Diffie-Hellman group-exchange protocol, Diffie-Hellman group1-sha1, Diffie-Hellman Elliptic Curve
* Ability to generate key pairs for DSA, RSA and ECDSA
* Supported macs: hmac-md5, hmac-sha1, hmac-sha1-96, hmac-md5-96, hmac-ripemd160

JSCH: 

* Cipher: blowfish-cbc,3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-ctr,arcfour,arcfour128,arcfour256 
* Key exchange: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 
* MAC: hmac-md5, hmac-sha1, hmac-md5-96, hmac-sha1-96
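
An added example, not part of the CA article or of NCM: it parses the NCMSERV.OUT error above and applies the RFC 4253 first-match rule to the device stanza and the JSCH lists printed on this page. The Junos keyword mapping and the use of the printed order as the client's preference order are assumptions.

```python
import re

# Junos CLI keywords that differ from the SSH wire names (assumed mapping).
JUNOS_TO_WIRE = {
    "group-exchange-sha2": "diffie-hellman-group-exchange-sha256",
    "dh-group14-sha1": "diffie-hellman-group14-sha1",
}

# Device side: the ssh stanza quoted in the Issue section.
DEVICE = {
    "cipher": "aes192-cbc aes192-ctr aes256-cbc aes256-ctr arcfour256 blowfish-cbc",
    "mac": "hmac-sha2-256 hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96",
    "kex": "ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256 "
           "group-exchange-sha2 dh-group14-sha1",
}

# Client side: JSCH lists as printed on this page (printed order is assumed
# to be the preference order).
JSCH = {
    "cipher": "blowfish-cbc,3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,"
              "aes192-ctr,aes256-ctr,3des-ctr,arcfour,arcfour128,arcfour256",
    "mac": "hmac-md5,hmac-sha1,hmac-md5-96,hmac-sha1-96",
    "kex": "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,"
           "diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,"
           "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521",
}

KEX_ERROR = re.compile(r"No match in kex params '([^']+)', our's: (\S+), peer's: (\S+)")

def names(text):
    """Split a comma- or space-separated list and normalise Junos keywords."""
    return [JUNOS_TO_WIRE.get(n, n) for n in re.split(r"[,\s]+", text.strip()) if n]

def negotiate(client, server):
    """RFC 4253 section 7.1 first-match rule (kex host-key conditions ignored)."""
    offered = set(names(server))
    return next((alg for alg in names(client) if alg in offered), None)

def audit(client, device=DEVICE):
    """Negotiated algorithm per category; None means the handshake fails there."""
    return {cat: negotiate(client[cat], device[cat]) for cat in device}

def parse_kex_error(line):
    """Extract (parameter, client list, device list) from an NCMSERV.OUT line."""
    m = KEX_ERROR.search(line)
    return (m.group(1), names(m.group(2)), names(m.group(3))) if m else None

if __name__ == "__main__":
    print(audit(JSCH))
```

Run against the lists as printed here, cipher and key exchange negotiate but the MAC category returns None, so check which MACs the deployed jsch build actually advertises before relying on the printed list.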