SFTP Polling Listener Connection Errors: "No Common Algorithms Available for Connection" and "No Matching Key Exchange Method Found"

Document ID : KB000008830
Last Modified Date : 14/02/2018
Issue:

CA API Gateway ("Gateway") SSG logs will show entries similar to the example below:

SFTP polling listener 'Poll <Name> (#<GUID>,<version>)' connection error: No common algorithms available for connection

Often when looking at logs on the backend of the connection, log entries may be seen similar to the example below:

Unable to negotiate with <IP/Hostname> port <port#>: no matching key exchange method found. Their offer: <cipherSuite> [preauth]

Lastly, intermittent SFTP connection errors may also be seen, although this is less common in this scenario.

Environment:

A Gateway (any version) set up with SFTP connections and an SFTP Polling Listener.

Cause:

The error "No common algorithms available for connection" indicates that part of the SSH handshake is failing, specifically the step in which both sides agree on a cipher suite. The backend's "no matching key exchange method found" narrows this further: the key exchange step of the handshake found no algorithm supported by both the Gateway and the backend server. This situation is typically caused by the two sides offering no key exchange algorithms and cipher suites in common, given the security requirements of the environment.

Resolution:

This should be taken as an opportunity to recognize that there are security incompatibilities in the environment that need to be resolved; the issue may in fact be bigger than first experienced, with similar problems possibly affecting systems outside the Gateway. With this knowledge, changes can be made either on the clients of the backend, raising their security settings to meet the backend's requirements, or on the backend, improving its compatibility with the clients. Which is appropriate ultimately depends on the impact, on the current security settings, and on whether security is considered too tight or too loose for the environment.

If the changes are to be made on the Gateway (client), the following are recommended:

  1. Make the following changes/additions to /etc/ssh/sshd_config on the Gateway:
    1. KexAlgorithms diffie-hellman-group-exchange-sha256
    2. Ciphers aes256-ctr,aes192-ctr,aes128-ctr
    3. MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
  2. Restart the sshd service.

Ultimately, in each category (key exchange algorithms, ciphers and MACs) at least one entry must be supported by both the Gateway and the backend. The list above is an example of a strong set of ciphers and key exchange algorithms recommended by CA API Management; depending on the version used, they may not be the Gateway's defaults. The same ciphers and algorithms can also be recommended for backends that currently use weaker encryption methods.
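As an added illustration (not part of the original article or the Gateway product), the following Python models the rule SSH applies when picking each algorithm, checks the recommended Gateway lists against a constructed legacy backend, and extracts the client's offer from the backend log line quoted above. The backend algorithm lists and the log values are constructed examples, and the category names other than "key exchange method" are an assumption.

```python
import re

# Gateway (client) lists recommended in the article above.
GATEWAY_OFFER = {
    "kex": ["diffie-hellman-group-exchange-sha256"],
    "cipher": ["aes256-ctr", "aes192-ctr", "aes128-ctr"],
    "mac": ["hmac-sha2-512", "hmac-sha2-256", "hmac-ripemd160"],
}
# Constructed backend that prefers legacy algorithms and lacks the Gateway's kex.
LEGACY_BACKEND = {
    "kex": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "cipher": ["aes128-cbc", "3des-cbc", "aes128-ctr"],
    "mac": ["hmac-sha1", "hmac-sha2-256"],
}


def negotiate(client, server):
    """RFC 4253 section 7.1: per category the winner is the first entry in the
    client's list that the server also supports; None is the
    "No common algorithms available" failure described above."""
    chosen = {}
    for category, client_list in client.items():
        server_set = set(server.get(category, []))
        chosen[category] = next((a for a in client_list if a in server_set), None)
    return chosen


def failed_categories(client, server):
    """Categories with no overlap at all (sorted for stable output)."""
    return sorted(c for c, a in negotiate(client, server).items() if a is None)


# Matches the backend log line quoted above; category names other than
# "key exchange method" ("cipher", "MAC") are assumed to use the same pattern.
OFFER_RE = re.compile(r"no matching (?P<cat>.+?) found\. Their offer: (?P<offer>[^\s\[]+)")
CATEGORY_NAMES = {"key exchange method": "kex", "cipher": "cipher", "MAC": "mac"}


def parse_backend_log(line):
    """Return (category, [algorithms the client offered]) or None if no match."""
    m = OFFER_RE.search(line)
    if not m or m.group("cat") not in CATEGORY_NAMES:
        return None
    return CATEGORY_NAMES[m.group("cat")], m.group("offer").split(",")


def missing_on_backend(line, backend):
    """Client-offered algorithms the backend lacks for the logged category:
    add one of these to the backend, or one of the backend's to the client."""
    parsed = parse_backend_log(line)
    if parsed is None:
        return None
    category, offered = parsed
    return [a for a in offered if a not in backend.get(category, [])]
```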

Additional Information: