...
When a switch cannot find a common cipher with an incoming SSH client, the connection fails and the following syslog message is logged:

%DAEMON-2-SYSTEM_MSG: fatal: no matching cipher found: client 3des-cbc,blowfish-cbc server aes128-ctr,aes192-ctr,aes256-ctr - sshd

This message does not include the source IP address of the client. This bug was opened to add the IP address of the SSH client that is failing to connect to the MDS switch, so that the device running the SSH client can be found and the SSH client updated.
This issue occurs on any Cisco switch running an affected NX-OS release. SSH clients (including DCNM) fail to authenticate with the switch because there are no common ciphers.
Run an ethanalyzer trace on the management interface to see the source IP of the failing SSH connection, using the following switch CLI command:

ethanalyzer local interface mgmt capture-filter "tcp port 22"

If there is a lot of traffic, you can also capture this to a file on bootflash:, retrieve it and look at it with Wireshark, using the following command:

ethanalyzer local interface mgmt capture-filter "tcp port 22" write bootflash:ssh.pcap
The IP address of the client has been added to the syslog message:

%DAEMON-2-SYSTEM_MSG: fatal: No matching ciphers found. Client (192.168.1.2) supported ciphers: 3des-cbc,blowfish-cbc. Server supported ciphers: aes128-ctr,aes192-ctr,aes256-ctr - sshd
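
The following is an added example, not Cisco's code: it parses both message formats quoted above from collected syslog lines and lists which client addresses need their SSH client updated. The function names, the "unknown" label and the 192.0.2.10 line are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Pre-fix message: no client address. Post-fix message: address in parentheses.
OLD = re.compile(
    r"no matching cipher found: client (?P<client>\S+) server (?P<server>\S+)")
NEW = re.compile(
    r"No matching ciphers found\. Client \((?P<ip>[^)]+)\) supported ciphers: "
    r"(?P<client>\S+?)\. Server supported ciphers: (?P<server>\S+)")

def parse_line(line):
    """Return the fields of a cipher-mismatch message, or None for other lines."""
    m = NEW.search(line) or OLD.search(line)
    if not m:
        return None
    fields = m.groupdict()
    client = fields["client"].split(",")
    server = fields["server"].split(",")
    return {
        "ip": fields.get("ip"),  # None for the pre-fix format
        "client": client,
        "server": server,
        "common": sorted(set(client) & set(server)),
    }

def clients_to_update(lines):
    """Map each failing client address to the ciphers it offered."""
    offered = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            key = rec["ip"] or "unknown (pre-fix message)"
            offered[key].update(rec["client"])
    return {ip: sorted(ciphers) for ip, ciphers in offered.items()}

# Constructed sample: the two messages quoted on this page, one constructed
# message from a second client, and one constructed unrelated line.
SAMPLE = [
    "%DAEMON-2-SYSTEM_MSG: fatal: no matching cipher found: client 3des-cbc,blowfish-cbc server aes128-ctr,aes192-ctr,aes256-ctr - sshd",
    "%DAEMON-2-SYSTEM_MSG: fatal: No matching ciphers found. Client (192.168.1.2) supported ciphers: 3des-cbc,blowfish-cbc. Server supported ciphers: aes128-ctr,aes192-ctr,aes256-ctr - sshd",
    "%DAEMON-2-SYSTEM_MSG: fatal: No matching ciphers found. Client (192.0.2.10) supported ciphers: aes128-cbc,3des-cbc. Server supported ciphers: aes128-ctr,aes192-ctr,aes256-ctr - sshd",
    "%EXAMPLE-6-PLACEHOLDER: constructed unrelated line",
]

if __name__ == "__main__":
    for ip, ciphers in clients_to_update(SAMPLE).items():
        print(f"{ip}: offers only {','.join(ciphers)}")
```

Lines in the pre-fix format are grouped under a single "unknown" key, which is the case where the ethanalyzer capture above is still needed to find the client.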