Symptom
When a switch cannot find a common cipher with an incoming SSH client, the connection fails and the following syslog message is logged:
%DAEMON-2-SYSTEM_MSG: fatal: no matching cipher found: client 3des-cbc,blowfish-cbc server aes128-ctr,aes192-ctr,aes256-ctr - sshd
This message does not include the source IP address of the client.
This bug was opened to add the IP address of the SSH client that is failing to connect to the MDS switch, so that the device running the SSH client can be located and its SSH client updated.
Conditions
This issue occurs on any Cisco switch running affected NX-OS. SSH clients (including DCNM) fail to authenticate with the switch because there are no common ciphers.
Workaround
Run an ethanalyzer trace on the management interface to see the source IP of the failing SSH connection, using the following switch CLI command:
ethanalyzer local interface mgmt capture-filter "tcp port 22"
If there is a lot of traffic, you can also capture to a file on bootflash:, retrieve it and examine it with Wireshark, using the following command:
ethanalyzer local interface mgmt capture-filter "tcp port 22" write bootflash:ssh.pcap
Further Problem Description
The IP address of the client has been added to the syslog message:
%DAEMON-2-SYSTEM_MSG: fatal: No matching ciphers found. Client (192.168.1.2) supported ciphers: 3des-cbc,blowfish-cbc. Server supported ciphers: aes128-ctr,aes192-ctr,aes256-ctr - sshd
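As an added example (not part of the bug report or of Cisco's code), a small Python parser that handles both the pre-fix and post-fix message formats quoted above and reports, per client IP, which server ciphers the client would need to enable; the timestamps, hostname and the second client IP in the sample log lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Pre-fix message: no client IP. Post-fix message: client IP in parentheses.
# Both patterns follow the message text quoted in the bug description.
OLD_RE = re.compile(r"fatal: no matching cipher found: client (?P<client>\S+) server (?P<server>\S+)")
NEW_RE = re.compile(
    r"fatal: No matching ciphers found\. Client \((?P<ip>[0-9A-Fa-f.:]+)\) "
    r"supported ciphers: (?P<client>[\w@.,-]+)\. Server supported ciphers: (?P<server>[\w@.,-]+)"
)

@dataclass
class CipherMismatch:
    client_ip: Optional[str]      # None when the switch logged the pre-fix message
    client_ciphers: list
    server_ciphers: list

def parse_cipher_mismatch(line: str) -> Optional[CipherMismatch]:
    """Parse one syslog line; return None if it is not a cipher-mismatch event."""
    m = NEW_RE.search(line) or OLD_RE.search(line)
    if not m:
        return None
    ip = m.group("ip") if "ip" in m.groupdict() else None
    return CipherMismatch(ip, m.group("client").split(","), m.group("server").split(","))

def clients_needing_update(lines):
    """Map each client IP to the server ciphers it lacks; pre-fix events get a placeholder key."""
    report = {}
    for line in lines:
        ev = parse_cipher_mismatch(line)
        if ev is None:
            continue
        key = ev.client_ip or "unknown (pre-fix message; identify via ethanalyzer)"
        needed = [c for c in ev.server_ciphers if c not in ev.client_ciphers]
        report.setdefault(key, set()).update(needed)
    return {k: sorted(v) for k, v in report.items()}

# Constructed sample log lines: one pre-fix event, two post-fix events, one unrelated line.
SAMPLE_LOG = [
    "2024 Jan 10 12:00:01 mds-1 %DAEMON-2-SYSTEM_MSG: fatal: no matching cipher found: client 3des-cbc,blowfish-cbc server aes128-ctr,aes192-ctr,aes256-ctr - sshd",
    "2024 Jan 10 12:00:05 mds-1 %DAEMON-2-SYSTEM_MSG: fatal: No matching ciphers found. Client (192.168.1.2) supported ciphers: 3des-cbc,blowfish-cbc. Server supported ciphers: aes128-ctr,aes192-ctr,aes256-ctr - sshd",
    "2024 Jan 10 12:00:09 mds-1 %DAEMON-2-SYSTEM_MSG: fatal: No matching ciphers found. Client (10.0.0.7) supported ciphers: aes128-cbc,3des-cbc. Server supported ciphers: aes128-ctr,aes192-ctr,aes256-ctr - sshd",
    "2024 Jan 10 12:00:12 mds-1 %AUTHPRIV-6-SYSTEM_MSG: Accepted publickey for admin from 10.0.0.9 port 51234 ssh2 - sshd",
]

if __name__ == "__main__":
    for ip, ciphers in clients_needing_update(SAMPLE_LOG).items():
        print(f"{ip}: enable one of {', '.join(ciphers)}")
```

Feed it the switch's syslog export (or a collector's forwarded lines) to get a list of client hosts to update; events logged before the fix still need the ethanalyzer capture to identify the host.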