Not able to retrieve configuration for Cisco IOS XE Software, Version 17.12.03

[thomasbruchet]

Hello;

I've an issue with connection to and Cisco IOS XE Software, Version 17.12.03

Oxidized was installed by a former colleague who no longer works here, and I've taken over the subject, but I don't have all the control he might have had.
He installed it with the docker container and maybe that's where the problem lies.

From the host machine, I have no problem connecting to the switch.

xxxxxxxxxxxx:~# ssh -v  xxxxxxxxxx@10.200.99.125
OpenSSH_7.9p1 Debian-10+deb10u4, OpenSSL 1.1.1n  15 Mar 2022
debug1: Reading configuration data /root/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 10.200.99.125 [10.200.99.125] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type 0
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u4
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: match: Cisco-1.25 pat Cisco-1.* compat 0x60000000
debug1: Authenticating to 10.200.99.125:22 as 'xxxxxxxxxxxx'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:o+UBEebLKXmI/FLBVPoVwXj83TUAHOzpfujbzKdKvr0
debug1: Host '10.200.99.125' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:67
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 4294967296 blocks
debug1: Will attempt key: /root/.ssh/id_rsa RSA SHA256:pLeWjgcA2acvPtQbSCeK1th77JY3PEa7weIggkyQCQQ
debug1: Will attempt key: /root/.ssh/id_dsa
debug1: Will attempt key: /root/.ssh/id_ecdsa
debug1: Will attempt key: /root/.ssh/id_ed25519
debug1: Will attempt key: /root/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512,x509v3-rsa2048-sha256>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive,password
debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa RSA SHA256:pLeWjgcA2acvPtQbSCeK1th77JY3PEa7weIggkyQCQQ
debug1: Authentications that can continue: publickey,keyboard-interactive,password
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: Trying private key: /root/.ssh/id_xmss
debug1: Next authentication method: keyboard-interactive
Password:
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to 10.200.99.125 ([10.200.99.125]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: network
debug1: Sending environment.
debug1: Sending env LANG = fr_FR.UTF-8
xxxxxxxxxxx1#

However, when I ask Oxidized to connect to retrieve the configuration, nothing comes back and the log file is empty.

/opt/docker/apps/oxidized/data# cat logs/10.200.99.125-ssh

Here are the oxidized logs

/opt/docker/apps/oxidized/data# docker logs e11c582084e9 -f -n 30
Dec 19 08:00:49 e11c582084e9 oxidized[26]: 10.200.99.125 raised Net::SSH::Exception (rescued RuntimeError) with msg "could not settle on hmac_client algorithm"
Reloading config...
Dec 19 08:01:45 e11c582084e9 oxidized[26]: lib/oxidized/nodes.rb: Loading nodes
Dec 19 08:01:45 e11c582084e9 oxidized[26]: lib/oxidized/nodes.rb: Loaded 90 nodes
Dec 19 08:01:46 e11c582084e9 oxidized[26]: negotiating protocol version
Dec 19 08:01:46 e11c582084e9 oxidized[26]: sending KEXINIT
Dec 19 08:01:46 e11c582084e9 oxidized[26]: got KEXINIT from server
Dec 19 08:01:46 e11c582084e9 oxidized[26]: negotiating algorithms
Dec 19 08:01:46 e11c582084e9 oxidized[26]: 10.200.99.125 raised Net::SSH::Exception (rescued RuntimeError) with msg "could not settle on hmac_client algorithm"
Dec 19 08:03:00 e11c582084e9 oxidized[26]: 10.200.99.125 raised Errno::ETIMEDOUT with msg "Connection timed out - connect(2) for "10.200.99.125" port 23"
Dec 19 08:03:00 e11c582084e9 oxidized[26]: client_name:device_name not found, removed while collecting?
Dec 19 08:03:57 e11c582084e9 oxidized[26]: 10.200.99.125 raised Errno::ETIMEDOUT with msg "Connection timed out - connect(2) for "10.200.99.125" port 23"
Dec 19 08:03:57 e11c582084e9 oxidized[26]: client_name:device_name status no_connection, retry attempt 1
Dec 19 08:03:57 e11c582084e9 oxidized[26]: negotiating protocol version
Dec 19 08:03:57 e11c582084e9 oxidized[26]: sending KEXINIT
Dec 19 08:03:57 e11c582084e9 oxidized[26]: got KEXINIT from server
Dec 19 08:03:57 e11c582084e9 oxidized[26]: negotiating algorithms
Dec 19 08:03:57 e11c582084e9 oxidized[26]: 10.200.99.125 raised Net::SSH::Exception (rescued RuntimeError) with msg "could not settle on hmac_client algorithm"
Dec 19 08:06:08 e11c582084e9 oxidized[26]: 10.200.99.125 raised Errno::ETIMEDOUT with msg "Connection timed out - connect(2) for "10.200.99.125" port 23"
Dec 19 08:06:08 e11c582084e9 oxidized[26]: client_name:device_name status no_connection, retry attempt 2
Dec 19 08:06:08 e11c582084e9 oxidized[26]: negotiating protocol version
Dec 19 08:06:08 e11c582084e9 oxidized[26]: sending KEXINIT
Dec 19 08:06:08 e11c582084e9 oxidized[26]: got KEXINIT from server
Dec 19 08:06:08 e11c582084e9 oxidized[26]: negotiating algorithms
Dec 19 08:06:08 e11c582084e9 oxidized[26]: 10.200.99.125 raised Net::SSH::Exception (rescued RuntimeError) with msg "could not settle on hmac_client algorithm"
Dec 19 08:08:19 e11c582084e9 oxidized[26]: 10.200.99.125 raised Errno::ETIMEDOUT with msg "Connection timed out - connect(2) for "10.200.99.125" port 23"
Dec 19 08:08:19 e11c582084e9 oxidized[26]: client_name:device_name status no_connection, retries exhausted, giving up
Reloading config...
Dec 19 08:11:46 e11c582084e9 oxidized[26]: lib/oxidized/nodes.rb: Loading nodes
Dec 19 08:11:47 e11c582084e9 oxidized[26]: lib/oxidized/nodes.rb: Loaded 90 nodes

Here is the log from the docker itself, I did not replied yes, to not create more issue than this one and to be able to debug in that state.

root@e11c582084e9:/# ssh -v  xxxxxxxxxxx@10.200.99.125
OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n  7 Dec 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 10.200.99.125 [10.200.99.125] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: match: Cisco-1.25 pat Cisco-1.* compat 0x60000000
debug1: Authenticating to 10.200.99.125:22 as 'xxxxxxxxxxxxx'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:o+UBEebLKXmI/FLBVPoVwXj83TUAHOzpfujbzKdKvr0
The authenticity of host '10.200.99.125 (10.200.99.125)' can't be established.
RSA key fingerprint is SHA256:o+UBEebLKXmI/FLBVPoVwXj83TUAHOzpfujbzKdKvr0.
Are you sure you want to continue connecting (yes/no)?

Here is the oxidized configuration in file: "router.db "
client_name:device_name:10.200.99.125:Cisco

Here is the oxidized configuration in file: "config"

xxxxxxxxxxx:/opt/docker/apps/oxidized/data# cat config
---
interval: 21600
use_syslog: true
log: ~/.config/oxidied/logs
debug: true
model: ios
resolve_dns: false
threads: 30
use_max_threads: true
timeout: 180
retries: 2
prompt: !ruby/regexp /^([\w.@-]+[#>]\s?)$/
rest: 0.0.0.0:8888
next_adds_job: true

#pid: ~/.config/oxidized/oxidized.pid
pid: /dev/null

ssh_no_keepalive: false

vars:
#  auth_methods: [ "none", "password", "keyboard-interactive" ] -- edit 18/12/2024
  auth_methods: [ "none", "publickey", "password", "keyboard-interactive" ]

  remove_secret: false

input:
#  default: ssh, telnet -- edit 18/12/2024
default: ssh
  debug: true
  ssh:
    secure: false

output:
  default: git
  file:
    directory: ~/.config/oxidized/configs

  git:
    user: adm-oxid
    email: o@example.com
    single_repo: true
    repo: ~/.config/oxidized/devices.git/.git

source:
  default: csv
  csv:
    file: ~/.config/oxidized/router.db
    delimiter: !ruby/regexp /:/
    map:
      group: 0
      name: 1
      ip: 2
      model: 3
      username: 4
      password: 5
      enable_password: 6

hooks:
  hook_backup_ok:
    type: exec
    events: [node_success]
    cmd: 'echo "Node success $OX_NODE_NAME" >> /tmp/ox_node_success.log'


# Pour gérer les exceptions :
models:
  asa:
    vars:
      enable: password
#  ios:
#    vars:
#      enable: password
  aloha:
    username: adminaccount
    password: password
  aireos:
    username: adminaccount
    password: password
#  powerconnect:
#    vars:
#      enable: true
  powerconnect6224:
    vars:
      enable: true




model_map:
  Asa: asa
  Cisco: ios
  Fortigate: fortios
  Brocade: fabricos
  DELL Powerconnect: powerconnect
  powerconnect6224: powerconnect6224
#  PowerConnect: PowerConnect
  DELL nSeries: delln
  HP: procurve
  Radware: linkproof
  Lenovo: ibm
  HAProxy: aloha
  WCL: aireos
  Backbone: backbone
  PaloAlto: panos
  Checkpoint: gaiaos
  Nexus: nxos
  ArubaAP: arubaapos

username: adminaccount
password: password

I've looked into it and it's an error that seems to append but my linux knowledge is not enought to work on it, but either there's no effective solution or I don't know how to implement it.

Could you please help me?
Is answer yes will bypass the error for everytime ?

Thank you.

[kajtzu]

Your problem, could not settle on hmac_client algorithm is similar to what has been reported previously in for example #3067. Either use more recent libraries *probably better) or (temporarily) relax the IOS-XE side to allow a HMAC which is supported by the current libraries.

[thomasbruchet]

Hello

I've fully upgraded my Debian server and oxidized:latest but I still have the issue.

lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 12 (bookworm)
Release:        12
Codename:       bookworm

# ssh -v localhost
OpenSSH_9.2p1 Debian-2+deb12u3, OpenSSL 3.0.15 3 Sep 2024

The issue:

Reloading config...
Jan  6 09:42:47 04a25e3023a3 oxidized[30]: lib/oxidized/nodes.rb: Loading nodes
Jan  6 09:42:48 04a25e3023a3 oxidized[30]: lib/oxidized/nodes.rb: Loaded 90 nodes
Jan  6 09:48:28 04a25e3023a3 oxidized[30]: negotiating protocol version
Jan  6 09:48:28 04a25e3023a3 oxidized[30]: sending KEXINIT
Jan  6 09:48:28 04a25e3023a3 oxidized[30]: got KEXINIT from server
Jan  6 09:48:28 04a25e3023a3 oxidized[30]: negotiating algorithms
Jan  6 09:48:28 04a25e3023a3 oxidized[30]: 10.200.99.125 raised Net::SSH::Exception (rescued RuntimeError) with msg "could not settle on hmac_client algorithm"
Jan  6 09:48:29 04a25e3023a3 oxidized[30]: xxxxxx/xxxxxxxxxxx status no_connection, retry attempt 1
Jan  6 09:48:29 04a25e3023a3 oxidized[30]: negotiating protocol version
Jan  6 09:48:29 04a25e3023a3 oxidized[30]: sending KEXINIT
Jan  6 09:48:29 04a25e3023a3 oxidized[30]: got KEXINIT from server
Jan  6 09:48:29 04a25e3023a3 oxidized[30]: negotiating algorithms
Jan  6 09:48:29 04a25e3023a3 oxidized[30]: 10.200.99.125 raised Net::SSH::Exception (rescued RuntimeError) with msg "could not settle on hmac_client algorithm"
Jan  6 09:48:30 04a25e3023a3 oxidized[30]: xxxxxx/xxxxxxxxxxx status no_connection, retry attempt 2
Jan  6 09:48:30 04a25e3023a3 oxidized[30]: negotiating protocol version
Jan  6 09:48:30 04a25e3023a3 oxidized[30]: sending KEXINIT
Jan  6 09:48:30 04a25e3023a3 oxidized[30]: got KEXINIT from server
Jan  6 09:48:30 04a25e3023a3 oxidized[30]: negotiating algorithms
Jan  6 09:48:30 04a25e3023a3 oxidized[30]: 10.200.99.125 raised Net::SSH::Exception (rescued RuntimeError) with msg "could not settle on hmac_client algorithm"
Jan  6 09:48:31 04a25e3023a3 oxidized[30]: xxxxxx/xxxxxxxxxxx status no_connection, retries exhausted, giving up
^Ccontext canceled

On the switch the log say that the cipher and hmac are empty even if I use some that are used when I do a manual connection
cipher 'aes128-ctr', hmac 'hmac-sha2-256-etm@openssh.com'

I've updated router.db and config file to map hmac and cipher like this exemple: https://github.com/ytti/oxidized/blob/master/docs/Configuration.md

file config

    map:
      group: 0
      name: 1
      ip: 2
      model: 3
      ssh_hmac: 4
      ssh_encryption: 5

router.db:

CLIENT:SWITCH:10.200.99.125:Cisco:hmac-sha2-256-etm@openssh.com:aes128-ctr

I've tried without the @xxxx and the result is the same

CLIENT:SWITCH:10.200.99.125:Cisco:hmac-sha2-256-etm:aes128-ctr

And the log of the switch, at the end we see that he don't use the cipher

[syslog@9 s_sn="61006" s_tc="155794"]: Jan  6 10:24:30.157: %SSH-3-NO_MATCH: No matching mac found: client hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-96,hmac-sha2-256-96,hmac-sha1,hmac-sha1-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-md5,hmac-md5-96,none server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
[syslog@9 s_sn="61007" s_tc="155795"]: Jan  6 10:24:30.157: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.200.22.1 (tty = 1) using crypto cipher '', hmac '' Failed
[syslog@9 s_sn="61008" s_tc="155796"]: Jan  6 10:24:30.157: %SSH-5-SSH2_CLOSE: SSH2 Session from 10.200.22.1 (tty = 1) for user '' using crypto cipher '', hmac '' closed
[syslog@9 s_sn="61009" s_tc="155797"]: Jan  6 10:24:31.438: %SSH-3-NO_MATCH: No matching mac found: client hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-96,hmac-sha2-256-96,hmac-sha1,hmac-sha1-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-md5,hmac-md5-96,none server hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
[syslog@9 s_sn="61010" s_tc="155798"]: Jan  6 10:24:31.438: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.200.22.1 (tty = 1) using crypto cipher '', hmac '' Failed
[syslog@9 s_sn="61011" s_tc="155799"]: Jan  6 10:24:31.438: %SSH-5-SSH2_CLOSE: SSH2 Session from 10.200.22.1 (tty = 1) for user '' using crypto cipher '', hmac '' closed

Here is the of the SSH manual connection from the VM that host the oxidized docker

[syslog@9 s_sn="61099" s_tc="155887"]: Jan  6 10:40:40.729: %SSH-5-SSH_COMPLIANCE_VIOLATION_HOSTK_ALGO: SSH Host-key Algorithm compliance violation detected.Kindly note that weaker Host-key Algorithm 'ssh-rsa' will be disabled by-default in the upcoming releases.Please configure more stronger Host-Key algorithms to avoid service impact.
[syslog@9 s_sn="61100" s_tc="155888"]: Jan  6 10:40:40.978: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.200.22.1 (tty = 0) using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
[syslog@9 s_sn="61101" s_tc="155889"]: Jan  6 10:40:46.979: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: login] [Source: 10.200.22.1] [localport: 22] at 10:40:46 UTC Mon Jan 6 2025
[syslog@9 s_sn="61102" s_tc="155890"]: Jan  6 10:40:46.979: %SSH-5-SSH2_USERAUTH: User 'login' authentication for SSH2 Session from 10.200.22.1 (tty = 0) using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded

[robertcheramy]

Are you using the official oxidized docker image or a self build image?
The supported algorithms depend on the Net::SSH Version, which one are you using?
Can you give the output of gem info net-ssh inside the container?

[thomasbruchet]

Hi

I use the official oxidized docker image oxidized/oxidized,

# docker ps
CONTAINER ID   IMAGE                           COMMAND                  CREATED        STATUS        PORTS                                                                      NAMES
2e27451d4065   oxidized/oxidized:latest        "/sbin/my_init"          22 hours ago   Up 22 hours   127.0.0.1:8888->8888/tcp                                                   oxidized
0642ed39ff79   weseek/nginx-auth-ldap:alpine   "sh -c 'nginx-envsub…"   22 hours ago   Up 22 hours   0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp   nginx

The command don't work

# docker exec -it 2e27451d4065 /bin/bash
root@2e27451d4065:/# gem info net-ssh
ERROR:  While executing gem ... (Gem::CommandLineError)
    Unknown command info
root@2e27451d4065:/#

I do a gem list if that can help you

root@2e27451d4065:/# gem list | grep ssh
net-ssh (5.2.0)

Regards