Exception is thrown when devices with old kex algorithms (SHA1) try to callhome to ODL.
This issue looks similar to fixed NETCONF-765 (SHA1 Nodes working properly if we add them without callhome) and probably related to disabled SHA1 algorithm in Mina SSHD since 2.6.0, but some devices cannot be upgraded with new SSH modules (i.e. use new KEX algorithms ).
debug.log details :
2022-06-18T19:40:33.297Z||entLoopGroup-4-1|INFO |LoggingHandler |72 - io.netty.common - 4.1.69.Final|[id: 0x4914be67, L:/0.0.0.0:6666] READ: [id: 0x5d01a013, L:/10.233.72.16:6666 - R:/10.233.64.27:64288] 2022-06-18T19:40:33.299Z||entLoopGroup-4-1|INFO |LoggingHandler |72 - io.netty.common - 4.1.69.Final|[id: 0x4914be67, L:/0.0.0.0:6666] READ COMPLETE 2022-06-18T19:40:33.308Z||entLoopGroup-4-1|WARN |ClientSessionImpl |402 - org.opendaylight.netconf.shaded-sshd - 2.0.11|exceptionCaught(ClientSessionImpl[null@/10.233.64.27:64288])[state=Opened] SshException: Unable to negotiate key exchange for kex algorithms (client: ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group18-sha512,diffie-hellman-group17-sha512,diffie-hellman-group16-sha512,diffie-hellman-group15-sha512,diffie-hellman-group14-sha256,ext-info-c / server: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1) 2022-06-18T19:40:33.308Z||entLoopGroup-4-1|INFO |ClientSessionImpl |402 - org.opendaylight.netconf.shaded-sshd - 2.0.11|Disconnecting(ClientSessionImpl[null@/10.233.64.27:64288]): SSH2_DISCONNECT_KEY_EXCHANGE_FAILED - Unable to negotiate key exchange for kex algorithms (client: ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group18-sha512,diffie-hellman-group17-sha512,diffie-hellman-group16-sha512,diffie-hellman-group15-sha512,diffie-hellman-group14-sha256,ext-info-c / server: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1)
- is blocked by
-
NETCONF-942 Callhome session is closed after allowing device to connect
- Resolved
- relates to
-
NETCONF-765 Auth failed - Unable to negotiate key exchange for kex algorithms
- Resolved