can't agree on kex algorithms after upgrading 6900 OS

jglatorre
Member
Posts: 6
Joined: 12 Oct 2022 15:12

can't agree on kex algorithms after upgrading 6900 OS

Post by jglatorre »

Hello Engineers,

I need some help trying to figure out the problem here. I have made an upgrade of my OS6900 to this version:
Description: Alcatel-Lucent Enterprise OS6900-X48C6 8.9.107.R02 GA, March 16, 2023.,
But I noticed that I can't jump into the switch from my router or other switches located on the same network. I tried from my router, and this message appears:

Router Mikrotik SAN CAYETANO > system ssh 172.16.0.1 user=admin
can't agree on KEX algorithms


As recommended in the OmniSwitch AOS Release 8.9R2 Release Notes (Rev. D), I tried changing these options:
https://www.al-enterprise.com/-/media/a ... -rev-d.pdf

SW_BOGOTA_REGIONAL_CORE show ssh
Ssh Admin-State = Enabled
Ssh Port = 22
Ssh Enforce-Pubkey-Auth = Disabled
Ssh Strong-Ciphers = Enabled/disabled
Ssh Strong-Hmacs = Disabled/enabled
Ssh login-grace-time = 600 seconds
Ssh AllowTcpForwarding = NONE


But it didn't work. I can get access via SSH using PuTTY with the latest version.

Looking forward to your reply.
Gleylancer
Member
Posts: 156
Joined: 08 May 2013 03:14

Re: can't agree on kex algorithms after upgrading 6900 OS

Post by Gleylancer »

Check the encryption logs on the Mikrotik Device to see why the key exchange fails. My guess is that the device doesn't support the minimum encryption required by the OS6900.
jglatorre
Member
Posts: 6
Joined: 12 Oct 2022 15:12

Re: can't agree on kex algorithms after upgrading 6900 OS

Post by jglatorre »

Thank you, I'll verify... Should I look for some specific item? Looking in the Mikrotik forums, I found that I could change some features on the router:

On Router Mikrotik:

/ip ssh set strong-crypto=yes
/ip ssh set strong-crypto=no

However, the error message is the same. At the end of the post they said: "how to permit weaker ciphers at their end" (Alcatel device).

This is the forum: https://forum.mikrotik.com/viewtopic.php?t=167351
silvio
Alcatel Unleashed Certified Guru
Posts: 1896
Joined: 01 Jul 2008 10:51
Location: Germany

Re: can't agree on kex algorithms after upgrading 6900 OS

Post by silvio »

You see it in your own output from "show ssh": you have to disable strong-ciphers and/or strong-hmacs.
For example: ssh strong-ciphers disable
jglatorre
Member
Posts: 6
Joined: 12 Oct 2022 15:12

Re: can't agree on kex algorithms after upgrading 6900 OS

Post by jglatorre »

Thank you for your reply,

This is what the ssh config looks like:

SW_BOGOTA_REGIONAL_CORE show ssh
Ssh Admin-State = Enabled
Ssh Port = 22
Ssh Enforce-Pubkey-Auth = Disabled
Ssh Strong-Ciphers = Disabled
Ssh Strong-Hmacs = Disabled
Ssh login-grace-time = 600 seconds
Ssh AllowTcpForwarding = NONE

I had tried enabling Strong-Ciphers and Ssh Strong-Hmacs, but it is still not working. I have already upgraded the Mikrotik version; however, I can't connect to the switch jumping from the router, but I can jump into the switch with PuTTY in the same LAN.

Mikrotik Router Version: Mikrotik 7.11.1 Stable
Release tree: https://mikrotik.com/download/changelogs

Best regards
Gleylancer
Member
Posts: 156
Joined: 08 May 2013 03:14

Re: can't agree on kex algorithms after upgrading 6900 OS

Post by Gleylancer »

Are you viewing the configuration for the ssh server or the ssh client? Or both?

And as I've said previously, check the logs. Enable ssh debug if necessary. This is the only way of actually finding out what's happening.
jglatorre
Member
Posts: 6
Joined: 12 Oct 2022 15:12

Re: can't agree on kex algorithms after upgrading 6900 OS

Post by jglatorre »

Thank you, I'll try. The previous show ssh is from the Alcatel switch.