Unable to Cisco IOS due to KexAlgorithms

Archives Ansible Project
1

Hi Team,

While I am trying to run an ansible playbook to connect to a Cisco IOS switch, it is throwing me the following error which is related to KexAlgorithms (diffie-hellman-group1-sha1).

Ansible-playbook run log:

[FinAdmin@gns-ansible playbooks]$ ansible-playbook image_copy_cisco_ios.yaml --limit ‘twddxcsw04’

PLAY [Copy image file to device] ************************************************************************************************************************************************************

TASK [ twddxcsw04 Normalize variables] *********************************************************************************************************************************************************

ok: [ twddxcsw04 ]

TASK [Get Hardware Type of Remote Device.] **************************************************************************************************************************************************

fatal: [ twddxcsw04 ]: FAILED! => {“changed”: false, “msg”: “ssh connection failed: ssh connect failed: kex error : no match for method kex algos: server [diffie-hellman-group1-sha1], client [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1]”}

PLAY RECAP **********************************************************************************************************************************************************************************

twddxcsw04 : ok=1 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0

I tried to fix it by adding Kex Algo to ‘/etc/ssh/ssh_config file’. After that I can ssh to the switch

[Host 10.xx.xx.*

KexAlgorithms +diffie-hellman-group1-sha1]

SSH output:

[Admin@ gns-ansible playbooks]$ ssh user1@twddxcsw04

C

2

What does your inventory look like?

3

Hey Bikram,

Do you face a similar issue when the connection is set to libssh?
Try using ansible_network_cli_ssh_type=libssh
And, would you share some details of your environment, and which appliance version you are using?

Regards,

Sagar Paul

4

Hi Sagar,

Yes, I tried settings ansible_network_cli_ssh_type = libssh and ansible_network_cli_ssh_type=paramiko but no success.
I think libssh is the default ssh type for ansible.

I wanted to know if ansible supports Cisco IOS soft version: 12.2(55)SE10.

This version will not allow you to change KEX algo or any other crypto information.

Thanks
Bikram

5

Hi Dick,

Here is the sample of my inventory:

[ios]
twddxcsw04 ansible_host = 10.x.x.x ansible_ssh_user=xxxx ansible_ssh_pass=xxxx

Thanks
Bikram

6

I had a very similar problem that was resolved by creating a file called config under the users .ssh directory. this file contains

Host k200 hoitsw0* hosw0 hoswe0* mislxsrv stage instore central zzswm01 sysadm rvswm0* clswm0* cmswa0* cmswm0* crsw* gwswm*
Ciphers +aes256-cbc,3des-cbc
KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
HostKeyAlgorithms +ssh-dss

I hope that helps you!

7

I don’t see you setting ansible_connection anywhere.
According to
https://docs.ansible.com/ansible/latest/network/user_guide/network_best_practices_2.5.html that is recommended.
There are a bunch of other settings as well

8

Hi Dick,

ansible_connection is ‘ansible.netcommon.network_cli’ which is inside the playbook.

Thanks
Bikram