Updated: April 4, 2019
This document describes how to address Security Management Appliance (SMA) and Email Security Appliance (ESA) integration failures that result in the errors "(3, 'Could not find matching key exchange algorithm.')" or "Unexpected EOF on connect", along with additional symptoms.
When the SMA first connects to the ESA during integration, the SMA offers the following ciphers/key exchange algorithms to the ESA:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
The issue occurs when you integrate the SMA with the ESA from GUI > Management Appliance > Centralized Services > Security Appliances or from CLI > applianceconfig. The connection attempt returns an error because the ESA is missing some of the kex algorithms/cipher algorithms.
1. (3, 'Could not find matching key exchange algorithm.')
2. Error — Unexpected EOF on connect.
To resolve this, the ESA SSH cipher configuration needs to be brought back to the default values provided:
Choose the operation you want to perform:
- SSHD - Edit SSH server settings.
- USERKEY - Edit SSH User Key settings
- ACCESS CONTROL - Edit SSH whitelist/blacklist
ssh server config settings:
Public Key Authentication Algorithms:
Minimum Server Key Size:
The output from CLI > sshconfig > sshd during the step-by-step setup:
Enter the Public Key Authentication Algorithms do you want to use [rsa1,ssh-dss,ssh-rsa]>
Enter the Cipher Algorithms do you want to use [aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se]>
Enter the MAC Methods do you want to use [hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96]>
Enter the Minimum Server Key Size do you want to use >
Enter the KEX Algorithms do you want to use [diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521]>
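The following is an added example, not Cisco code: it models SSH algorithm negotiation (RFC 4253: the first algorithm on the client's list that the server also supports is chosen) to show why a trimmed ESA configuration produces the key exchange error and which default entries restore overlap. The client offer and the trimmed ESA configuration are constructed sample values, since the SMA's actual offer is not listed on this page; the function names are hypothetical.

```python
# ESA defaults copied from the sshconfig > sshd prompts above
# (the "@"-suffixed cipher entry is left out for brevity).
ESA_DEFAULTS = {
    "kex": ("diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,"
            "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,"
            "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521").split(","),
    "cipher": ("aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,"
               "blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc").split(","),
}

# Constructed sample (assumption): what an older SSH client might offer.
SAMPLE_CLIENT_OFFER = {
    "kex": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "cipher": ["aes128-cbc", "3des-cbc"],
}

# Constructed sample (assumption): an ESA whose lists were trimmed from the defaults.
TRIMMED_ESA = {
    "kex": ["ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"],
    "cipher": ["aes128-ctr", "aes192-ctr", "aes256-ctr"],
}


def negotiate(client, server):
    """Per category, pick the first client algorithm the server supports (None if no overlap)."""
    chosen = {}
    for category, offered in client.items():
        supported = set(server.get(category, []))
        chosen[category] = next((alg for alg in offered if alg in supported), None)
    return chosen


def missing_categories(client, server):
    """Categories with no common algorithm; any one of them aborts the SSH handshake."""
    return [cat for cat, alg in negotiate(client, server).items() if alg is None]


def algorithms_to_restore(client, server, defaults):
    """For each failing category, the default entries the client offers that the server dropped."""
    return {cat: [alg for alg in defaults[cat] if alg in client[cat]]
            for cat in missing_categories(client, server)}


if __name__ == "__main__":
    print("defaults:", negotiate(SAMPLE_CLIENT_OFFER, ESA_DEFAULTS))
    print("trimmed :", negotiate(SAMPLE_CLIENT_OFFER, TRIMMED_ESA))
    print("restore :", algorithms_to_restore(SAMPLE_CLIENT_OFFER, TRIMMED_ESA, ESA_DEFAULTS))
```

`algorithms_to_restore` reports only the entries needed for overlap with the given client offer, which is a narrower set than the full default lists.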