This document covers how to address Security Management Appliance (SMA) and Email Security Appliance (ESA) integration failures that result in the errors "(3, 'Could not find matching key exchange algorithm.')" or "Unexpected EOF on connect", along with additional symptoms.
When the SMA first connects to the ESA during integration, it offers the following ciphers/key exchange algorithms to the ESA:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
The issue occurs when integrating the SMA with the ESA from the GUI > Management Appliance > Centralized Services > Security Appliances or the CLI > applianceconfig. The issue prompts an error on connection; this is due to the ESA missing some of the kex algorithms/cipher algorithms.
1. (3, 'Could not find matching key exchange algorithm.')
2. Error — Unexpected EOF on connect.
To resolve this, the ESA SSH cipher configuration needs to be brought back to the default values provided:
Choose the operation you want to perform:
- SSHD - Edit SSH server settings.
- USERKEY - Edit SSH User Key settings
- ACCESS CONTROL - Edit SSH whitelist/blacklist
ssh server config settings:
Public Key Authentication Algorithms:
Minimum Server Key Size:
The output from the CLI > sshconfig > sshd step-by-step setup:
Enter the Public Key Authentication Algorithms do you want to use [rsa1,ssh-dss,ssh-rsa]>
Enter the Cipher Algorithms do you want to use [aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,firstname.lastname@example.org]>
Enter the MAC Methods do you want to use [hmac-md5,hmac-sha1,email@example.com,hmac-ripemd160,firstname.lastname@example.org,hmac-sha1-96,hmac-md5-96]>
Enter the Minimum Server Key Size do you want to use >
Enter the KEX Algorithms do you want to use [diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521]>
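The following added example (not part of the original document or Cisco tooling) shows why the integration fails and what restoring the defaults changes, using a simplified form of the SSH name-list rule in RFC 4253 section 7.1: the first algorithm on the client's list that the server also supports is chosen. The default KEX list is copied from the prompt above; the SMA offer and the current ESA setting are constructed sample values, and all function names are hypothetical.

```python
# Added example: SSH KEX negotiation check (simplified RFC 4253, section 7.1).

# ESA default KEX list, copied from the sshconfig prompt shown on this page.
ESA_DEFAULT_KEX = (
    "diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,"
    "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,"
    "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521"
)

# Constructed sample values (assumptions, not taken from a real appliance).
SAMPLE_SMA_OFFER = "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1"
SAMPLE_ESA_CURRENT = "ecdh-sha2-nistp256,ecdh-sha2-nistp384"


def parse_list(value):
    """Split a comma-separated name-list, keeping order, dropping blanks and repeats."""
    seen, out = set(), []
    for name in value.split(","):
        name = name.strip()
        if name and name not in seen:
            seen.add(name)
            out.append(name)
    return out


def negotiate(client_offer, server_config):
    """Return the first client algorithm the server also supports, else None."""
    server = set(parse_list(server_config))
    for name in parse_list(client_offer):
        if name in server:
            return name
    return None


def missing_from_default(current, default):
    """Default algorithms that are absent from the current configuration."""
    have = set(parse_list(current))
    return [name for name in parse_list(default) if name not in have]


def report(client_offer, current, default):
    """Summarise the current negotiation result and the result after a restore."""
    chosen = negotiate(client_offer, current)
    return {
        "negotiated": chosen,
        "connects": chosen is not None,
        "removed_from_default": missing_from_default(current, default),
        "after_restore": negotiate(client_offer, default),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_SMA_OFFER, SAMPLE_ESA_CURRENT, ESA_DEFAULT_KEX).items():
        print(f"{key}: {value}")
```

A `negotiated` value of `None` corresponds to the "Could not find matching key exchange algorithm" condition; substitute the lists from your own appliances for the sample values.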