05-11-2015 11:25 AM
I have my FC switches ( 5100s, Brocade Encryption Switches, M5424s, etc. ) set up and running in FIPS mode. During the SSH login phase of the SAN Health login:
Connection Refused Error Code:30044 No available encryption algorithms match with the server.
Is there an option to get the correct encryption algorithms for SSH enabled? Was this something left out of the SAN Health Software package?
05-11-2015 11:32 AM
Please make sure you are using the latest SAN Health version from http://brocade.com/sanhealth. Also, please first manually SSH to the switches using something like PuTTY to make sure the server has the correct encryption algorithms. You'll need to do this from the same server that has SAN Health installed. Please let us know the outcome.
05-11-2015 11:58 AM
Running 4.0.5b ( latest I can find on the Brocade Website )
Using Putty ( 0.63 ) and have been able to ssh manually from the SAN health workstation.
login as: <me>
Appl Primary/Secondary Versions
sxx-b6510-x-x:<me>> fipscfg --verify fips
Standby firmware supports FIPS - PASS
SELF tests check has passed - PASS
Root account check has passed - PASS
Radius check has passed - PASS
Authentication check has passed - PASS
Inflight Encryption check has passed - PASS
IPSec check has passed - PASS
IPv6 policies FIPS compliant - PASS
IPv6 policies FIPS compliant - PASS
SNMP is in read only mode. - PASS
Bootprom access is disabled. - PASS
Firmwaredownload signature verification is enabled. - PASS
Secure config upload/download is enabled. - PASS
SSH DSA Keys check passed - PASS
Inband Management interface is disabled - PASS
Ipsecconfig is disabled. - PASS
Certificates validation has passed - PASS
SSH config is FIPS compliant - PASS
Everything works as expected when SSHing into this host. My fear is that the FIPS-compliant algorithms are not built into SAN Health, or are not normally enabled.
02-29-2016 08:29 PM
Latest version 4.0.6 gives the same message; it bombs out straight away
INFO-15:12:20 Starting Session to 10.47.178.90
INFO-15:12:21 Attempt SSH connection to 10.47.178.90 WWN Unknown(Wait 8 seconds)
INFO-15:12:22 Connection Refused Error Code:30044 No available encryption algorithms match with the server.
CLOSE-15:12:22 Check the IP address and login credentials you entered
CLOSE-15:12:22 Check that you can telnet (or SSH) to the switch from this workstation
CLOSE-15:12:22 Try increasing the Time-Out value under the Options menu
SSH works fine directly; looks like a SAN Health SSH issue
03-01-2016 01:47 PM
Is this occurring with SAN Health running against a Cisco 9513 and is it running firmware 6.2(13a)? If so, we have a fix for it in version 4.0.7 which is due out in the next couple weeks. Please let us know at email@example.com if it is and we'll get you a test build of 4.0.7 to run if you are interested. If you'd rather wait until the GA version, please check http://brocade.com/sanhealth in a week or two.
03-02-2016 07:22 PM
I am getting a similar issue while running on a Cisco SAN with the latest version of 6.2.
The strange part is that I am able to successfully run SAN Health on two fabrics with the same code, but I am not able to use it with other fabrics having the same code.
I am able to SSH/TELNET from the same workstation but I am not able to go through from SAN Health.
Would you please help me by sharing the latest version so that I can give it a try? I am sure it will not impact any production environment since it is not GA.
03-22-2016 07:25 AM
Version 4.07a now talks via ssh to Cisco MDS 9513's v6.2.11c ....waiting on generated report back to see how well it really worked:-)
05-05-2016 04:40 PM
Just to fill in the details for this:
SSH uses encryption ciphers, and for data integrity verification it uses a Message Authentication Code (MAC) algorithm.
The error message was occurring as we needed to add support for an additional MAC type that these boxes/firmware levels started using.
SAN Health 4.0.7 added support for all modern variants of hmac and resolves this issue.
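Added example, not part of the original post and not SAN Health's code: a simplified model of SSH algorithm negotiation showing how a client and server can share ciphers and still fail because no MAC is common, and how to name the failing category. The algorithm lists are constructed for illustration and are assumptions, not the real proposals of SAN Health or of any switch in this thread.

```python
# Simplified model of SSH algorithm negotiation (RFC 4253, section 7.1):
# per category, the first entry in the CLIENT's list that the server also
# lists is chosen; an empty intersection in any category ends the connection.
# One direction only; the kex/host-key interplay in the RFC is not modelled.
CATEGORIES = ("kex", "host_key", "encryption", "mac")

# Constructed sample lists, NOT the real SAN Health or switch proposals.
OLD_CLIENT = {
    "kex": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "host_key": ["ssh-rsa", "ssh-dss"],
    "encryption": ["aes128-ctr", "aes256-ctr", "aes128-cbc", "3des-cbc"],
    "mac": ["hmac-sha1", "hmac-md5"],
}
SERVER = {
    "kex": ["diffie-hellman-group14-sha1"],
    "host_key": ["ssh-rsa"],
    "encryption": ["aes128-ctr", "aes256-ctr"],
    "mac": ["hmac-sha2-256", "hmac-sha2-512"],
}
# Same client after gaining the SHA-2 HMACs (names from RFC 6668).
UPDATED_CLIENT = dict(
    OLD_CLIENT, mac=["hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"]
)


def negotiate(client, server):
    """Return (chosen, failed): chosen maps category -> algorithm,
    failed lists the categories with no algorithm in common."""
    chosen, failed = {}, []
    for cat in CATEGORIES:
        match = next((a for a in client[cat] if a in server[cat]), None)
        if match is None:
            failed.append(cat)
        else:
            chosen[cat] = match
    return chosen, failed


def explain(client, server):
    """Name the blocking category, which a generic
    'no algorithms match' message does not do."""
    _, failed = negotiate(client, server)
    if not failed:
        return "ok"
    return "; ".join(
        f"{cat}: client offers {client[cat]}, server offers {server[cat]}"
        for cat in failed
    )
```

To collect the real lists for a comparison like this, an OpenSSH client run with `ssh -vv` prints both sides' KEXINIT proposals, including the MAC lists.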
05-22-2017 01:12 PM
SAN Health 4.07 (downloaded 5-22-17) is not working with NX-OS 6.2(19) on 9396s (96 port IBM branded MDS)
Times out at sending "my id". BSH blows up (exits) after using stop activity for early termination. I unchecked "my id" in options. No joy. Seems BSH thinks this is a Brocade switch?
Other switch still running 6.2(13) adds OK.
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2017, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
BIOS: version 5.2.19
loader: version N/A
kickstart: version 6.2(19)
system: version 6.2(19)
BIOS compile time: 05/15/2015
kickstart image file is: bootflash:///m9300-s1ek9-kickstart-mz.6.2.19.bin
kickstart compile time: 1/30/2017 23:00:00 [03/10/2017 15:18:30]
system image file is: bootflash:///m9300-s1ek9-mz.6.2.19.bin
system compile time: 1/30/2017 23:00:00 [03/10/2017 18:14:20]
cisco MDS 9396S 96X16G FC (2 RU) Chassis ("2/4/8/10/16 Gbps FC/Supervisor-4")
Motorola, 476fpe, core 0 with 3891476 kB of memory.
Processor Board ID REDACTED
Device name: REDACTED
05-22-2017 02:54 PM
SAN Health uses the SSH fingerprint to ID the switch type, and you're correct: it is failing to find a match for the fingerprint and then defaulting to see if it responds to the Brocade myid command as the next step in trying to determine the switch type.
It's a different issue and unrelated to what's in this old thread.
For support, please email SHAdmin@brocade.com as then we can look at the log and then see what the SSH fingerprint actually is rather than guessing at a solution.
That said, it's a fairly solid guess as there are a few new SSH fingerprints and we have already added them into an upcoming patch release. Email SHAdmin@brocade.com and we can get that to you.