Unable to connect to Cisco IOS due to KexAlgorithms


Bikram

Jul 7, 2023, 3:07:12 PM
to ansible...@googlegroups.com

Hi Team,


While I am trying to run an ansible playbook to connect to a Cisco IOS switch, it is throwing me the following error which is related to KexAlgorithms (diffie-hellman-group1-sha1).


Ansible-playbook run log:

[FinAdmin@gns-ansible playbooks]$ ansible-playbook image_copy_cisco_ios.yaml --limit 'twddxcsw04'

PLAY [Copy image file to device] ************************************************************************************************************************************************************

TASK [twddxcsw04 Normalize variables] *********************************************************************************************************************************************************

ok: [twddxcsw04]

TASK [Get Hardware Type of Remote Device.] **************************************************************************************************************************************************

fatal: [twddxcsw04]: FAILED! => {"changed": false, "msg": "ssh connection failed: ssh connect failed: kex error : no match for method kex algos: server [diffie-hellman-group1-sha1], client [curve25519-sha256,curve255...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1]"}

PLAY RECAP **********************************************************************************************************************************************************************************

twddxcsw04                   : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0




I tried to fix it by adding the Kex Algo to the '/etc/ssh/ssh_config' file. After that I can ssh to the switch:

Host 10.xx.xx.*
        KexAlgorithms +diffie-hellman-group1-sha1


SSH output:

[Admin@gns-ansible playbooks]$ ssh user1@twddxcsw04

C

********************************************************************************
********************************************************************************
**                       WARNING!   WARNING!   WARNING!                       **
********************************************************************************
********************************************************************************
**          Unauthorized access to this system is strictly prohibited         **
**             Unauthorized access will be subject to legal action            **
**               If you are not authorized to access this system              **
**               D I S C O N N E C T     I M M E D I A T E L Y  !             **
********************************************************************************

(user1@twddxcsw04) Password:



Even after adding the Kex Algo to the file above, ansible is giving me the same error. I also tried to add an argument as a variable to the vars file as below, but no luck.


ansible_ssh_common_args: '-o KexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-rsa -o Ciphers=+aes256-cbc'


In summary, even though ssh works, ansible-playbook fails.


A resolution is much appreciated.


Thank you.

Bikram Biswas
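An added illustration, not part of Bikram's post or of Ansible itself: the failing text has the shape of libssh's key-exchange error, so it is the SSH library behind network_cli, not the OpenSSH client that the ssh_config entry and ansible_ssh_common_args configure, that rejected the switch's single offer. The script below, using constructed sample messages modelled on the thread's error, parses such a message, reports what overlaps and what the client would have to enable, and flags why diffie-hellman-group1-sha1 is disabled by default.

```python
import re

# Key-exchange methods that current OpenSSH and libssh clients disable by default,
# with the well-known reason for each.
LEGACY_KEX = {
    "diffie-hellman-group1-sha1": "1024-bit DH group (too small for long-term security) and SHA-1 hash",
    "diffie-hellman-group14-sha1": "2048-bit DH group, but SHA-1 exchange hash",
    "diffie-hellman-group-exchange-sha1": "negotiated DH group, but SHA-1 exchange hash",
}

# Shape of the libssh failure text as it appears inside the Ansible "msg" field.
KEX_RE = re.compile(r"server \[(?P<server>[^\]]*)\], client \[(?P<client>[^\]]*)\]")


def parse_kex_error(msg):
    """Split a 'no match for method kex algos' message into (server_list, client_list)."""
    m = KEX_RE.search(msg)
    if not m:
        raise ValueError("not a kex mismatch message")

    def split(s):
        return [a.strip() for a in s.split(",") if a.strip()]

    return split(m.group("server")), split(m.group("client"))


def analyse(server, client):
    """Explain a mismatch: shared methods, what the client lacks, and whether the server is legacy-only."""
    common = [k for k in client if k in server]       # kept in client preference order
    missing = [k for k in server if k not in client]  # what a '+...' client setting would enable
    return {
        "common": common,
        "missing_on_client": missing,
        "server_only_legacy": all(k in LEGACY_KEX for k in server),
        "legacy_reasons": {k: LEGACY_KEX[k] for k in server if k in LEGACY_KEX},
    }


# Constructed sample: server side as in the thread's error, a shortened client list.
THREAD_MSG = ("ssh connection failed: ssh connect failed: kex error : no match for method kex algos: "
              "server [diffie-hellman-group1-sha1], client [curve25519-sha256,ecdh-sha2-nistp256,"
              "diffie-hellman-group14-sha256,diffie-hellman-group14-sha1]")

if __name__ == "__main__":
    server, client = parse_kex_error(THREAD_MSG)
    print(analyse(server, client))
    # Constructed second case: a device that still offers group14-sha1 as well, so a
    # default client can connect, but the group1 offer remains worth flagging.
    print(analyse(["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"],
                  ["curve25519-sha256", "diffie-hellman-group14-sha1"]))
```

The first case reproduces the thread: no shared method, and the only thing the switch offers is a legacy algorithm, which is the situation a client-side "+" setting is being used to paper over.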

 

Dick Visser

Jul 8, 2023, 2:07:37 AM
to ansible...@googlegroups.com
What does your inventory look like?

--
Sent from Gmail Mobile

Sagar Paul

Jul 9, 2023, 1:26:03 PM
to ansible...@googlegroups.com
Hey Bikram,

Do you face a similar issue when the connection is set to libssh?
Try using ansible_network_cli_ssh_type=libssh
And, would you share some details of your environment, and which appliance version you are using?

Regards,

Sagar Paul

Bikram

Jul 10, 2023, 9:04:49 AM
to ansible...@googlegroups.com
Hi Sagar,

Yes, I tried setting ansible_network_cli_ssh_type=libssh and ansible_network_cli_ssh_type=paramiko, but no success.
I think libssh is the default ssh type for ansible.

I wanted to know if ansible supports Cisco IOS software version 12.2(55)SE10.

This version will not allow you to change KEX algo or any other crypto information.

Thanks
Bikram

Bikram

Jul 10, 2023, 9:12:53 AM
to ansible...@googlegroups.com
Hi Dick,

Here is the sample of my inventory:

[ios]
twddxcsw04 ansible_host=10.x.x.x ansible_ssh_user=xxxx ansible_ssh_pass=xxxx


Thanks
Bikram

dbs34

Jul 10, 2023, 1:09:20 PM
to Ansible Project
I had a very similar problem that was resolved by creating a file called config under the user's .ssh directory. This file contains:

Host k200 hoitsw0* hosw*0* hoswe0* mislxsrv stage instore central zzswm01 sysadm rvswm0* clswm0* cmswa0* cmswm0* crsw* gwswm*
    Ciphers +aes256-cbc,3des-cbc
    KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
    HostKeyAlgorithms +ssh-dss

I hope that helps you!

Dick Visser

Jul 10, 2023, 1:46:37 PM
to ansible...@googlegroups.com
I don't see you setting ansible_connection anywhere. 
According to 
There are a bunch of other settings as well 

Bikram

Jul 10, 2023, 2:13:21 PM
to ansible...@googlegroups.com
Hi Dick,

ansible_connection is 'ansible.netcommon.network_cli', which is inside the playbook.

Thanks
Bikram
