Unable to negotiate with UNKNOWN port 65535: no matching key exchange method found.

Modified on Mon, 7 Nov, 2022 at 1:31 PM

Authentication server fails to connect to Management Console (MC), sdotun service is not started or flapping (restarts every a few milliseconds.

The issue:

When ssh to management nodes, receiving following error message:

Unable to negotiate with UNKNOWN port 65535: no matching key exchange method found. Their offer: curve25519-sha256 Unable to negotiate with UNKNOWN port 65535: no matching key exchange method found. Their offer: curve25519-sha256

Use “-o KexAlgorithms=curve25519-sha256” to enable the key exchange algorithm, then receiving following error:

Unable to negotiate with UNKNOWN port 65535: no matching cipher found. Their offer: chacha20-poly1305@openssh.com

Added “-o KexAlgorithms=curve25519-sha256 -o cipher=chacha20-poly1305@openssh.com” to ssh parameters, the issue is gone.

 


When you run journal, you can see the following print: Unable to negotiate with UNKNOWN port 65535: no matching key exchange method found. Their offer: curve25519-sha256


When you try to connect with sdo user to MC using ssh, you will see the following error:



When you try to connect with sdo user to MC using ssh -v, you will see the following error:




Cause:

Allowed algorithms in /etc/crypto-policies/back-ends/openssh.config is different from other working nodes.

On the node had this issue, /etc/crypto-policies/back-ends/openssh.config is link to /usr/share/crypto-policies/FIPS/openssh.txt while working nodes are link to /usr/share/crypto-policies/DEFAULT/openssh.txt which has a wider list of algorithms.

 

Fix:

Switch to /usr/share/crypto-policies/DEFAULT/openssh.txt fixed the issue with a soft link:


ln -s /usr/share/crypto-policies/DEFAULT/openssh.txt /etc/crypto-policies/back-ends/openssh.config

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article