Data Protection Advisor: Data Domain SSH requests fail

Summary: All Data Protection Advisor (DPA) Data Domain SSH requests for one Data Domain fail with error "Unable to exchange encryption keys."


Symptoms

All DPA Data Domain SSH requests for one Data Domain fail with error "Unable to exchange encryption keys."

The following warning message is seen in dpaagent.log for the Agent that is used to collect from this Data Domain:

WARN    14276.10356    20200103:164719              com.ssh - aapiSSHInitSession(): Error starting ssh session for host <DD_hostname_or_IP>. -5: Unable to exchange encryption keys

Cause

The SSH ciphers or MACs in use by the DPA Agent do not match the SSH ciphers or MACs on the Data Domain that DPA is attempting to collect from.

Resolution

To communicate successfully over SSH, both devices must use the same cipher or MAC set. If a common cipher or MAC set cannot be found between the two devices, the SSH connection fails. To resolve this issue, update the cipher or MAC set on either or both of the devices attempting to communicate.

Follow the steps below:

  1. Run the following command on the Data Domain:
adminaccess ssh option show

Its output looks like this:
 
Option            Value                                                                                                                                                                                       
---------------   -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
session-timeout   default (infinite)                                                                                                                                                                          
server-port       default (22)                                                                                                                                                                                
ciphers           aes256-cbc,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com                                                                                                      
macs              umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
---------------   -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
  2. Check whether the ciphers in that output include any of the following:
aes256-cbc, rijndael-cbc@lysator.liu.se, aes192-cbc, aes128-cbc, arcfour128, arcfour, 3des-cbc

If not, run the following command on the Data Domain:

adminaccess ssh option set ciphers 'aes256-cbc,<existing_ciphers_on_DD>'

  3. Check whether the MACs in that output include any of the following:
hmac-sha2-256, hmac-sha2-512, hmac-sha1, hmac-sha1-96, hmac-md5, hmac-md5-96

If not, run the following command on the Data Domain:

adminaccess ssh option set macs 'hmac-sha2-256,hmac-sha2-512,<existing_macs_on_DD>'
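
The check in steps 2 and 3, as an added example (not Dell code; the function names are hypothetical): a Python script that parses the adminaccess ssh option show output and builds only the set commands that are needed. It compares exact algorithm names and assumes the ciphers and macs rows list explicit names, as in the sample output above.

```python
# Added example, not Dell code. Function names are hypothetical.
# Algorithm names the article lists for steps 2 and 3 (the DPA Agent side).
AGENT = {
    "ciphers": ["aes256-cbc", "rijndael-cbc@lysator.liu.se", "aes192-cbc",
                "aes128-cbc", "arcfour128", "arcfour", "3des-cbc"],
    "macs": ["hmac-sha2-256", "hmac-sha2-512", "hmac-sha1", "hmac-sha1-96",
             "hmac-md5", "hmac-md5-96"],
}
# What the article's commands prepend when no listed name is present.
PREPEND = {"ciphers": ["aes256-cbc"],
           "macs": ["hmac-sha2-256", "hmac-sha2-512"]}

# Rows copied from the sample output in step 1, padding trimmed.
SAMPLE = """\
Option            Value
---------------   ----------
session-timeout   default (infinite)
server-port       default (22)
ciphers           aes256-cbc,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
macs              umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
"""

def parse_options(output):
    """Return {'ciphers': [...], 'macs': [...]} from the option table."""
    opts = {}
    for line in output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in AGENT:
            opts[parts[0]] = [v.strip() for v in parts[1].split(",") if v.strip()]
    return opts

def plan(output):
    """Return the set commands needed; an empty list means nothing to change."""
    opts, cmds = parse_options(output), []
    for name in ("ciphers", "macs"):
        if name not in opts:
            raise ValueError(f"no '{name}' row in output")
        current = opts[name]
        # Exact-name comparison: an -etm@openssh.com MAC is a different name.
        if set(current) & set(AGENT[name]):
            continue
        merged = ",".join(PREPEND[name] + current)
        cmds.append(f"adminaccess ssh option set {name} '{merged}'")
    return cmds

if __name__ == "__main__":
    for cmd in plan(SAMPLE):
        print(cmd)
```

On the sample output this prints only the macs command: aes256-cbc is already in the cipher list, while every MAC shown is an -etm@openssh.com variant that matches none of the names in step 3.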

 

Contact Dell Technologies Technical Support for further details or information.

Affected Products

Data Protection Advisor
Article Properties
Article Number: 000072088
Article Type: Solution
Last Modified: 27 Aug 2025
Version:  5