Overview:
Backups are an important part of maintaining an NSX-T environment. Troubleshooting backups through the UI can be challenging since the errors it reports are often generic. In this post we’ll begin with a review of the NSX-T backup configuration parameters, look at some troubleshooting steps performed from the NSX-T Manager CLI, and then troubleshoot an SFTP backup failure.
Setting up for SFTP backup on NSX-T:
Let’s begin with a review of the settings, accessed from System, Backup & Restore:
Edit Backup Configuration settings:
Port:
- Port 22 is the default for SFTP, and should work for most SFTP server installations.
Protocol:
- Only sftp is supported.
Password:
- Only required to be entered on the first backup; leave it blank afterwards to reuse the same password on subsequent backups.
Destination Directory:
- A relative path is not supported; an absolute path is required.
- An absolute path points to the same location in a file system regardless of the current working directory. To do that, it must start from the root directory.
Encryption Passphrase restrictions:
- The passphrase specified must be at least 8 characters in length and must contain at least one lowercase, one uppercase, one numeric character and one special character.
- Record the passphrase, since you need to use this same passphrase to restore from the backup.
SSH fingerprint:
- The syntax starts with SHA256:
- For example:
- SHA256:gxjoFPjc62jLhS2RPUXgYjvcsxHrCQT2+Hp3HWncNTI
- It can be added automatically if supported by the SFTP server, or it can be collected manually from the server and then entered.
FIPS compliance:
- NSX-T is FIPS compliant as of NSX-T 2.4.0, and requires a FIPS-compliant SFTP server.
Reviewing supported ciphers and MACs, making sure your SFTP server has matching algorithms:
These can be determined from the NSX-T Manager CLI, using the following commands:
root@nsxtmgr02:/etc/ssh# ssh -Q kex
root@nsxtmgr02:/etc/ssh# ssh -Q key
root@nsxtmgr02:/etc/ssh# ssh -Q cipher
root@nsxtmgr02:/etc/ssh# ssh -Q cipher-auth
root@nsxtmgr02:/etc/ssh# ssh -Q mac
When an SSH client connects to a server, each side offers the other its list of supported algorithms for each connection parameter. If the client and server cannot agree on a mutual set of parameters, the connection fails.
From this output, the NSX-T Manager supports the following options:
Key Exchange Methods: curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1
Key Algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, ssh-ed25519, rsa-sha2-512, rsa-sha2-256, ssh-rsa
Ciphers: aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com, chacha20-poly1305@openssh.com
MACs: hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha2-256, hmac-sha2-512
Compressions: none, zlib@openssh.com, zlib
Setting up an SFTP Server on a VMware Photon OS 3.0 Guest VM:
In my lab, all testing was done with a VMware Photon OS 3.0 Guest VM – Deployed from the following OVA: photon-hw11-3.0-26156e2.ova
- Set up the guest VM with a static IP, referencing: https://vmguru.com/2018/10/getting-started-with-photon-os/
- Photon OS default user: root, password: changeme
- SFTP Server is running by default
- There are no additional packages to install:
root@photon-machine [ / ]# sftp
usage: sftp [-46aCfpqrv] [-B buffer_size] [-b batchfile] [-c cipher]
          [-D sftp_server_path] [-F ssh_config] [-i identity_file] [-l limit]
          [-o ssh_option] [-P port] [-R num_requests] [-S program]
          [-s subsystem | sftp_server] destination
NSX-T Backup Troubleshooting Steps:
- Enter Engineering mode on the NSX-T manager:
nsxtmgr02> st en
Password:
***************************************************************************
NOTICE TO USERS
WARNING! Changes made to NSX Data Center while logged in as the root user can cause system failure and potentially impact your network. Please be advised that changes made to the system as the root user must only be made under the guidance of VMware.
***************************************************************************
root@nsxtmgr02:~#
- Monitor NSX-T Manager logs during the backup attempt:
root@nsxtmgr02:~# tail -f /var/log/nvpapi/api_server.log
root@nsxtmgr02:~# tail -f /var/log/proton/nsxapi.log
- Use ncat (nc) to verify the SFTP server IP and port are accessible:
root@nsxtmgr02:~# nc -zv 192.168.70.50 22
Connection to 192.168.70.50 22 port [tcp/ssh] succeeded!
- To collect the SSH fingerprint of your SFTP server's host key (the value entered as the SSH fingerprint in the backup configuration), using a Photon OS 3.0 server as an example:
root@photon-machine [ ~ ]# cat /etc/ssh/sshd_config | grep HostKey
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
root@photon-machine [ ~ ]# cd /etc/ssh
root@photon-machine [ /etc/ssh ]# ls -larth *.pub
-rw-r--r-- 1 root root 401 Jun 21 10:38 ssh_host_rsa_key.pub
-rw-r--r-- 1 root root 609 Jun 21 10:38 ssh_host_dsa_key.pub
-rw-r--r-- 1 root root 181 Jun 21 10:38 ssh_host_ecdsa_key.pub
-rw-r--r-- 1 root root 101 Jun 21 10:38 ssh_host_ed25519_key.pub
root@photon-machine [ /etc/ssh ]# ssh-keygen -l -f ssh_host_ecdsa_key.pub
256 SHA256:gxjoFPjc62jLhS2RPUXgYjvcsxHrCQT2+Hp3HWncNTI root@photon-machine (ECDSA)    <------ Verify that this is the SSH fingerprint being used.
- Test SSH Access from the NSX-T Manager to the SFTP Server:
root@nsxtmgr02:~# ssh root@192.168.70.50
Password:
Last login: Fri Jun 28 19:47:12 2019 from 192.168.110.10
21:36:27 up 2 days, 47 min, 3 users, load average: 0.00, 0.00, 0.0
- If SSH fails, retry with maximum verbosity (a successful connection is shown here for comparison):
root@nsxtmgr02:~# ssh -vvv root@192.168.70.50
OpenSSH_7.2p2 Ubuntu-4ubuntu2.6, OpenSSL 1.0.2p-fips 14 Aug 2018
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "192.168.70.50" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 192.168.70.50 [192.168.70.50] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.8
debug1: match: OpenSSH_7.8 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.70.50:22 as 'root'
debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from 192.168.70.50
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:gxjoFPjc62jLhS2RPUXgYjvcsxHrCQT2+Hp3HWncNTI
debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from 192.168.70.50
debug1: Host '192.168.70.50' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 4294967296 blocks
debug2: key: /root/.ssh/id_rsa ((nil))
debug2: key: /root/.ssh/id_dsa ((nil))
debug2: key: /root/.ssh/id_ecdsa ((nil))
debug2: key: /root/.ssh/id_ed25519 ((nil))
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug3: no such identity: /root/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_ecdsa
debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_ed25519
debug3: no such identity: /root/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 60
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
- Test SFTP Server access from the NSX-T Manager to the SFTP Server:
root@nsxtmgr03:/var/log/proton# sftp root@192.168.70.50
The authenticity of host '192.168.70.50 (192.168.70.50)' can't be established.
ECDSA key fingerprint is SHA256:gxjoFPjc62jLhS2RPUXgYjvcsxHrCQT2+Hp3HWncNTI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.70.50' (ECDSA) to the list of known hosts.
Password:
Connected to 192.168.70.50.
sftp> exit
- If SFTP access fails, retry with maximum verbosity (a successful connection is shown here for comparison):
root@nsxtmgr02:~# sftp -vvv root@192.168.70.50
OpenSSH_7.2p2 Ubuntu-4ubuntu2.6, OpenSSL 1.0.2p-fips 14 Aug 2018
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "192.168.70.50" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 192.168.70.50 [192.168.70.50] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.8
debug1: match: OpenSSH_7.8 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.70.50:22 as 'root'
debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from 192.168.70.50
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:gxjoFPjc62jLhS2RPUXgYjvcsxHrCQT2+Hp3HWncNTI
debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from 192.168.70.50
debug1: Host '192.168.70.50' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 4294967296 blocks
debug2: key: /root/.ssh/id_rsa ((nil))
debug2: key: /root/.ssh/id_dsa ((nil))
debug2: key: /root/.ssh/id_ecdsa ((nil))
debug2: key: /root/.ssh/id_ed25519 ((nil))
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug3: no such identity: /root/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_ecdsa
debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_ed25519
debug3: no such identity: /root/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 60
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
- Transfer a file using SFTP:
Find a suitable file to transfer, say /var/log/proton/nsxapi.log:
root@nsxtmgr03:~# cd /var/log/proton
root@nsxtmgr03:/var/log/proton# ls -larth nsxapi.log
-rw-r----- 1 uproton uproton 79M Jun 28 20:15 nsxapi.log
Move to the Destination Directory and transfer the sample file:
sftp> cd /tmp
sftp> put nsxapi.log
Uploading nsxapi.log to /tmp/nsxapi.log
nsxapi.log                                    100%   78MB   4.6MB/s   00:17
Verify the file has been successfully transferred:
sftp> ls -larth
drwx------    0 0        0            60B Jun 26 20:49 systemd-private-5f7f479451b5457ea04c5800459695c7-systemd-timesyncd.service-BMdu2q
drwxrwxrwt    0 0        0            40B Jun 26 20:49 .Test-unix
drwxrwxrwt    0 0        0            40B Jun 26 20:49 .font-unix
drwxrwxrwt    0 0        0            40B Jun 26 20:49 .XIM-unix
drwxrwxrwt    0 0        0            40B Jun 26 20:49 .ICE-unix
drwxrwxrwt    0 0        0            40B Jun 26 20:49 .X11-unix
drwx------    0 0        0            60B Jun 26 20:49 systemd-private-5f7f479451b5457ea04c5800459695c7-systemd-resolved.service-xbVg5u
drwx------    0 0        0            60B Jun 26 20:49 systemd-private-5f7f479451b5457ea04c5800459695c7-systemd-networkd.service-Cobwbl
drwxr-xr-x    0 0        0           4.0K Jun 26 20:51 ..
drwx------    0 0        0            40B Jun 26 20:51 vmware-root_293-2084453149
drwxr-x---    0 0        0            60B Jun 28 17:29 cluster-node-backups
drwxr-x---    0 0        0            60B Jun 28 17:32 ccp-backups
drwxrwxrwt    0 0        0           280B Jun 28 20:11 .
-rw-r-----    0 0        0          78.4M Jun 28 20:16 nsxapi.log    <<<<<<<<<
Here is an example of a backup failure reported from the NSX-T Manager UI: “backup operation unknown error”
There isn’t enough detail here to identify the root cause of the failure. Let’s see what we can learn from the CLI and the NSX-T Manager logs.
root@nsxtmgr03:/# tail -f ./var/log/proton/nsxapi.log
2019-06-30T20:37:23.862Z INFO task-executor-20 BackupGenerationServiceImpl - SYSTEM [nsx@6876 comp="nsx-manager" subcomp="manager"] Backing up using cluster filename [/cluster-node-backups/2.4.1.0.0.13716579-e7ef1642-0874-02fb-c93c-ba978da1f374-192.168.110.19/backup-2019-06-30T20_37_23UTC/cluster_backup-e7ef1642-0874-02fb-c93c-ba978da1f374-192.168.110.19-nsx-manager.tar, /cluster-node-backups/2.4.1.0.0.13716579-e7ef1642-0874-02fb-c93c-ba978da1f374-192.168.110.19/backup-2019-06-30T20_37_23UTC/cluster_backup-e7ef1642-0874-02fb-c93c-ba978da1f374-192.168.110.19-nsx-policy-manager.tar], node filename /cluster-node-backups/2.4.1.0.0.13716579-e7ef1642-0874-02fb-c93c-ba978da1f374-192.168.110.19/backup-2019-06-30T20_37_23UTC/node_backup-e7ef1642-0874-02fb-c93c-ba978da1f374-192.168.110.19.tar to URI sftp://192.168.70.50:22/tmp
2019-06-30T20:37:23.863Z INFO task-executor-20 BackupGenerationServiceImpl - SYSTEM [nsx@6876 comp="nsx-manager" subcomp="manager"] Authenticating with: fingerprint "SHA256:gxjoFPjc62jLhS2RPUXgYjvcsxHrCQT2+Hp3HWncNTI"
2019-06-30T20:37:23.863Z INFO task-executor-20 GenerationUtilities - SYSTEM [nsx@6876 comp="nsx-manager" subcomp="manager"] Creating remote directory sftp://192.168.70.50:22/tmp/cluster-node-backups
2019-06-30T20:37:23.867Z INFO task-executor-20 NapiBackupGenerationServiceImpl - SYSTEM [nsx@6876 comp="nsx-manager" subcomp="manager"] Issuing command http://127.0.0.1:7441/api/v1/node/file-store?action=create_remote_directory
2019-06-30T20:37:26.477Z INFO pool-198-thread-1 CorfuDbConnector - - [nsx@6876 comp="nsx-manager" subcomp="manager"] The database seems operational.
2019-06-30T20:37:26.670Z INFO http-nio-127.0.0.1-7440-exec-4 PreAuthenticatedAuthenticationProvider - - [nsx@6876 comp="nsx-manager" subcomp="manager"] User YWRtaW4=. Granted authorities: 'c3VwZXJ1c2Vycw== '
2019-06-30T20:37:26.670Z INFO http-nio-127.0.0.1-7440-exec-1 PreAuthenticatedAuthenticationProvider - - [nsx@6876 comp="nsx-manager" subcomp="manager"] User admin. Granted authorities: ''
2019-06-30T20:37:26.674Z INFO http-nio-127.0.0.1-7440-exec-1 PreAuthenticatedAuthenticationProvider - - [nsx@6876 comp="nsx-manager" subcomp="manager"] User admin. Granted authorities: ''
2019-06-30T20:37:26.747Z INFO http-nio-127.0.0.1-7440-exec-1 FabricNodeFacadeImpl - - [nsx@6876 comp="nsx-manager" subcomp="manager"] Listing nodes with request parameters NodeListRequestParametersDto= { , pageSize: 1000, sortAscending: null }
2019-06-30T20:37:26.800Z WARN http-nio-127.0.0.1-7440-exec-4 FacadeInterceptorHelperImpl - - [nsx@6876 comp="nsx-manager" subcomp="manager"] API result did not pass validationField level validation errors: {value backup of property operation_type is not one of the allowed values [NONE, BACKUP]}
2019-06-30T20:37:26.811Z INFO http-nio-127.0.0.1-7440-exec-4 AuditingServiceImpl - SYSTEM [nsx@6876 audit="true" comp="nsx-manager" reqId="349ccc02-1080-4927-8353-508ce18053e4" subcomp="manager"] UserName="admin", ModuleName="BackupConfiguration", Operation="GetBackupStatus", Operation status="success"
2019-06-30T20:37:27.152Z INFO http-nio-127.0.0.1-7440-exec-1 FabricNodeFacadeImpl - - [nsx@6876 comp="nsx-manager" subcomp="manager"] List node result returned with size 5
2019-06-30T20:37:27.161Z INFO http-nio-127.0.0.1-7440-exec-1 AuditingServiceImpl - FABRIC [nsx@6876 audit="true" comp="nsx-manager" reqId="b8df962f-cb31-490f-9654-6017d57be37a" subcomp="manager"] UserName="admin", ModuleName="FabricNode", Operation="ListNodes", Operation status="success", New value=[{"page_size":1000}]
2019-06-30T20:37:27.179Z INFO http-nio-127.0.0.1-7440-exec-5 PreAuthenticatedAuthenticationProvider - - [nsx@6876 comp="nsx-manager" subcomp="manager"] User admin. Granted authorities: ''
2019-06-30T20:37:27.179Z INFO http-nio-127.0.0.1-7440-exec-5 PreAuthenticatedAuthenticationProvider - - [nsx@6876 comp="nsx-manager" subcomp="manager"] User admin. Granted authorities: ''
2019-06-30T20:37:27.260Z INFO http-nio-127.0.0.1-7440-exec-5 AuditingServiceImpl - SYSTEM [nsx@6876 audit="true" comp="nsx-manager" reqId="c7ebebc5-b933-4f96-8884-c960b49e7153" subcomp="manager"] UserName="admin", ModuleName="ClusterManagement", Operation="ListClusterNodeConfigs", Operation status="success"
2019-06-30T20:37:28.456Z ERROR task-executor-20 NapiBackupGenerationServiceImpl - SYSTEM [nsx@6876 comp="nsx-manager" errorCode="MP29256" subcomp="manager"] org.springframework.web.client.HttpClientErrorException: 400 Bad Request
    at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:94) ~[spring-web-5.0.8.RELEASE.jar:5.0.8.RELEASE]
    at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:79) ~[spring-web-5.0.8.RELEASE.jar:5.0.8.RELEASE]
    at org.springframework.web.client.ResponseErrorHandler.handleError(ResponseErrorHandler.java:63) ~[spring-web-5.0.8.RELEASE.jar:5.0.8.RELEASE]
    at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:766) ~[spring-web-5.0.8.RELEASE.jar:5.0.8.RELEASE]
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:724) ~[spring-web-5.0.8.RELEASE.jar:5.0.8.RELEASE]
    at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:680) ~[spring-web-5.0.8.RELEASE.jar:5.0.8.RELEASE]
    at org.springframework.web.client.RestTemplate.postForEntity(RestTemplate.java:466) ~[spring-web-5.0.8.RELEASE.jar:5.0.8.RELEASE]
    at com.vmware.nsx.management.backup.service.impl.NapiBackupGenerationServiceImpl.callHelper(NapiBackupGenerationServiceImpl.java:272) ~[backup-1.0.jar:?]
    at com.vmware.nsx.management.backup.service.impl.NapiBackupGenerationServiceImpl.callHelper(NapiBackupGenerationServiceImpl.java:242) ~[backup-1.0.jar:?]
    at com.vmware.nsx.management.backup.service.impl.NapiBackupGenerationServiceImpl.createRemoteDirectory(NapiBackupGenerationServiceImpl.java:496) ~[backup-1.0.jar:?]
    at com.vmware.nsx.management.backup.impl.GenerationUtilities.createRemotePathTo(GenerationUtilities.java:167) ~[backup-1.0.jar:?]
    at com.vmware.nsx.management.backup.service.impl.BackupGenerationServiceImpl.createAndUploadFullClusterBackup(BackupGenerationServiceImpl.java:207) ~[backup-1.0.jar:?]
    at com.vmware.nsx.management.backup.facade.BackupConfigurationFacadeImpl.requestOnetimeBackup_aroundBody0(BackupConfigurationFacadeImpl.java:91) ~[backup-1.0.jar:?]
    at com.vmware.nsx.management.backup.facade.BackupConfigurationFacadeImpl$AjcClosure1.run(BackupConfigurationFacadeImpl.java:1) ~[backup-1.0.jar:?]
    at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149) ~[aspectjtools-1.8.13.jar:?]
    at com.vmware.nsx.management.container.application.FacadeInterceptorHelperImpl.proceed_aroundBody0(FacadeInterceptorHelperImpl.java:211) ~[nsx-framework-1.0.jar:?]
    at com.vmware.nsx.management.container.application.FacadeInterceptorHelperImpl.proceed_aroundBody1$advice(FacadeInterceptorHelperImpl.java:87) ~[nsx-framework-1.0.jar:?]
    at com.vmware.nsx.management.container.application.FacadeInterceptorHelperImpl.proceed_aroundBody2(FacadeInterceptorHelperImpl.java:1) ~[nsx-framework-1.0.jar:?]
    at com.vmware.nsx.management.container.application.FacadeInterceptorHelperImpl.proceed_aroundBody3$advice(FacadeInterceptorHelperImpl.java:87) ~[nsx-framework-1.0.jar:?]
    at com.vmware.nsx.management.container.application.FacadeInterceptorHelperImpl.proceed(FacadeInterceptorHelperImpl.java:1) ~[nsx-framework-1.0.jar:?]
    at com.vmware.nsx.management.container.application.FacadeInterceptorHelperImpl.proceed(FacadeInterceptorHelperImpl.java:364) ~[nsx-framework-1.0.jar:?]
    at com.vmware.nsx.management.common.api.FacadeInterceptorAspect.annotatedMethod(FacadeInterceptorAspect.java:73) ~[common-1.0.jar:?]
    at com.vmware.nsx.management.backup.facade.BackupConfigurationFacadeImpl.requestOnetimeBackup(BackupConfigurationFacadeImpl.java:90) ~[backup-1.0.jar:?]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_192]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_192]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_192]
    at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_192]
    at com.vmware.nsx.management.common.api.task.AsyncApiTask.execute(AsyncApiTask.java:49) ~[common-1.0.jar:?]
    at com.vmware.nsx.management.common.api.task.TrackableTask.run(TrackableTask.java:89) ~[common-1.0.jar:?]
    at com.vmware.nsx.management.common.executor.TaskExecutorImpl$TaskWrapper$1.run(TaskExecutorImpl.java:238) ~[common-1.0.jar:?]
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) ~[?:1.8.0_192]
    at java.util.concurrent.FutureTask.run(FutureTask.java:266) ~[?:1.8.0_192]
    at com.vmware.nsx.management.common.executor.TaskExecutorImpl$TaskWrapper.run(TaskExecutorImpl.java:271) ~[common-1.0.jar:?]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) ~[?:1.8.0_192]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) ~[?:1.8.0_192]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_192]
2019-06-30T20:37:28.491Z ERROR task-executor-20 NapiBackupGenerationServiceImpl - SYSTEM [nsx@6876 comp="nsx-manager" errorCode="MP99" subcomp="manager"] Unknown response code 36209
2019-06-30T20:37:28.491Z ERROR task-executor-20 BackupGenerationServiceImpl - SYSTEM [nsx@6876 comp="nsx-manager" errorCode="MP99" subcomp="manager"] Cluster backup had error
2019-06-30T20:37:28.507Z INFO task-executor-20 PrincipalOwnerValidator - - [nsx@6876 comp="nsx-manager" subcomp="manager"] XXX Principal 'admin' attempts to delete or modify an unprotected object of type BackupOperationHistory. (createUser=system)
2019-06-30T20:37:28.688Z ERROR task-executor-20 BackupConfigurationFacadeImpl - - [nsx@6876 comp="nsx-manager" errorCode="MP99" s2comp="backup-restore" subcomp="manager"] Cluster backup failed with Status [status=GENERIC_ERROR, statusDetail=Error negotiating with remote host: Unable to negotiate with 192.168.70.50 port 22: no matching MAC found. Their offer: hmac-md5 Couldn't read packet: Connection reset by peer, startTime=1561927043865, endTime=1561927048491].
2019-06-30T20:37:28.688Z ERROR task-executor-20 BackupConfigurationFacadeImpl - - [nsx@6876 comp="nsx-manager" errorCode="MP99" subcomp="manager"] Status [status=GENERIC_ERROR, statusDetail=Error negotiating with remote host: Unable to negotiate with 192.168.70.50 port 22: no matching MAC found. Their offer: hmac-md5
SSH from the NSX-T Manager CLI fails as well, since no matching MAC algorithm is found during negotiation (the TCP port itself is reachable):
root@nsxtmgr03:~# nc -zv 192.168.70.50 22
Connection to 192.168.70.50 22 port [tcp/ssh] succeeded!
root@nsxtmgr03:~# ssh root@192.168.70.50
Unable to negotiate with 192.168.70.50 port 22: no matching MAC found. Their offer: hmac-md5
root@nsxtmgr03:~# ssh -vvv root@192.168.70.50
OpenSSH_7.2p2 Ubuntu-4ubuntu2.6, OpenSSL 1.0.2p-fips 14 Aug 2018
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "192.168.70.50" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 192.168.70.50 [192.168.70.50] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.8
debug1: match: OpenSSH_7.8 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.70.50:22 as 'root'
debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from 192.168.70.50
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: hmac-md5
debug2: MACs stoc: hmac-md5
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
Unable to negotiate with 192.168.70.50 port 22: no matching MAC found. Their offer: hmac-md5
For a successful connection, there must be at least one mutually supported choice for each negotiated parameter (key exchange, host key, cipher, and MAC, in each direction). Note in the output above that the key exchange and host key algorithms were agreed on; only the MAC lists have no overlap.
If the client and server are unable to agree on a mutual set of parameters, the connection fails. OpenSSH (7.0 and greater) produces an error message like this:
Unable to negotiate with legacyhost: no matching key exchange method found. Their offer: hmac-md5
In this scenario, the OpenSSH build on NSX-T Manager supports the following ciphers/MACs. Keep in mind that ssh -Q lists every algorithm the binary was compiled with; the set actually offered during negotiation is the narrower, configured list shown in the debug2 "MACs ctos/stoc" lines above:
root@nsxtmgr03:~# ssh -Q cipher
3des-cbc
blowfish-cbc
cast128-cbc
arcfour
arcfour128
arcfour256
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
root@nsxtmgr03:~# ssh -Q mac
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-ripemd160@openssh.com
umac-64@openssh.com
umac-128@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
hmac-ripemd160-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com
The SFTP Server's effective sshd configuration only allows the following ciphers/MACs (sshd -T prints the running configuration after defaults are applied; the pattern needs extended-regex grep):
root@photon-machine [ /etc ]# sshd -T | grep -E "(ciphers|macs)"
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs hmac-md5
This is a typical failure, where the ciphers or MACs enabled on one side don't match what the other side offers. Here the ciphers overlap but the MACs do not. The solution is to enable additional MACs on the SFTP Server, which is currently set up to allow only the weaker hmac-md5 MAC; the NSX-T Manager's SSH client does not offer that MAC (its proposal above lists only the SHA-2 HMACs), so the two sides have no MAC in common.
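The by-eye comparison above (client proposal against server proposal, one mutual choice required per category) can be automated. The following is an added example, not code from the post or from VMware: it parses the debug2 KEXINIT lines of an ssh -vvv run and applies the SSH selection rule per category, reporting which categories have no common algorithm. The embedded excerpt is constructed sample data modelled on the exchange above, not a real capture.

```python
import re

# Constructed debug2 excerpt modelled on the post's ssh -vvv exchange (client = NSX-T Manager, server = SFTP host); not a real capture.
SSH_DEBUG = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group14-sha1
debug2: host key algorithms: ecdsa-sha2-nistp256,ssh-ed25519,rsa-sha2-512,ssh-rsa
debug2: ciphers ctos: aes128-ctr,aes256-ctr,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
debug2: ciphers stoc: aes128-ctr,aes256-ctr,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr
debug2: MACs ctos: hmac-md5
debug2: MACs stoc: hmac-md5
"""

# Only the categories that decide whether a handshake can proceed; compression and languages are ignored.
CATEGORY = re.compile(r"debug2: (KEX algorithms|host key algorithms|ciphers ctos|ciphers stoc|MACs ctos|MACs stoc): (.*)")

def parse_proposals(text):
    """Map each KEXINIT category to the algorithm list each side offered, in preference order."""
    proposals, side = {"client": {}, "server": {}}, None
    for line in text.splitlines():
        if "local client KEXINIT proposal" in line:
            side = "client"
        elif "peer server KEXINIT proposal" in line:
            side = "server"
        elif side and (m := CATEGORY.match(line)):
            proposals[side][m.group(1)] = m.group(2).split(",")
    return proposals

def negotiate(proposals):
    """RFC 4253 rule: per category, the first client algorithm the server also lists, else None."""
    chosen = {}
    for cat, client_algs in proposals["client"].items():
        server_algs = set(proposals["server"].get(cat, []))
        chosen[cat] = next((a for a in client_algs if a in server_algs), None)
    return chosen

def failures(chosen):
    """Categories with no mutual algorithm; a single such entry aborts the handshake."""
    return [cat for cat, alg in chosen.items() if alg is None]

if __name__ == "__main__":
    for cat, alg in negotiate(parse_proposals(SSH_DEBUG)).items():
        print(f"{cat:20} -> {alg or 'NO MATCH'}")
```

To use it on a live system, capture the client side with ssh -vvv (stderr redirected) and pass that text to parse_proposals in place of SSH_DEBUG.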
In summary, by using the NSX-T Manager CLI to initiate the SSH and SFTP sessions in verbose mode, and by reviewing the NSX-T Manager logs, we were able to identify the root cause of the "backup operation unknown error" reported by the UI.