SSH Mismatch while deploying Ansible

[castrojuanj]

Hello, i'm nuts about this error

TASK [Deploy initial configuration] **************************************************************************************************
included: /usr/local/lib/python3.13/dist-packages/netsim/ansible/tasks/deploy-config/ios.yml for DIST1, DIST2, DIST3

TASK [ios_config: deploying initial from /usr/local/lib/python3.13/dist-packages/netsim/ansible/templates/initial/ios.j2] ************
fatal: [DIST2]: FAILED! => changed=false
msg: 'ssh connection failed: ssh connect failed: kex error : no match for method kex algos: server [diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1], client [curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256]'

I know is a mistach key exch method , i've tweaked the .netlab.yml changing this method but the error persist

jjc@debian:~/netlab/test_lab$ cat ~/.netlab.yml

devices.iosxr.clab.image: ios-xr/xrd-control-plane:25.1.1
devices.iosvl2.clab.image: asifsyd/cisco_viosl2:15.2
devices.iosv.clab.image: asifsyd/cisco_vios:15.9.3M6
devices.ioll2.clab.image: asifsyd/cisco_iol:l2-17.12.01
devices.iol.clab.image: asifsyd/cisco_iol:17.12.01

devices.iosv.group_vars.netlab_ssh_args: "-o KexAlgorithms=+diffie-hellman-group14-sha1 -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa"

---

Any clue ?

[ipspace]

Ansible has its own Python interface to OpenSSH libraries and usually manages to work with the ancient Cisco IOS crypto algorithms without tweaks to netlab_ssh_args variable (which is also set by default to work with those ancient algorithms for quite a while). That module is installed automatically with netlab install ansible.

So:

• Which Debian release are you using (I'm assuming you're using Debian based on the CLI prompt you included)?
• Which netlab version are you using?
• How did you install Ansible?

[castrojuanj]

Ansible has its own Python interface to OpenSSH libraries and usually manages to work with the ancient Cisco IOS crypto algorithms without tweaks to netlab_ssh_args variable (which is also set by default to work with those ancient algorithms for quite a while). That module is installed automatically with netlab install ansible.

So:

* Which Debian release are you using (I'm assuming you're using Debian based on the CLI prompt you included)?

Linux debian 6.12.48+deb13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.48-1 (2025-09-20) x86_64 GNU/Linux

* Which netlab version are you using?

jjc@debian:~/netlab/nso_lab$ netlab version
netlab version 25.09-post1
executable location: /usr/local/bin/netlab
package location: ['/usr/local/lib/python3.13/dist-packages/netsim']
user defaults: ['/home/jjc/.netlab.yml']

Required packages:
Cannot find python-box version
Cannot find Jinja2 version
Cannot find PyYAML version
Cannot find netaddr version
Cannot find ruamel.yaml version
Cannot find ansible-core version

(Could the remarked one be the issue ?)

jjc@debian:~/netlab/nso_lab$

* How did you install Ansible?

I think it was via the script

[ipspace]

So, I set up a brand new Debian 13 VM (great fun because nobody builds Vagrant boxes anymore, I finally found "cloud-image/debian-13"), installed networklab as a system package, used netlab to install ubuntu, containerlab and ansible, and started a lab with an IOL container, and it all worked out of the box.

I have no idea how your Debian setup differs from what the author of the Vagrant box claims to be the default Debian cloud image (https://portal.cloud.hashicorp.com/vagrant/discover/cloud-image/debian-13). You might try to do "ssh -Q kex" to see whether the Cisco's old algorithms are available on your machine. Here's what I got:

vagrant@localhost:~/test$ ssh -Q kex
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
[email protected]
sntrup761x25519-sha512
[email protected]
mlkem768x25519-sha256

[castrojuanj]

Sir, i really appreciate the time you've sent on this.

I''ve found a fix changing the ansible ssh lib from libssh to paramiko

(netlab) jjc@debian:~/netlab/test_lab$ export ANSIBLE_NETWORK_CLI_SSH_TYPE=paramiko
(netlab) jjc@debian:~/netlab/test_lab$ netlab up

TASK [ios_config: deploying initial from /home/jjc/netlab/lib/python3.13/site-packages/netsim/ansible/templates/initial/ios.j2] ***
[WARNING]: To ensure idempotency and correct diff the input configuration lines should be
similar to how they appear if present in the running configuration on device including the
indentation
changed: [DIST3]
changed: [DIST2]
changed: [DIST1]

PLAY [Deploy module-specific configurations] *************************************************
skipping: no hosts matched

PLAY [Deploy custom deployment templates] ****************************************************
skipping: no hosts matched

PLAY RECAP ***********************************************************************************
DIST1 : ok=17 changed=1 unreachable=0 failed=0 skipped=5 rescued=0 ignored=0
DIST2 : ok=16 changed=1 unreachable=0 failed=0 skipped=5 rescued=0 ignored=0
DIST3 : ok=16 changed=1 unreachable=0 failed=0 skipped=5 rescued=0 ignored=0

[SUCCESS] Lab devices configured

[WARNING] The following warnings were generated during the 'netlab up' processing
[WARNING] ospf: DIST1 does not use ospf on any non-loopback interface or VRF
[WARNING] ospf: DIST2 does not use ospf on any non-loopback interface or VRF
[WARNING] ospf: DIST3 does not use ospf on any non-loopback interface or VRF
(netlab) jjc@debian:~/netlab/test_lab$ netlab connect DIST1
Connecting to clab-testlab-DIST1 using SSH port 22

DIST1#sh ip int brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 10.0.0.15 YES manual up up
Loopback0 10.0.0.1 YES manual up up
DIST1#exit
(netlab) jjc@debian:~/netlab/test_lab$ netlab connect DIST2
Connecting to clab-testlab-DIST2 using SSH port 22

DIST2#sh ip int brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 10.0.0.15 YES manual up up
Loopback0 10.0.0.2 YES manual up up
DIST2#exit
(netlab) jjc@debian:~/netlab/test_lab$

DIST3#sh ip int brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 10.0.0.15 YES manual up up
Loopback0 10.0.0.3 YES manual up up
DIST3#

[ipspace]

I''ve found a fix changing the ansible ssh lib from libssh to paramiko

(netlab) jjc@debian:~/netlab/test_lab$ export ANSIBLE_NETWORK_CLI_SSH_TYPE=paramiko (netlab) jjc@debian:~/netlab/test_lab$ netlab up

Nice, thanks for letting me know. Will add as another thing to try to the documentation.

[jbemmel]

ssh_type string | The python package that will be used by the network_cli connection plugin to create a SSH connection to remote host.libssh will use the ansible-pylibssh package, which needs to be installed in order to work.paramiko will instead use the paramiko package to manage the SSH connection.auto will use ansible-pylibssh if that package is installed, otherwise will fallback to paramiko.Choices:"libssh""paramiko""auto" ← (default) -- | --

Looks like presence of the ansible-pylibssh package triggers different behavior