IP Based CI Discovery in Azure and AWS
‎03-12-2025 03:31 PM
Hi All,
I recently configured a mid server in Azure (Azure registration was done earlier to discover cloud resources). I am looking to discover CIs using IP based discovery within Azure.
I just ran manual discovery on one of the Azure subnets and it did not discover any new CIs - receiving classification errors - For Windows - Active couldn't classify - No WMI connection, for Unix - Active, Couldn't Classify (Cannot connect, status is SSH_CONNECTION_FAILURE. Could not agree on key exchange algorithm) or Interactive Probe Shell - Active, Couldn't classify, etc.
I am wondering if I missed something - like configuring separate WMI, SSH, SNMP credentials for Azure, AWS like we did for on-prem devices (successfully discovering CIs).
The weird part is, some Windows Servers that were discovered earlier (after Azure registration) are getting updated successfully. However, new CIs are not being discovered. I am fairly new to ServiceNow Discovery and your help in this matter is highly appreciated!
Thanks!
‎03-13-2025 01:09 PM
Hi Nikhil,
The issue you’re encountering, specifically the error SSH_CONNECTION_FAILURE. Could not agree on key exchange algorithm, is likely due to a mismatch between the SSH algorithms supported by the MID Server and the target servers. Here’s how you can address this:
- Understand the Default SSH Algorithms
The MID Server uses a prioritized list of SSH algorithms for key exchange, host key, cipher, and MAC during the SSH handshake. If the target server does not support any of the algorithms in the MID Server’s list, the connection will fail.
Default supported algorithms by the MID Server include:
- Key Exchange Algorithms: ecdh-sha2-nistp256, diffie-hellman-group14-sha256, etc.
- Host Key Algorithms: ssh-ed25519, rsa-sha2-512, etc.
- Cipher Algorithms: aes128-ctr, aes256-cbc, etc.
- MAC Algorithms: hmac-sha2-256, hmac-sha1, etc.
For a full list of supported algorithms, refer to the documentation:
https://docs.servicenow.com/bundle/sandiego-servicenow-platform/page/product/mid-server/reference/mi...
- Troubleshooting Steps
- Verify Target Server SSH Configuration
Ensure that the target server supports at least one of the algorithms in the MID Server’s default list. If the server is using older or deprecated algorithms (e.g., SHA-1), you may need to update its SSH configuration to support modern algorithms like SHA-256.
- Customize MID Server SSH Algorithm Priority
If updating the target server is not feasible, you can customize the MID Server’s SSH algorithm priority list to include the algorithms supported by the target server. Use the following MID Server properties to modify the algorithm lists:
- mid.ssh.algorithms.kex (Key Exchange Algorithms)
- mid.ssh.algorithms.host_key (Host Key Algorithms)
- mid.ssh.algorithms.cipher (Cipher Algorithms)
- mid.ssh.algorithms.mac (MAC Algorithms)
For example, to add support for older algorithms, you can use the + operator to append them to the default list. Refer to the documentation for syntax:
https://docs.servicenow.com/bundle/sandiego-servicenow-platform/page/product/mid-server/reference/mi...
- Test Connectivity
After making changes, test the connection by running a Quick Discovery on the target server’s IP address. Check the Discovery logs for any remaining errors.
- Additional Resources
For more information and troubleshooting, you can refer to the following:
- ServiceNow Community Post:
This post discusses similar SSH connection issues and provides insights into resolving them:
https://www.servicenow.com/community/itom-forum/cannot-connect-status-is-ssh-connection-failure-coul...
- ServiceNow Knowledge Base Article:
Detailed steps for troubleshooting SSH connection issues:
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0829950
- Next Steps
- Update the target server’s SSH configuration or customize the MID Server’s algorithm list as needed.
- Test the changes using Quick Discovery.
- If the issue persists, review the Discovery logs for additional details.
If you believe the solution provided has adequately addressed your query, could you please **mark it as 'Helpful'** and **'Accept it as a Solution'**? This will help other community members who might have the same question find the answer more easily.
Thank you for your consideration.
Selva Arun
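The negotiation failure described in the answer above, as an added example that is not part of the original thread and is not ServiceNow code: it parses a server's SSH_MSG_KEXINIT payload (RFC 4253, section 7.1) and reports, per category, the first client algorithm the server also offers. The client list holds only the names quoted in the answer (not the MID Server's full default list), the server is a hypothetical legacy host, and the kex/host-key compatibility conditions of the RFC are skipped.

```python
import struct

# Order of the first six name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ["kex", "host_key", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c"]

def build_kexinit(lists):
    """Encode a KEXINIT payload; used only to construct the sample below."""
    out = bytes([20]) + bytes(16)                 # message type 20, zeroed cookie
    for name in FIELDS + ["comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]:
        data = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(data)) + data
    return out + bytes(5)                         # first_kex_packet_follows + reserved

def parse_kexinit(payload):
    """Decode the algorithm name-lists of a KEXINIT payload."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, {}                           # skip type byte and 16-byte cookie
    for name in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (size,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + size > len(payload):
            raise ValueError("truncated name-list")
        text = payload[pos:pos + size].decode("ascii")
        lists[name] = text.split(",") if text else []
        pos += size
    return lists

def negotiate(client, server):
    """First client algorithm the server also offers, per category (None = no match)."""
    return {name: next((a for a in client[name] if a in server[name]), None)
            for name in FIELDS}

# Constructed sample. Client names are the ones quoted in the answer, not the
# MID Server's full default list; the server is a hypothetical legacy host.
CLIENT = {"kex": ["ecdh-sha2-nistp256", "diffie-hellman-group14-sha256"],
          "host_key": ["ssh-ed25519", "rsa-sha2-512"],
          "cipher_c2s": ["aes128-ctr", "aes256-cbc"], "cipher_s2c": ["aes128-ctr", "aes256-cbc"],
          "mac_c2s": ["hmac-sha2-256", "hmac-sha1"], "mac_s2c": ["hmac-sha2-256", "hmac-sha1"]}
SERVER_KEXINIT = build_kexinit({
    "kex": ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"],
    "host_key": ["ssh-rsa", "rsa-sha2-512"],
    "cipher_c2s": ["aes128-ctr"], "cipher_s2c": ["aes128-ctr"],
    "mac_c2s": ["hmac-sha1"], "mac_s2c": ["hmac-sha1"]})

if __name__ == "__main__":
    print(negotiate(CLIENT, parse_kexinit(SERVER_KEXINIT)))
```

In this sample only the `kex` category comes back as `None`, which is the condition behind "Could not agree on key exchange algorithm"; the other categories still agree, on `rsa-sha2-512`, `aes128-ctr` and `hmac-sha1`.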
‎03-25-2025 12:08 PM
Thank you so much for the quick response Selva. The SSH is an example of the issues I am encountering. The broader question is - do I need to configure a separate set of credentials (WMI, SSH) for Azure and AWS? I have those configured (and working) for non-cloud environment. Is it possible to extend the scope of these credentials to discover CIs in the Cloud environment? Thanks!