topic Re: Cisco1721 "RSA keys to weak" in Network Security

Cisco1721 "RSA keys to weak"

vanwijk — Fri, 21 Feb 2020 06:24:46 GMT

Hello,

I have a Cisco1721 installed running on "c1700-k9o3sy7-mz.122-8.T5.bin" for our VPN-solution. Everything looks fine in the first place, but there are some difficulties i can not solve at the moment.

Users which are connected to this router have difficulties running Pc-Anywhere over the WAN.

An additional parameter 'no crypto enigine accelerator' is solving this problem.

Now i have problems reaching this Cisco1721 over SSH, it says "RSA keys to weak". At the moment IP-traffic is running quit normal as it seems. But there is something wrong and i do not know what.

It has something to do with the encryption-module, i think !!

Is there any expert out there, who can give me an reasonable answer ??

Best regards

Edwin van Wijk

Re: Cisco1721 "RSA keys to weak"

gfullage — Thu, 05 Dec 2002 02:22:40 GMT

The "no crypto engine accel" command turns off the hardware crypto card in your router, effectively having all encryption done in software by the CPU. There were some initial problems with these cards, but in general now they run fine and you shouldn't have to turn it off for specific traffic types to flow. I would probably suggest opening a TAC case so we can investigate this further.

As for the "RSA keys too weak" message, I presume this is coming up in your SSH client, correct? It must have some parameter in it that checks the length of the key it receives from the router and complains. You can regenerate the key on the router and make it longer by issuing the command:

sv3-5(config)#cry key gen rsa

The name for the keys will be: sv3-5.cisco.com

Choose the size of the key modulus in the range of 360 to 2048 for your

General Purpose Keys. Choosing a key modulus greater than 512 may take

a few minutes.

How many bits in the modulus [512]: 1024

Generating RSA keys ...

[OK]

sv3-5(config)#

You'll have to choose a key length longer than whatever length your SSH application is complaining about, I would think 1024 should suffice though.

Re: Cisco1721 "RSA keys to weak"

vanwijk — Thu, 05 Dec 2002 07:15:07 GMT

Hello,

Thanks for your help, your totally right, but what you have suggested i already did several times.

After generating a new key everything works Ok as it seems, but after powering-off and powering-on this router the problem re-occurs.

I encounter this problem only with 1721-routers.

I now go for your plan B, opening a TAC-case

Best regards

Edwin van Wijk

Re: Cisco1721 "RSA keys to weak"

bmenkveld — Wed, 12 Feb 2003 09:51:48 GMT

Edwin,

I had some problems myself with the 1721 and the vpn accelerator card.

Upgrading to the last T release of the 12.2 train dit solve my problem, maybe it wil solve yours?

Re: Cisco1721 "RSA keys to weak"

vanwijk — Wed, 12 Feb 2003 10:26:15 GMT

Hello,

Yes, it took some time to have the problem solved, because i did not know exactly what was going on.Now we are running on the c1700-k9o3sy7-mz.122-13.T.bin software and the problem was solved.

Thanks for your reaction.

Best regards

Edwin van Wijk