topic Re: C9800-40 Crypto Log in Wireless

C9800-40 Crypto Log

김성진 — Mon, 06 Mar 2023 01:07:49 GMT

Hello,

The following log appears on the 9800 device. Is there a cause and solution?

%CRYPTO_ENGINE-4-CSDL_COMPLIANCE_RSA_WEAK_KEYS: RSA keypair CISCO_IDEVID_SUDI_LEGACY is in violation of Cisco security compliance guidelines and will be rejected by future releases.

Model : C9800-40 2EA HA

Version : 17.6.5

Re: C9800-40 Crypto Log

Mark Elsen — Mon, 06 Mar 2023 13:44:41 GMT

- Review the 9800 device configuration with the CLI command : show tech wireless , have the output analyzed by https://cway.cisco.com/tools/WirelessAnalyzer/ , please note do not use classical show tech-support (short version) , use the command denoted in green for Wireless Analyzer. You may get more insights as to where this message is applicable , or why it occurs ,
Also post the output of : show wireless mobility summary

Re: C9800-40 Crypto Log

balaji.bandi — Mon, 06 Mar 2023 08:32:35 GMT

Looks to me like some SSH keys issue looking at the errors

can you post show IP ssh and show ssh ( also trust point config smart license here)

Re: C9800-40 Crypto Log

Rich R — Mon, 06 Mar 2023 15:07:51 GMT

So CSDL is the Cisco Secure Development Lifecycle. I cannot find the IOS changes well documented anywhere (there is a more general CSDL blog) but at some point recently they introduced these changes to IOS-XE to try to remove all use of legacy hashes and ciphers and only allow the latest and strongest. Suffice to say it was a disaster and prevented thousands of customers from upgrading IOS because it blocked all sorts of config which simply couldn't be updated overnight because of compatibility with other equipment and software which doesn't support the latest options. As a result numerous different bugs have raised to address this and eventually in 17.6.4 they warned (and created exceptions) but did not block most legacy config. Finally in 17.6.5 (also in 17.9.1) there is an undocumented (but still appears in numerous of Cisco's own config examples) line of config which completely disables CSDL (because it was still blocking a few odd things and they probably got tired of raising bugs to fix each one). The change is implemented by https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvy60839 and the line of config (not even mentioned in the bug itself) is "crypto engine compliance shield disable"

So on the one hand you should be moving to avoid using legacy (insecure) options like MD5/DES/3DES/SHA1 etc but in the meantime if you don't want to see those warnings then use that command. It usually requires a reload to take effect but if it's not causing you any problems you can configure it and wait till the next planned reload.

Note that the above is my opinions and what I've pieced together myself from various sources of info and observations and personal experience of half a router config disappearing when trying to upgrade before 17.6.4. It seems the feature was not thought through very well before adding to IOS-XE and there have been multiple rounds of clean-up ever since.

Also take a look at https://bst.cisco.com/bugsearch/bug/CSCvd45116 and make sure you are using SSH key with strong modulus (at least 2048 - recommend 4096).