Unable to SSH from Nexus 9k to ASA - no matching key exchange

rlyons989
Level 4

Installed a new Nexus 9k core and ASA 5525-X today and wasn't able to SSH from the Nexus to the ASA. We get the following error:

nex9k-01# ssh 10.x.x.x <-- Inside interface of ASA
Unable to negotiate with 10.x.x.x port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

Running the latest gold-star code: ASA 9.6(3)1 and Nexus 7.0(3)I4(6).

We are able to SSH to the ASA's inside interface when we connect via AnyConnect, just not from the Nexus.

Doesn't look like there's any way to change the key offered on the ASA. Is there any way to make the Nexus accept group1-sha1?

5 Replies

Aditya Ganjoo
Cisco Employee

Hi,

On ASA you can change the ciphers.

Check the output of the show run all ssl command; that will give you the ciphers enabled on it.

After that, you can also take the output of debug ip ssh on the Nexus to check what is being sent by the Nexus during the SSH negotiation.

Regards,

Aditya

Please rate helpful and mark correct answers

Marvin Rhoads
Hall of Fame

There is a known issue with some recent NX-OS versions where they cannot negotiate what they consider a weak cipher when acting as an ssh client - such as you are trying. It is an issue of ctr vs. cbc mode. New NX-OS only supports the stronger ctr mode.

Reference: http://www.cisco.com/c/en/us/support/docs/switches/nexus-9000-series-switches/200663-Unable-to-SSH-into-Nexus-9K-fatal.html

From your ASA type "show ssh". Make sure you have both cbc and ctr encryption types listed.

Alternatively (though not recommended) you can re-enable weak ciphers on the Nexus as described in the tech note link.

Here's the output from the ASA for show ssh and show run all ssl:

asa-01/pri/act# show ssh
Idle Timeout: 30 minutes
Versions allowed: 1 and 2
Cipher encryption algorithms enabled: aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr
Cipher integrity algorithms enabled: hmac-sha1 hmac-sha1-96

Hosts allowed to ssh into the system:
0.0.0.0 0.0.0.0 inside

asa-01/pri/act# 

Is the problem with the encryption (cbc vs. ctr) or the integrity algorithm (sha1)? If it's with the encryption, is there any way to prefer the stronger ctr?

asa-01/pri/act# 
asa-01/pri/act# sh run all ssl
ssl server-version tlsv1
ssl client-version tlsv1
ssl cipher default custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 medium
ssl cipher dtlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl dh-group group2
ssl ecdh-group group19
ssl certificate-authentication fca-timeout 2
asa-01/pri/act#

Not sure how to interpret the output above from the show run all ssl command.

I wasn't able to do a debug ip ssh on the Nexus (see below):

nex9k-01# debug ip ssh ?
^
% Invalid command at '^' marker.

You can do a packet capture on the ASA filtering for the Nexus' source address. Then initiate the session and watch for the traffic.

Once you get the failure stop the capture and decode the captured traffic. Share that if you are able.
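As an added example of the decode step suggested above (my code, not from the thread, Cisco, or either platform): the script below strips the SSH binary-packet framing from the server's first unencrypted packet, parses the SSH_MSG_KEXINIT name-lists (RFC 4253 section 7.1), and replays the negotiation against a client's lists to show which category has no algorithm in common. The ASA lists are taken from the show ssh output and the error message in this thread; the ASA host-key and compression entries, and the whole NX-OS client offer, are assumptions made for illustration. The packet is constructed with build_kexinit in place of a real capture; with a real capture you would feed in the TCP payload that follows the version banner (ssh -vvv on an OpenSSH client prints the same peer proposal).

```python
"""Decode SSH_MSG_KEXINIT and replay RFC 4253 section 7.1 negotiation."""
import struct

SSH_MSG_KEXINIT = 20
# Name-list order inside KEXINIT, per RFC 4253 section 7.1.
CATEGORIES = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
LABELS = {"kex": "key exchange method", "host_key": "host key type",
          "enc_c2s": "cipher", "enc_s2c": "cipher",
          "mac_c2s": "MAC", "mac_s2c": "MAC"}

ASA_CIPHERS = ["aes128-cbc", "aes192-cbc", "aes256-cbc",
               "aes128-ctr", "aes192-ctr", "aes256-ctr"]
# Server side: from the thread's "show ssh" output and error text.
# host_key and compression are assumptions (not shown in the thread).
ASA_LISTS = {
    "kex": ["diffie-hellman-group1-sha1"],
    "host_key": ["ssh-rsa"],
    "enc_c2s": ASA_CIPHERS, "enc_s2c": ASA_CIPHERS,
    "mac_c2s": ["hmac-sha1", "hmac-sha1-96"],
    "mac_s2c": ["hmac-sha1", "hmac-sha1-96"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
}
# Client side: constructed for this example, not a real NX-OS offer.
NXOS_LISTS = {
    "kex": ["diffie-hellman-group-exchange-sha256",
            "diffie-hellman-group14-sha1"],
    "host_key": ["ssh-rsa"],
    "enc_c2s": ["aes128-ctr", "aes192-ctr", "aes256-ctr"],
    "enc_s2c": ["aes128-ctr", "aes192-ctr", "aes256-ctr"],
    "mac_c2s": ["hmac-sha2-256", "hmac-sha1"],
    "mac_s2c": ["hmac-sha2-256", "hmac-sha1"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
}


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Serialise a KEXINIT payload (stands in for a captured one here)."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for cat in CATEGORIES:
        names = ",".join(lists.get(cat, [])).encode("ascii")
        payload += struct.pack(">I", len(names)) + names
    # first_kex_packet_follows = FALSE, then the reserved uint32 0
    return payload + b"\x00" + b"\x00\x00\x00\x00"


def wrap_packet(payload, block=8):
    """Binary packet framing (RFC 4253 section 6): length, pad_len, payload, pad."""
    pad = block - (5 + len(payload)) % block
    if pad < 4:
        pad += block
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + b"\x00" * pad


def unwrap_packet(raw):
    """Strip framing from the first (still unencrypted) packet of a stream."""
    length, pad = struct.unpack(">IB", raw[:5])
    return raw[5:5 + length - 1 - pad]


def parse_kexinit(payload):
    """Return the ten KEXINIT name-lists as {category: [names]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, lists = 1 + 16, {}  # skip message byte and 16-byte cookie
    for cat in CATEGORIES:
        (n,) = struct.unpack(">I", payload[off:off + 4])
        raw = payload[off + 4:off + 4 + n]
        off += 4 + n
        lists[cat] = raw.decode("ascii").split(",") if raw else []
    lists["first_kex_packet_follows"] = bool(payload[off])
    return lists


def negotiate(client, server):
    """Per category, the first client algorithm the server also lists wins;
    a category with no overlap aborts the connection (RFC 4253 section 7.1)."""
    chosen, failures = {}, []
    for cat in CATEGORIES[:6]:
        pick = next((a for a in client[cat] if a in server[cat]), None)
        chosen[cat] = pick
        if pick is None:
            failures.append((cat, server[cat]))
    return chosen, failures


def diagnose(raw_server_packet, client_lists):
    """Decode a captured server KEXINIT and report the first failing
    category in the wording OpenSSH-style clients print."""
    server = parse_kexinit(unwrap_packet(raw_server_packet))
    chosen, failures = negotiate(client_lists, server)
    if not failures:
        return chosen, failures, "negotiation succeeds"
    cat, offer = failures[0]
    return chosen, failures, "no matching %s found. Their offer: %s" % (
        LABELS[cat], ",".join(offer))


if __name__ == "__main__":
    pkt = wrap_packet(build_kexinit(ASA_LISTS))  # constructed stand-in for a capture
    chosen, failures, msg = diagnose(pkt, NXOS_LISTS)
    print(msg)
    for cat, pick in chosen.items():
        print("%-9s %s" % (cat, pick or "NONE"))
```

Each of the six categories is negotiated independently, so in this replay the cipher and MAC lists agree (aes128-ctr and hmac-sha1 are chosen) and only the key-exchange list fails, which is exactly what the "no matching key exchange method found" message in the original post names; adding or removing cbc ciphers on either side does not change that outcome. To resolve it one side has to move: either the client accepts diffie-hellman-group1-sha1 (a 1024-bit group, not recommended) or the server offers a stronger group. On ASA 9.x the offered group is selected with the ssh key-exchange group command; check the release's command reference for the groups a given version supports.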

Aditya Ganjoo
Cisco Employee

Hi,

Adding to what Marvin explained, you can refer to the following enhancements:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuv39937/?reffering_site=dumpcr

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCun41202/?reffering_site=dumpcr

Regards,

Aditya

Please rate helpful and mark correct answers
