07-29-2017 08:41 PM - edited 03-12-2019 02:45 AM
Installed a new Nexus 9k core and ASA 5525-X today and wasn't able to SSH from the Nexus to the ASA. We get the following error:
nex9k-01# ssh 10.x.x.x <-- Inside interface of ASA
Unable to negotiate with 10.x.x.x port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
Running latest gold-star code on the ASA 9.6(3)1 and Nexus 7.0(3)I4(6)
We are able to SSH to the ASA's inside interface when we connect via AnyConnect, just not from the Nexus.
Doesn't look like there's any way to change the key offered on the ASA. Is there any way to make the Nexus accept group1-sha1?
07-29-2017 10:40 PM
Hi,
On ASA you can change the ciphers.
Check the output of show run all
Post that you can also take an output of
Regards,
Aditya
Please rate helpful and mark correct answers
07-30-2017 04:49 AM
There is a known issue with some recent NX-OS versions where they cannot negotiate what they consider a weak cipher when acting as an ssh client - such as you are trying. It is an issue of ctr vs. cbc mode. New NX-OS only supports the stronger ctr mode.
Reference: http://www.cisco.com/c/en/us/support/docs/switches/nexus-9000-series-switches/200663-Unable-to-SSH-into-Nexus-9K-fatal.html
From your ASA type "show ssh". Make sure you have both cbc and ctr encryption types listed.
Alternatively (though not recommended) you can re-enable weak ciphers on the Nexus as described in the tech note link.
07-30-2017 04:28 PM
Here's output from the ASA for show ssh and show run all ssl
asa-01/pri/act# show ssh
Idle Timeout: 30 minutes
Versions allowed: 1 and 2
Cipher encryption algorithms enabled: aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr
Cipher integrity algorithms enabled: hmac-sha1 hmac-sha1-96
Hosts allowed to ssh into the system:
0.0.0.0 0.0.0.0 inside
asa-01/pri/act#
Is the problem with the encryption (cbc vs. ctr) or integrity algorithm (sha1)? If it's with the encryption, is there any way to prefer the stronger ctr?
asa-01/pri/act#
asa-01/pri/act# sh run all ssl
ssl server-version tlsv1
ssl client-version tlsv1
ssl cipher default custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 medium
ssl cipher dtlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl dh-group group2
ssl ecdh-group group19
ssl certificate-authentication fca-timeout 2
asa-01/pri/act#
Not sure how to interpret the output above from the show run all ssl command.
I wasn't able to do a debug ip ssh on the Nexus (see below)
nex9k-01# debug ip ssh ?
^
% Invalid command at '^' marker.
07-30-2017 10:17 PM
You can do a packet capture on the ASA filtering for the Nexus' source address. Then initiate the session and watch for the traffic.
Once you get the failure stop the capture and decode the captured traffic. Share that if you are able.
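Added example (not code from the thread or from Cisco): a small Python decoder for the SSH_MSG_KEXINIT payload that a packet capture of the failed session would contain, followed by the RFC 4253 section 7.1 negotiation (first algorithm in the client's list that the server also lists) run over the three algorithm classes. The ASA side is filled in from what the thread shows ("Their offer: diffie-hellman-group1-sha1" and the "show ssh" cipher and integrity lists); the NX-OS client lists are an assumption modelled on an OpenSSH 7.x client that no longer offers diffie-hellman-group1-sha1 by default and only offers ctr ciphers. The host key and compression lists are placeholders.

```python
"""Decode SSH KEXINIT name-lists and run the RFC 4253 7.1 negotiation over them."""
import struct

SSH_MSG_KEXINIT = 20

# The ten name-lists in a KEXINIT payload, in wire order (RFC 4253 section 7.1).
KEXINIT_FIELDS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Serialise a KEXINIT payload from a dict of field -> list of names (missing fields empty)."""
    out = bytearray([SSH_MSG_KEXINIT]) + cookie
    for field in KEXINIT_FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(names)) + names   # name-list = uint32 length + comma-separated names
    out += b"\x00"                                      # first_kex_packet_follows = FALSE
    out += struct.pack(">I", 0)                         # reserved
    return bytes(out)


def parse_kexinit(payload):
    """Parse a KEXINIT payload (the bytes after the binary-packet header and padding length)."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos = 1 + 16                                        # skip message id and 16-byte cookie
    lists = {}
    for field in KEXINIT_FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        raw = payload[pos:pos + n]
        if len(raw) != n:
            raise ValueError("truncated name-list")
        pos += n
        lists[field] = raw.decode("ascii").split(",") if raw else []
    return lists


def negotiate(client, server, field):
    """RFC 4253 7.1: the client's first preference that also appears in the server's list, else None.
    (The real kex choice also has to be usable with a negotiated host key algorithm; omitted here.)"""
    for alg in client[field]:
        if alg in server[field]:
            return alg
    return None


NEGOTIATED_FIELDS = (
    "kex_algorithms",
    "encryption_algorithms_client_to_server",
    "mac_algorithms_client_to_server",
)


def negotiate_all(client, server):
    """Negotiate kex, cipher and MAC; a None value marks the class that makes the handshake fail."""
    return {f: negotiate(client, server, f) for f in NEGOTIATED_FIELDS}


def diagnose(client, server):
    """Return OpenSSH-style failure lines for every class with no common algorithm."""
    labels = {"kex_algorithms": "key exchange method",
              "encryption_algorithms_client_to_server": "cipher",
              "mac_algorithms_client_to_server": "MAC"}
    return [f"no matching {labels[f]} found. Their offer: {','.join(server[f])}"
            for f, chosen in negotiate_all(client, server).items() if chosen is None]


# ASA server side, taken from the thread's error message and "show ssh" output.
ASA_LISTS = {
    "kex_algorithms": ["diffie-hellman-group1-sha1"],
    "server_host_key_algorithms": ["ssh-rsa"],          # placeholder, not shown in the thread
    "encryption_algorithms_client_to_server": ["aes128-cbc", "aes192-cbc", "aes256-cbc",
                                               "aes128-ctr", "aes192-ctr", "aes256-ctr"],
    "encryption_algorithms_server_to_client": ["aes128-cbc", "aes192-cbc", "aes256-cbc",
                                               "aes128-ctr", "aes192-ctr", "aes256-ctr"],
    "mac_algorithms_client_to_server": ["hmac-sha1", "hmac-sha1-96"],
    "mac_algorithms_server_to_client": ["hmac-sha1", "hmac-sha1-96"],
    "compression_algorithms_client_to_server": ["none"],
    "compression_algorithms_server_to_client": ["none"],
}

# NX-OS client side: constructed assumption modelled on an OpenSSH 7.x default offer
# (group1-sha1 dropped, ctr-only ciphers), not an actual NX-OS 7.0(3)I4(6) capture.
NXOS_LISTS = {
    "kex_algorithms": ["curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
                       "diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha1"],
    "server_host_key_algorithms": ["ssh-rsa"],
    "encryption_algorithms_client_to_server": ["aes128-ctr", "aes192-ctr", "aes256-ctr"],
    "encryption_algorithms_server_to_client": ["aes128-ctr", "aes192-ctr", "aes256-ctr"],
    "mac_algorithms_client_to_server": ["hmac-sha2-256", "hmac-sha1"],
    "mac_algorithms_server_to_client": ["hmac-sha2-256", "hmac-sha1"],
    "compression_algorithms_client_to_server": ["none"],
    "compression_algorithms_server_to_client": ["none"],
}

# Round-trip through the wire format, as the bytes from a capture would be decoded.
ASA_SERVER = parse_kexinit(build_kexinit(ASA_LISTS))
NXOS_CLIENT = parse_kexinit(build_kexinit(NXOS_LISTS))

if __name__ == "__main__":
    for field, chosen in negotiate_all(NXOS_CLIENT, ASA_SERVER).items():
        print(f"{field}: {chosen}")
    for line in diagnose(NXOS_CLIENT, ASA_SERVER):
        print("FAIL:", line)
```

With these lists the cipher and MAC classes both have a common member (aes128-ctr, hmac-sha1) and only the key exchange list does not, which is the class the original error message names. To use it on a real capture, feed `parse_kexinit` the payload of each side's KEXINIT packet (message id 20) and pass the two dicts to `negotiate_all`; whichever class returns None is the one that needs a configuration change on one side. diffie-hellman-group1-sha1 uses a 1024-bit group and SHA-1, which is why newer clients stopped offering it by default.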
07-30-2017 05:17 AM
Hi,
Adding to what Marvin explained you can refer to the following enhancements:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuv39937/?reffering_site=dumpcr
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCun41202/?reffering_site=dumpcr
Regards,
Aditya
Please rate helpful and mark correct answers