Richard Muhr
Beginner

Error Adding device to CPI 2.2

I have 2 Cisco 6509s running in a VSS configuration.  I am attempting to add this device to my CPI 2.2 and getting the following error:

Nov 16 10:08:14.072 EST: SW1: SSH2 0: kex algo not supported: client diffie-hellman-group14-sha1, server diffie-hellman-group1-sha1

I have added this device to CPI 1.3 successfully and I am able to SSH from my CPI CLI to my 6509 successfully. Anyone else run into this?

Richard

6 Replies
Doug Byrd
Contributor

I'm also running into this problem with PI 3.0 and recently deployed ASAs (9.2(3)).  We are using Group14 going forward.

PI is showing that it is synchronized, managed, and "complete" however it is not taking configuration archives.  Running 'debug ssh 1' while it tries to connect results in the following:

SSH2 1: SSH2_MSG_KEXINIT sent
SSH2 1: SSH2_MSG_KEXINIT received
SSH2: kex: client->server 3des-cbc hmac-sha1 none
SSH2: kex: server->client 3des-cbc hmac-sha1 none
SSH2 0: kex algo not supported: client diffie-hellman-group1-sha1, server diffie-hellman-group14-sha1
SSH2 1: ssh: kex_choose_conf error
SSH1: Session disconnected by SSH server - error 0x00 "Internal error"
Device ssh opened successfully.
SSH1: SSH client: IP = '10.xxx.xxx.xxx' interface # = 2
SSH: host key initialised
SSH1: starting SSH control process
SSH1: Exchanging versions - SSH-2.0-Cisco-1.25

I have an open TAC case with Cisco, their development team has been chewing on it for a couple of months now.  The crux of the issue in my case is my server was stood up with FIPS mode enabled. Need to ping them next week for a status.

I just opened a case as well after digging through Google some more.  *fingers crossed*

Alright, so TAC came back and said it isn't supported and that a feature enhancement has been submitted.  I was then asked to request it through the Prime GUI.

A quick search on the forums shows this has been an ongoing problem for months, even years.

Good news.  I worked with one of the developers last week and we did a bunch of testing.  They gathered a bunch of debug and trace logs.

They report that this issue should be resolved in the upcoming release.

*Edit* - Bug CSCuy45491  has been filed for the Group14 key-exchange issue. *Edit*
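
Both failures in this thread are the same SSH2 negotiation problem seen from opposite sides: in the first log line the client offers only diffie-hellman-group14-sha1 while the server offers only diffie-hellman-group1-sha1, and in the `debug ssh` output it is the reverse. The following Python is an added example (not Cisco, Prime Infrastructure or ASA code) that parses SSH_MSG_KEXINIT payloads and runs the RFC 4253 section 7.1 selection rule, so the "kex algo not supported" condition can be reproduced offline. The KEXINIT payloads it builds are constructed for illustration, not captures from the devices above, and the error string is modelled on the IOS debug line rather than taken from Cisco source.

```python
"""
Minimal SSH2 KEXINIT encoder/decoder plus RFC 4253 section 7.1 key-exchange
negotiation. Added example, not code from the original thread or from Cisco.
All payloads below are constructed for illustration.
"""
import struct

SSH_MSG_KEXINIT = 20

# Order of the name-lists in a KEXINIT payload (RFC 4253 section 7.1).
KEXINIT_FIELDS = [
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_client_to_server", "encryption_server_to_client",
    "mac_client_to_server", "mac_server_to_client",
    "compression_client_to_server", "compression_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
]


def _read_string(buf, off):
    """Read one SSH 'string' (uint32 length + bytes) at offset off."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def parse_kexinit(payload):
    """Decode a KEXINIT payload into a dict of name-lists (each a Python list)."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16  # message id + 16-byte random cookie
    out = {}
    for name in KEXINIT_FIELDS:
        raw, off = _read_string(payload, off)
        out[name] = raw.decode("ascii").split(",") if raw else []
    out["first_kex_packet_follows"] = bool(payload[off])
    return out


def build_kexinit(kex, hostkey, enc, mac, comp=("none",), cookie=b"\x00" * 16):
    """Encode a KEXINIT payload; the same enc/mac list is used in both directions."""
    def s(items):
        data = ",".join(items).encode("ascii")
        return struct.pack(">I", len(data)) + data
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    body += s(kex) + s(hostkey) + s(enc) + s(enc) + s(mac) + s(mac)
    body += s(comp) + s(comp) + s([]) + s([])
    body += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved
    return body


def choose_kex(client_kex, server_kex):
    """RFC 4253 7.1: first algorithm on the client's list that the server also lists."""
    for algo in client_kex:
        if algo in server_kex:
            return algo
    return None


def negotiate(client_payload, server_payload):
    """Return (chosen_kex or None, diagnostic string) for a client/server KEXINIT pair."""
    c = parse_kexinit(client_payload)
    s = parse_kexinit(server_payload)
    chosen = choose_kex(c["kex_algorithms"], s["kex_algorithms"])
    if chosen is None:
        # Same shape as the IOS debug line, built here from the parsed lists.
        return None, "kex algo not supported: client %s, server %s" % (
            ",".join(c["kex_algorithms"]), ",".join(s["kex_algorithms"]))
    return chosen, "kex: %s" % chosen


# Constructed proposals. Only the kex list matters for this example.
HOSTKEY, ENC, MAC = ["ssh-rsa"], ["3des-cbc"], ["hmac-sha1"]
GROUP14_ONLY = build_kexinit(["diffie-hellman-group14-sha1"], HOSTKEY, ENC, MAC)
GROUP1_ONLY = build_kexinit(["diffie-hellman-group1-sha1"], HOSTKEY, ENC, MAC)
GROUP14_THEN_1 = build_kexinit(
    ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"], HOSTKEY, ENC, MAC)

if __name__ == "__main__":
    # First post: client offers group14 only, server (6509) offers group1 only.
    print(negotiate(GROUP14_ONLY, GROUP1_ONLY)[1])
    # debug ssh output: client offers group1 only, server (ASA) offers group14 only.
    print(negotiate(GROUP1_ONLY, GROUP14_ONLY)[1])
    # A client listing both lets the server's single supported group be chosen.
    print(negotiate(GROUP14_THEN_1, GROUP1_ONLY)[1])
    print(negotiate(GROUP14_THEN_1, GROUP14_ONLY)[1])
```

The practical check the script models is reading the two KEXINIT proposals: with OpenSSH, `ssh -vv` to the device prints both sides' lists, and `ssh -Q kex` prints what the local client can offer. Because the server only picks from the client's list, a client that offers a single group fails against every server that lacks exactly that group, which is why one side offering both groups (as in the last two cases) connects where either single-group proposal does not.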

Doug Byrd
Contributor

We upgraded to Prime Infrastructure 3.1 and I want to report that DH Group14 is still not working.

CSCuy45491 is now public.
