12-08-2015 07:20 AM
I have 2 Cisco 6509s running in a VSS configuration. I am attempting to add this device to my CPI 2.2 and getting the following error:
Nov 16 10:08:14.072 EST: SW1: SSH2 0: kex algo not supported: client diffie-hellman-group14-sha1, server diffie-hellman-group1-sha1
I have added this device to CPI 1.3 successfully and I am able to SSH from my CPI CLI to my 6509 successfully. Anyone else run into this?
Richard
02-11-2016 11:26 AM
I'm also running into this problem with PI 3.0 and recently deployed ASAs ( 9.2(3) ). We are using Group14 going forward.
PI is showing that it is synchronized, managed, and "complete" however it is not taking configuration archives. Running 'debug ssh 1' while it tries to connect results in the following:
SSH2 1: SSH2_MSG_KEXINIT sent
SSH2 1: SSH2_MSG_KEXINIT received
SSH2: kex: client->server 3des-cbc hmac-sha1 none
SSH2: kex: server->client 3des-cbc hmac-sha1 none
SSH2 0: kex algo not supported: client diffie-hellman-group1-sha1, server diffie-hellman-group14-sha1
SSH2 1: ssh: kex_choose_conf error
SSH1: Session disconnected by SSH server - error 0x00 "Internal error"
Device ssh opened successfully.
SSH1: SSH client: IP = '10.xxx.xxx.xxx' interface # = 2
SSH: host key initialised
SSH1: starting SSH control process
SSH1: Exchanging versions - SSH-2.0-Cisco-1.25
02-11-2016 11:43 AM
I have an open TAC case with Cisco; their development team has been chewing on it for a couple of months now. The crux of the issue in my case is my server was stood up with FIPS mode enabled. Need to ping them next week for a status.
02-11-2016 12:11 PM
I just opened a case as well after digging through Google some more. *fingers crossed*
02-11-2016 03:31 PM
Alright, so TAC came back and said it isn't supported and that a feature enhancement has been submitted. I was then asked to request it through the Prime GUI.
A quick search on the forums shows this has been an ongoing problem for months, even years.
02-25-2016 05:28 AM
Good news. I worked with one of the developers last week and we did a bunch of testing. They gathered a bunch of debug and trace logs.
They report that this issue should be resolved in the upcoming release.
*Edit* - Bug CSCuy45491 has been filed for the Group14 key-exchange issue. *Edit*
07-12-2016 08:54 AM
We upgraded to Prime Infrastructure 3.1 and I want to report that DH Group14 is still not working.
CSCuy45491 is now public.
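Added example, not part of any post in this thread: a small Python triage script that pulls the "kex algo not supported" lines out of `debug ssh` output and reports which side is still on diffie-hellman-group1-sha1. It assumes the single algorithm logged per side is that side's whole offer and uses a simplified form of the RFC 4253 selection rule (first client algorithm the server also lists); the function names are hypothetical.

```python
import re

# Debug line format as quoted in the posts above. Assumption: the one
# algorithm logged per side is that side's entire key-exchange offer.
KEX_FAIL = re.compile(
    r"kex algo not supported: client (?P<client>[\w@.-]+), server (?P<server>[\w@.-]+)"
)
LEGACY_KEX = {"diffie-hellman-group1-sha1"}  # 1024-bit MODP group

# The two failure lines from the thread, plus one unrelated debug line.
SAMPLE = [
    "Nov 16 10:08:14.072 EST: SW1: SSH2 0: kex algo not supported: "
    "client diffie-hellman-group14-sha1, server diffie-hellman-group1-sha1",
    "SSH2 1: SSH2_MSG_KEXINIT received",
    "SSH2 0: kex algo not supported: "
    "client diffie-hellman-group1-sha1, server diffie-hellman-group14-sha1",
]

def negotiate_kex(client_algos, server_algos):
    """Simplified RFC 4253 rule: first client algorithm the server also lists."""
    for algo in client_algos:
        if algo in server_algos:
            return algo
    return None  # no overlap, so the session is torn down during KEXINIT

def parse_kex_failures(lines):
    """Return one finding per kex failure line, naming the side on group1."""
    findings = []
    for line in lines:
        m = KEX_FAIL.search(line)
        if not m:
            continue
        client, server = m["client"], m["server"]
        legacy = [side for side, algo in (("client", client), ("server", server))
                  if algo in LEGACY_KEX]
        findings.append({
            "client": client,
            "server": server,
            "negotiated": negotiate_kex([client], [server]),
            "legacy_side": legacy[0] if legacy else None,
        })
    return findings

if __name__ == "__main__":
    for f in parse_kex_failures(SAMPLE):
        print(f)
```

In the first post's log the device is the side on group1; in the ASA log it is the connecting client.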