Cisco1721 "RSA keys too weak"

vanwijk
Level 1

Hello,

I have a Cisco1721 installed running "c1700-k9o3sy7-mz.122-8.T5.bin" for our VPN solution. Everything looks fine at first, but there are some difficulties I cannot solve at the moment.

Users connected to this router have difficulties running Pc-Anywhere over the WAN.

The additional parameter 'no crypto engine accelerator' solves this problem.

Now I have problems reaching this Cisco1721 over SSH; it says "RSA keys too weak". At the moment IP traffic is running quite normally, as it seems. But something is wrong and I do not know what.

It has something to do with the encryption module, I think!

Is there any expert out there who can give me a reasonable answer?

Best regards

Edwin van Wijk

4 Replies

gfullage
Cisco Employee

The "no crypto engine accel" command turns off the hardware crypto card in your router, effectively having all encryption done in software by the CPU. There were some initial problems with these cards, but in general now they run fine and you shouldn't have to turn it off for specific traffic types to flow. I would probably suggest opening a TAC case so we can investigate this further.

As for the "RSA keys too weak" message, I presume this is coming up in your SSH client, correct? It must have some parameter in it that checks the length of the key it receives from the router and complains. You can regenerate the key on the router and make it longer by issuing the command:

sv3-5(config)#cry key gen rsa
The name for the keys will be: sv3-5.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
Generating RSA keys ...
[OK]
sv3-5(config)#

You'll have to choose a key length longer than whatever length your SSH application is complaining about, I would think 1024 should suffice though.
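The check the SSH client is making above can be reproduced on the workstation side, so you can confirm what key size the router is actually presenting before and after regenerating it. The following is an added example, not code from the original thread or from Cisco: it parses an `ssh-rsa` host-key line in the shape `ssh-keyscan -t rsa <router>` (or a known_hosts entry) produces, reads the modulus out of the SSH wire format, and compares its bit length with a minimum. The 1024-bit floor is an assumption taken from what current OpenSSH clients enforce, and the two sample keys are constructed for size only (their moduli are not products of primes).

```python
import base64
import struct

# Assumption: modern OpenSSH clients refuse RSA keys shorter than 1024 bits;
# the threshold is a parameter so the check can be made stricter.
MIN_RSA_BITS = 1024


def _ssh_string(buf, off):
    """Read one SSH wire-format string (uint32 length prefix) at offset off."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", buf[off:off + 4])
    end = off + 4 + length
    if end > len(buf):
        raise ValueError("truncated string body")
    return buf[off + 4:end], end


def rsa_modulus_bits(key_line):
    """Return the RSA modulus size in bits for one 'ssh-rsa AAAA...' line.

    Accepts both the bare 'ssh-rsa <b64>' shape and the ssh-keyscan /
    known_hosts shape '<host> ssh-rsa <b64> [comment]'.
    """
    fields = key_line.split()
    try:
        idx = fields.index("ssh-rsa")
    except ValueError:
        raise ValueError("not an ssh-rsa key line") from None
    blob = base64.b64decode(fields[idx + 1])
    alg, off = _ssh_string(blob, 0)
    if alg != b"ssh-rsa":
        raise ValueError("blob algorithm is %r, expected ssh-rsa" % alg)
    _e, off = _ssh_string(blob, off)       # public exponent, not needed here
    n_bytes, _ = _ssh_string(blob, off)    # modulus, encoded as an mpint
    # An mpint is big-endian two's complement; a leading 0x00 pad byte is
    # present when the top bit is set and must not count toward the size.
    return int.from_bytes(n_bytes, "big").bit_length()


def key_is_acceptable(key_line, min_bits=MIN_RSA_BITS):
    """True if the host key's modulus meets the client's minimum size."""
    return rsa_modulus_bits(key_line) >= min_bits


def encode_ssh_rsa(e, n, host=None):
    """Build an 'ssh-rsa' line from (e, n); used here only to construct samples."""
    def mpint(x):
        # one spare byte keeps the sign bit clear when the top bit of x is set
        body = x.to_bytes((x.bit_length() + 8) // 8, "big")
        return struct.pack(">I", len(body)) + body

    def sstr(b):
        return struct.pack(">I", len(b)) + b

    blob = sstr(b"ssh-rsa") + mpint(e) + mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return (host + " " + line) if host else line


# Constructed sample moduli: the right size, but NOT real RSA moduli
# (not products of two primes); they only exercise the size check.
SAMPLE_512 = encode_ssh_rsa(65537, (1 << 511) + 12345, host="router.example.net")
SAMPLE_1024 = encode_ssh_rsa(65537, (1 << 1023) + 12345, host="router.example.net")

if __name__ == "__main__":
    for line in (SAMPLE_512, SAMPLE_1024):
        bits = rsa_modulus_bits(line)
        verdict = "ok" if bits >= MIN_RSA_BITS else "too weak"
        print("%s: %d-bit RSA host key -> %s" % (line.split()[0], bits, verdict))
```

Against a real router, feed the line printed by `ssh-keyscan -t rsa <router>` to `rsa_modulus_bits`; running it once before and once after the key regeneration, and again after a reload, makes it obvious whether the router is still presenting the old 512-bit key.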

Hello,

Thanks for your help; you're totally right, but what you have suggested I already did several times.

After generating a new key everything works OK, as it seems, but after powering off and powering on this router the problem re-occurs.

I encounter this problem only with 1721-routers.

I'll now go for your plan B, opening a TAC case.

Best regards

Edwin van Wijk

Edwin,

I had some problems myself with the 1721 and the vpn accelerator card.

Upgrading to the last T release of the 12.2 train did solve my problem; maybe it will solve yours?

Hello,

Yes, it took some time to get the problem solved, because I did not know exactly what was going on. Now we are running the c1700-k9o3sy7-mz.122-13.T.bin software and the problem is solved.

Thanks for your reaction.

Best regards

Edwin van Wijk
