Views: 1687 | Helpful: 0 | Replies: 1

diffie-hellman-group15-sha512 ASA Key Exchange

lallaa108
Level 1

Hi,

We are using CyberArk PSM-SSH to SSH to ASA. The PSM-SSH application only supports diffie-hellman-group15-sha512. How do I upgrade the key exchange to diffie-hellman-group15-sha512 (or higher) on an ASA?

The currently supported key exchange groups are:

admin(config)# ssh key-exchange group ?

configure mode commands/options:
curve25519-sha256 Diffie-Hellman group-31-sha256
dh-group1-sha1 Diffie-Hellman group 2 (DEPRECATED)
dh-group14-sha1 Diffie-Hellman group-14-sha1
dh-group14-sha256 Diffie-Hellman group-14-sha256
ecdh-sha2-nistp256 Diffie-Hellman group-19-sha256

The version of software I am running on the ASA is:

Cisco Adaptive Security Appliance Software Version 9.16(2)14 <context>
SSP Operating System Version 2.10(1.182)
Device Manager Version 7.16(1)

Kind regards

 

1 Accepted Solution


manabans
Cisco Employee

Support has been added for DH group 15 for SSL encryption in version 9.16 ASA code, but not for SSH.
The only available SSH key-exchange groups are as below:
curve25519-sha256
dh-group1-sha1
dh-group14-sha1
dh-group14-sha256
ecdh-sha2-nistp256

Reference: Cisco Secure Firewall ASA New Features by Release
https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html 
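
The mismatch described in this thread, as an added example that is not part of the original posts and is not Cisco or CyberArk code: it parses the kex_algorithms name-list from an SSH_MSG_KEXINIT payload (RFC 4253, section 7.1) and applies the basic selection rule to show why a group15-only client finds no common algorithm. The mapping from ASA CLI keywords to on-the-wire algorithm names is an assumption, and the KEXINIT payload is constructed for the example rather than captured from a device.

```python
import struct

SSH_MSG_KEXINIT = 20
# Assumption: ASA CLI keyword -> algorithm name sent on the wire.
ASA_KEYWORD_TO_WIRE = {
    "curve25519-sha256": "curve25519-sha256",
    "dh-group1-sha1": "diffie-hellman-group1-sha1",
    "dh-group14-sha1": "diffie-hellman-group14-sha1",
    "dh-group14-sha256": "diffie-hellman-group14-sha256",
    "ecdh-sha2-nistp256": "ecdh-sha2-nistp256",
}

def name_list(names):
    """Encode an SSH name-list: uint32 length + comma-separated ASCII."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data

def build_kexinit(kex_algorithms):
    """Constructed sample payload; only the first name-list is populated."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)    # message type + cookie
    body += name_list(kex_algorithms)
    body += name_list([]) * 9                      # host key, ciphers, MACs, ...
    return body + b"\x00" + struct.pack(">I", 0)   # first_kex_packet_follows, reserved

def parse_kex_algorithms(payload):
    """Return the kex_algorithms list from a KEXINIT payload."""
    if len(payload) < 21 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    (length,) = struct.unpack_from(">I", payload, 17)  # after type + cookie
    end = 21 + length
    if end > len(payload):
        raise ValueError("truncated kex_algorithms name-list")
    raw = payload[21:end].decode("ascii")
    return raw.split(",") if raw else []

def negotiate(client, server):
    """Simplified RFC 4253 rule: first client algorithm the server also lists."""
    return next((alg for alg in client if alg in server), None)

def check(client_kex, asa_keywords):
    offered = [ASA_KEYWORD_TO_WIRE[k] for k in asa_keywords]
    server = parse_kex_algorithms(build_kexinit(offered))
    return negotiate(client_kex, server)

if __name__ == "__main__":
    # Client list taken from the question: group15-sha512 only.
    result = check(["diffie-hellman-group15-sha512"], list(ASA_KEYWORD_TO_WIRE))
    print("negotiated:", result or "no common key exchange algorithm")
```
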
