Nexus 93180 FIPS issue.

jegirbach
Level 1

When we enable FIPS on our Nexus 93180LC-EX after reload we are unable to SSH into the box.  We have to console into the box and remove the FIPS command in order to get back into the box via SSH.


Has anyone else experienced this issue before?  Are we doing something wrong when enabling FIPS?


I will not be able to send outputs from this box since it is on the high side.


Thank you 

Jason

3 Replies

balaji.bandi
Hall of Fame

Not sure I recollect correctly - there are prerequisites.


Prerequisites for FIPS

FIPS has the following prerequisites:

• Disable Telnet. Users should log in using Secure Shell (SSH) only.

• Disable SNMPv1 and v2. Any existing user accounts on the device that have been configured for SNMPv3 should be configured only with SHA for authentication and AES/3DES for privacy.

• Delete all SSH server RSA1 key-pairs.

• Enable HMAC-SHA1 message integrity checking (MIC) for use during the Cisco TrustSec Security Association Protocol (SAP) negotiation. To do so, enter the sap hash-algorithm HMAC-SHA-1 command from the cts-manual or cts-dot1x mode. Note that this command is not supported for F1 Series or F2 Series modules.

 

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6-x/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6-x_chapter_011.pdf

BB

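An added pre-flight check for the prerequisites quoted in the reply above; this is example code written for this thread, not a Cisco tool. It lints a constructed NX-OS-style running-config excerpt for the items the guide lists (Telnet enabled, SNMPv1/v2c communities, SNMPv3 users not on SHA/AES/3DES, RSA1 key-pairs); the exact CLI patterns it matches, in particular the "ssh key rsa1" line, are assumptions, so compare them against the real `show running-config` output before relying on them.

```python
import re

# Constructed sample running-config excerpt (not from the thread) in NX-OS style.
SAMPLE_CONFIG = """\
feature telnet
feature ssh
snmp-server community public group network-operator
snmp-server user admin network-admin auth md5 0x1234 priv des 0x5678
snmp-server user auditor network-operator auth sha 0xabcd priv aes-128 0xef01
ssh key rsa 2048
"""

# Assumed syntax for an SSHv1 (RSA1) host key line; verify on your platform.
RSA1_KEY_RE = re.compile(r"^ssh key rsa1\b")
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)")
V3_USER_RE = re.compile(r"^snmp-server user (\S+) \S+ auth (\S+) \S+ priv (\S+)")


def fips_preflight(config_text):
    """Return one finding string per FIPS prerequisite the config violates.

    An empty list means none of the checked prerequisites are violated.
    """
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "feature telnet":
            findings.append("Telnet enabled: disable it, SSH logins only")
        m = COMMUNITY_RE.match(line)
        if m:
            findings.append(f"SNMPv1/v2c community '{m.group(1)}': remove it")
        m = V3_USER_RE.match(line)
        if m:
            user, auth, priv = m.groups()
            if auth.lower() != "sha":
                findings.append(f"SNMPv3 user '{user}' auth {auth}: must be SHA")
            if not (priv.lower().startswith("aes") or priv.lower() == "3des"):
                findings.append(f"SNMPv3 user '{user}' priv {priv}: must be AES/3DES")
        if RSA1_KEY_RE.match(line):
            findings.append("SSH RSA1 key-pair present: delete it before enabling FIPS")
    return findings


if __name__ == "__main__":
    for finding in fips_preflight(SAMPLE_CONFIG):
        print("FAIL:", finding)
```

Run it against a saved copy of the running-config before entering the FIPS command, and only reload once it reports nothing.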

JJ6326
Level 1

Did you ever fix this issue?  None of our Nexus devices ssh/scp/authentication work after enabling FIPS mode.

BradBoyce96996
Level 1

I ran into the same issue.  Was there a fix?
