I'm using Telnet, as we don't have 3DES license, but DES.

The PIX version is 6.2.2 , not 6.2.1 . Do you know if the bug also happens with this version? It looks like that.

Why would you need a 3DES license on the PIX? We use ssh all the time to connect to our Pix's and are running a single DES license. I would suggest setting up ssh access to the PIX from the IDS and giving it a shot. It should work with the single DES license that you have.

As Sean said, make sure you use the command line as user netrangr and use ssh -l pix -c des first and accept the certificate. Otherwise it will not work.

Right

I can connect from command . But I guess I should have to configure certain IDS file so that the automatic connection is made using DES, shouldn't ?

Which configuration file is that? I don't have too much knowledge about Solaris

Clarification: The PIX supports DES connections but the 3.0 sensor

does not. There is no configuration file you can edit that will change

this; it requires a sensor application code update. This update will

be forthcoming in the 4.0 sensor. In the meanwhile, you have 3

options:

1. Obtain the nr.managed engineering build described elsewhere on

this thread and continue to use Telnet to connect to the PIX.

2. Upgrade your PIX license to 3DES and use SSH to connect.

3. Open a TAC case and request an engineering build of nr.managed

that supports DES.

i´m with you m-raft. i think it should work, but i get another error:

syslog on my 6.2.2 pix:

%PIX-6-315011: SSH session from 1.1.1.1 on interface inside for user "" disconnected by SSH server, reason: "Invalid message length" (0x00)

the "debug ssh" output shows, that DES connection is established, but a data packetis too long:

25: SSH: Device opened successfully.

26: SSH: host key initialised

27: SSH1: SSH client: IP = '1.1.1.1' interface # = 1

28: SSH1: starting SSH control process

29: SSH1: Exchanging versions - SSH-1.5-Cisco-1.25

30: SSH1: send SSH message: outdata is NULL

31: SSH1: receive SSH message: 83 (83)

32: SSH1: client version is - SSH-1.5-OpenSSH_3.1p1

33: SSH1: begin server key generation

34: SSH1: complete server key generation, elapsed time = 530 ms

35: SSH1: declare what cipher(s) we support: 0x00 0x00 0x00 0x04

36: SSH1: send SSH message: SSH_SMSG_PUBLIC_KEY (2)

37: SSH1: SSH_SMSG_PUBLIC_KEY message sent

38: SSH1: receive SSH message: SSH_CMSG_SESSION_KEY (3)

39: SSH1: SSH_CMSG_SESSION_KEY message received - msg type 0x03, length 144

40: SSH1: client requests DES cipher: 2

41: SSH1: send SSH message: SSH_SMSG_SUCCESS (14)

42: SSH1: keys exchanged and encryption on

43: SSH1: incoming data packet too long: data len (1466004078) + padding = 1466004080 > max (6152)

44: SSH1: big packet received during session setup (state = 4), so drop the connection

45: SSH1: receive SSH message: [no message ID: variable *data is NULL]

46: SSH1: send SSH message: SSH_MSG_DISCONNECT (1)

47: SSH1: Session disconnected by SSH server - error 0x00 "Invalid message length"

what could cause this problem ???

The error occurs because IDS 3.0 sensors can not establish

an SSH connection to a PIX using DES encryption. This problem

will be fixed in the 4.0 sensor. See my other post for alternatives

you can try until then.

The Telnet bug affects all 6.2.x PIX versions.

If you would like to continue using Telnet, you can download the

engineering build of nr.managed from CCO (ask your TAC

contact exactly where to find it and how to install). A future version of

IDS will fix Telnet support, as well as allowing SSH connections to

PIXes that have DES licenses.

I have pix 6.1.4 , and I face this same problem exactly . Does any one know that this problem apply for 6.1.4 version ??