
SSH Key Exchange DH Group 14

rmeans
Level 3

I am trying to issue the command "ssh key-exchange group dhgroup14" on several of my ASA firewalls.  The key-exchange command is failing on 3 of 4 ASA firewalls.  According to Cisco documentation, this command was introduced in 8.4.  My ASAs are running versions 8.6.1.10, 9.1.1.8, 9.1.1.10 and 9.1.2.  The command is available only with 9.1.2.

Example from one of my ASAs.

lbjinetfw# show version | in Version
Cisco Adaptive Security Appliance Software Version 8.6(1)10
Device Manager Version 7.1(2)
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
lbjinetfw# config t
lbjinetfw(config)# ssh
lbjinetfw(config)# ssh ?
configure mode commands/options:
  Hostname or A.B.C.D  The IP address of the host and/or network authorized to
                       login to the system
  X:X:X:X::X/<0-128>   IPv6 address/prefix authorized to login to the system
  scopy                Secure Copy mode
  timeout              Configure ssh idle timeout
  version              Specify protocol version to be supported
exec mode commands/options:
  disconnect  Specify SSH session id to be disconnected after this keyword
lbjinetfw(config)# ssh key-exchange group dhgroup14
       ^
ERROR: % Invalid Hostname
lbjinetfw(config)#

Anyone else have experience with this command?

4 Replies

Jouni Forss
VIP Alumni

Hi,

I can only guess.

Cisco does seem to have several different versions of the software going.

For example the original ASA models started with 8.3 in the new software. The ASASM started with 8.5. The ASA5500-X series started with 8.6 and the ASA1000V started with 8.7.

This command not being supported by the 8.6 might be explained by its being software only usable on the new ASA5500-X models, and if I am not mistaken some versions of 8.6 are actually older than 8.4(5), where the command you mention became available according to some documentation.

Now I have to wonder why, for example, the first 9.1 software releases don't have this. I would imagine it's somehow related to the above and also to how Cisco updates its different software levels.

It does seem that you can't follow the logic that the bigger number is always the one that has everything. To be honest, the versioning hasn't ever been really clear to me, especially now when there are so many different hardware models in the ASA family. For example, I think 9.1(1) had already come out and they released 9.0(2) after that.

Here is a document about the compatibility of the different ASA software and hardware (not that it really helps with the issue you are having)

http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html

I can confirm that the mentioned command is available on my home ASA running 8.4(5). Booting up to 9.1(1) shows that the command isn't supported.

- Jouni

Yes, this behaviour is quite strange: some features from 8.4 are not available in 9.0. But at least it's clearly documented (from the release notes):

Support for Diffie-Hellman Group 14 for the SSH Key Exchange

Support for Diffie-Hellman Group 14 for SSH Key Exchange was added. Formerly, only Group 1 was supported.

We introduced the following command: ssh key-exchange.

This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.0(2), or 9.1(1).

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
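As an added example (not code from this thread or from Cisco), a small pre-flight check an administrator could run over an inventory before pushing the hardening: it parses ASA version strings in both notations seen above, takes 8.4(5) from Jouni's reply as the lower bound, and applies the exclusion list from the release note quoted above. Hostnames are constructed, and releases the thread does not mention are covered only by assumption.

```python
import re
from typing import Dict, List, Tuple

# Releases the quoted release note lists as NOT having "ssh key-exchange",
# as (major, minor, maintenance). Interim builds such as 8.6(1)10 belong to
# the 8.6(1) maintenance release, so they are excluded with it.
UNSUPPORTED_TRAINS = {(8, 5, 1), (8, 6, 1), (8, 7, 1), (9, 0, 1), (9, 0, 2), (9, 1, 1)}

# Lower bound taken from Jouni's reply (command present on 8.4(5)).
# Assumption: anything below this is treated as unsupported.
MIN_VERSION = (8, 4, 5)

# Accepts "8.6(1)10", "9.1(2)", "9.1.1.8" and "9.1.2".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:[.(](\d+)\)?)?(?:\.?(\d+))?$")


def parse_asa_version(text: str) -> Tuple[int, int, int, int]:
    """Normalize an ASA version string to (major, minor, maintenance, interim)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized ASA version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())  # type: ignore[return-value]


def supports_dhgroup14_kex(version: str) -> bool:
    """True if the release should accept 'ssh key-exchange group dhgroup14'."""
    major, minor, maint, _interim = parse_asa_version(version)
    train = (major, minor, maint)
    if train < MIN_VERSION:
        return False
    return train not in UNSUPPORTED_TRAINS


def firewalls_missing_dhgroup14(inventory: Dict[str, str]) -> List[str]:
    """Hostnames whose SSH key exchange is still limited to DH group 1."""
    return sorted(host for host, ver in inventory.items() if not supports_dhgroup14_kex(ver))


# Constructed inventory carrying the four versions the question reports.
SAMPLE_INVENTORY = {
    "fw-a": "8.6(1)10",
    "fw-b": "9.1.1.8",
    "fw-c": "9.1.1.10",
    "fw-d": "9.1.2",
}

if __name__ == "__main__":
    for host in firewalls_missing_dhgroup14(SAMPLE_INVENTORY):
        print(f"{host} ({SAMPLE_INVENTORY[host]}): command will be rejected, upgrade first")
```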

Good find Karsten,

That would definitely be why you can't use that command in 3 out of 4 of your ASAs. 

This question should now be considered answered.

Julio Carvajal
VIP Alumni

Hello Everyone,

Good guess, Jouni.

As he said, the problem is due to how the code releases were implemented.

As a fact: 8.6 and 9.0.1 were built from the 8.4.2 code train.

Regards,

Julio Carvajal

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC