05-30-2013 04:28 AM - edited 03-11-2019 06:51 PM
I am trying to issue command "ssh key-exchange group dhgroup14" on several of my ASA firewalls. The key-exchange command is failing on 3 of 4 ASA firewalls. According to Cisco documentation, this command was introduced in 8.4. My ASAs are running version 8.6.1.10, 9.1.1.8, 9.1.1.10 and 9.1.2. The command is available only with 9.1.2.
Example from one my ASA.
lbjinetfw# show version | in Version
Cisco Adaptive Security Appliance Software Version 8.6(1)10
Device Manager Version 7.1(2)
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
lbjinetfw# config t
lbjinetfw(config)# ssh
lbjinetfw(config)# ssh ?
configure mode commands/options:
Hostname or A.B.C.D The IP address of the host and/or network authorized to
login to the system
X:X:X:X::X/<0-128> IPv6 address/prefix authorized to login to the system
scopy Secure Copy mode
timeout Configure ssh idle timeout
version Specify protocol version to be supported
exec mode commands/options:
disconnect Specify SSH session id to be disconnected after this keyword
lbjinetfw(config)# ssh key-exchange group dhgroup14
^
ERROR: % Invalid Hostname
lbjinetfw(config)#
Anyone else have experience with this command?
05-30-2013 01:12 PM
Hi,
I can only guess.
Cisco does seem to have several different versions of the software going.
For example the original ASA models started with 8.3 in the new software. The ASASM started with 8.5. The ASA5500-X series started with 8.6 and the ASA1000V started with 8.7.
This command not being supported by the 8.6 might be explained by it being software only usable on the new ASA5500-X models, and if I am not mistaken some versions of 8.6 are actually older than 8.4(5) where the command you mention became available according to some documentation.
Now I have to wonder why for example the first 9.1 software releases don't have this. I would imagine it's somehow related to the above and also how Cisco updates its different software levels.
It does seem that you can't follow the logic that the bigger number is always the one that has everything. To be honest the versioning hasn't ever been really clear to me. Especially now when there are so many different hardware models in the ASA family. For example, I think 9.1(1) had already come out and they released 9.0(2) after that.
Here is a document about the compatibility of the different ASA software and hardware (not that it really helps with the issue you are having)
http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html
I can confirm that the mentioned command is available on my home ASA running 8.4(5). Booting up to 9.1(1) shows that the command isn't supported.
- Jouni
05-30-2013 02:18 PM
Yes, this behaviour is quite strange that some features from 8.4 are not available in 9.0. But at least it's clearly documented (from the release-notes):
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
12-16-2015 08:42 AM
Good find Karsten,
That would definitely be why you can't use that command in 3 out of 4 of your ASAs.
This question should now be considered answered.
05-30-2013 03:43 PM
Hello Everyone,
Good guess Jouni,
As he said, the problem is due to how the code releases were implemented,
As a fact: 8.6 and 9.0.1 were built from the 8.4.2 code train,
Regards,
Julio Carvajal
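As an added example (not code from any participant in this thread or from Cisco): a small Python script that parses the "show version | in Version" banner format pasted above and classifies each firewall according to the version observations reported in the posts, so a fleet can be triaged before the command is tried by hand. The fleet dictionary, the sample banners and the rule table are assumptions drawn only from what the thread reports (8.4(5) and 9.1(2) accept the command; 8.6(1)x, 9.0(x) and 9.1(1)x reject it because 8.6 and 9.0.1 come from the 8.4.2 train); any other release is reported as "unknown" rather than guessed, which is the point of keeping the rule table explicit.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample banners in the format shown in the thread.
# Hostnames and contents are made up for the example.
FLEET_SHOW_VERSION: Dict[str, str] = {
    "fw-a": "Cisco Adaptive Security Appliance Software Version 8.6(1)10\n"
            "Device Manager Version 7.1(2)\n",
    "fw-b": "Cisco Adaptive Security Appliance Software Version 9.1(1)8\n",
    "fw-c": "Cisco Adaptive Security Appliance Software Version 9.1(2)\n",
    "fw-d": "Cisco Adaptive Security Appliance Software Version 8.4(5)\n",
    "fw-e": "Cisco Adaptive Security Appliance Software Version 9.0(2)\n",
    "fw-f": "Device Manager Version 7.1(2)\n",  # ASA line missing: unparseable
}

# Matches e.g. "8.6(1)10" -> major 8, minor 6, maintenance 1, interim 10.
VERSION_RE = re.compile(
    r"Cisco Adaptive Security Appliance Software Version\s+"
    r"(?P<major>\d+)\.(?P<minor>\d+)\((?P<maint>\d+)\)(?P<interim>\d+)?"
)

Version = Tuple[int, int, int, int]


def parse_asa_version(show_version: str) -> Optional[Version]:
    """Extract (major, minor, maintenance, interim) from 'show version' output.

    Only the ASA software line is used; the ASDM (Device Manager) and BMC
    firmware lines carry their own version numbers and are ignored."""
    for line in show_version.splitlines():
        m = VERSION_RE.search(line)
        if m:
            return (int(m["major"]), int(m["minor"]), int(m["maint"]),
                    int(m["interim"] or 0))
    return None


def dhgroup14_support(version: Version) -> str:
    """Classify whether 'ssh key-exchange group dhgroup14' is expected to parse.

    The rules encode only what the thread reports (assumption: nothing beyond
    those observations is inferred):
      8.4(5)   accepted   (Jouni's home ASA; documentation cited in thread)
      8.6(1)x  rejected   (8.6 built from the 8.4.2 train, per Julio)
      9.0(x)   rejected   (9.0.1 built from the 8.4.2 train, per Julio)
      9.1(1)x  rejected   (original poster, Jouni)
      9.1(2)   accepted   (original poster)
    Everything else is 'unknown' so the operator verifies instead of assuming."""
    major, minor, maint, _interim = version
    if (major, minor) == (8, 4):
        return "supported" if maint >= 5 else "unknown"
    if (major, minor) in {(8, 6), (9, 0)}:
        return "unsupported"
    if (major, minor) == (9, 1):
        return "supported" if maint >= 2 else "unsupported"
    return "unknown"


def triage_fleet(fleet: Dict[str, str]) -> Dict[str, str]:
    """Map each hostname to 'supported', 'unsupported', 'unknown' or 'unparseable'."""
    report = {}
    for host, banner in fleet.items():
        version = parse_asa_version(banner)
        report[host] = "unparseable" if version is None else dhgroup14_support(version)
    return report


if __name__ == "__main__":
    for host, verdict in sorted(triage_fleet(FLEET_SHOW_VERSION).items()):
        print(f"{host}: {verdict}")
```

The "ERROR: % Invalid Hostname" in the original post is consistent with this: on a build without the keyword, the parser matches "key-exchange" against the "Hostname or A.B.C.D" option listed in the help output and rejects it as a bad hostname, which is why the caret sits under the first argument rather than under "ssh".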