Cisco Employee

Failing to Fetch Host Keys

Hi all,

Has anyone encountered this issue before?

My configuration:

devices device loncaf-vpn-cluster-1
 address loncaf-vpn-cluster-1.cisco.com port 22
 device-type cli ned-id cisco-asa protocol ssh
 authgroup nso-prd
 state admin-state unlocked


I am attempting to run ssh fetch-host-keys after committing, using the NSO CLI; however, I get the following message:

dretaylo@ncs(config-device-loncaf-vpn-cluster-1)# ssh fetch-host-keys
result failed
info Failed to connect to device loncaf-vpn-cluster-1: No supported SSH key exchange algorithms

Any help would be appreciated!

Sincerely,

Drew

Cisco Employee

Re: Failing to Fetch Host Keys

Unfortunately the above doesn't seem to be a fix, as I am seeing:

-----BEGIN RSA PRIVATE KEY-----

in my ssh_host_rsa_key file.

Could there be an issue if this seems to be coming solely from devices which are ASA OS on FPR hardware?

I don't have the issue with the rest of my fleet, which are all ASAs on ASA hardware.

Cisco Employee (Accepted Solution)

Re: Failing to Fetch Host Keys

This is related to the same issue. NSO tightened up the key exchange algorithms it supports, and that causes problems with some devices which use older algorithms. There are a few possibilities: one is to configure the ASA to use more modern algorithms (not sure if this is possible on ASA, I know it is possible on some devices), another is to try a newer NSO where the requirements have been relaxed slightly again.

Cisco Employee

Re: Failing to Fetch Host Keys

Hi Viktor,

You are awesome!!! Thank you so much for leading me to the answer! (And nice talking to you again.)

This is way over my head; however, I needed to change the ssh key-exchange on the ASAs.

Do you know why I am able to use the ssh key-exchange algorithm "dh-group1-sha1" or "dh-group14-sha1" but cannot use "dh-group14-sha256" on the ASA?

Thanks again!

Drew

Cisco Employee

Re: Failing to Fetch Host Keys

What version are you running on your ASAs? It looks like support for dh-group14-sha256 was added in version 9.12, so if you are running an older version than that the option won't be available.
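The negotiation failure Viktor describes (NSO dropping the SHA-1 Diffie-Hellman groups, the ASA offering nothing else) and the fix Drew applied (enabling a SHA-256 group on the ASA side) can be reproduced offline. The following is an added example, not code from the thread, from NSO or from Cisco: it builds and parses an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) and runs the standard kex negotiation rule, first client algorithm that the server also lists wins. The client list and both device lists are constructed for illustration and are not NSO's or the ASA's actual algorithm lists; only the algorithm names themselves are real IANA identifiers, which the ASA CLI spells dh-group1-sha1, dh-group14-sha1 and dh-group14-sha256.

```python
"""Parse an SSH_MSG_KEXINIT payload and run the RFC 4253 kex negotiation.

Added example, not part of the thread: it reproduces the "No supported SSH
key exchange algorithms" failure from the original post with constructed data
and shows why enabling a SHA-256 group on the device side fixes it.
"""
import struct

SSH_MSG_KEXINIT = 20

# Constructed client list, standing in for a hardened NSO build that no longer
# offers the SHA-1 Diffie-Hellman groups (assumption, not NSO's actual list).
MODERN_CLIENT_KEX = [
    "curve25519-sha256",
    "ecdh-sha2-nistp256",
    "diffie-hellman-group14-sha256",
    "diffie-hellman-group16-sha512",
]

# Constructed device lists (not captured from a real ASA). Names follow the
# IANA registry; the ASA CLI spells them dh-group1-sha1 / dh-group14-sha1 /
# dh-group14-sha256.
LEGACY_ASA_KEX = ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"]
UPDATED_ASA_KEX = ["diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1"]


def _name_list(names):
    """Encode an SSH name-list: uint32 length + comma-separated names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(kex, host_key=("ssh-rsa",), cipher=("aes128-ctr",),
                  mac=("hmac-sha2-256",), compression=("none",)):
    """Build a minimal SSH_MSG_KEXINIT payload (RFC 4253 section 7.1)."""
    cookie = b"\x00" * 16  # constructed; a real peer sends 16 random bytes
    lists = [kex, host_key, cipher, cipher, mac, mac,
             compression, compression, (), ()]  # language lists left empty
    body = b"".join(_name_list(names) for names in lists)
    return (bytes([SSH_MSG_KEXINIT]) + cookie + body
            + b"\x00"                 # first_kex_packet_follows = FALSE
            + struct.pack(">I", 0))   # reserved, always 0


def parse_kexinit(payload):
    """Return the ten name-lists of a KEXINIT payload as a dict.

    Raises ValueError on a malformed packet so a truncated or non-KEXINIT
    message is never mistaken for an empty algorithm list.
    """
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 17  # skip message id and 16-byte cookie
    fields = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
    out = {}
    for name in fields:
        if off + 4 > len(payload):
            raise ValueError("truncated name-list length for %s" % name)
        (length,) = struct.unpack_from(">I", payload, off)
        off += 4
        if off + length > len(payload):
            raise ValueError("truncated name-list for %s" % name)
        raw = payload[off:off + length].decode("ascii")
        off += length
        out[name] = raw.split(",") if raw else []
    if off + 5 > len(payload):
        raise ValueError("missing first_kex_packet_follows/reserved fields")
    return out


def negotiate_kex(client_kex, server_kex):
    """RFC 4253 section 7.1: first client algorithm the server also lists wins."""
    server = set(server_kex)
    for alg in client_kex:
        if alg in server:
            return alg
    return None


def diagnose(client_kex, server_payload):
    """Report the chosen kex, or the failure together with both offers."""
    server_kex = parse_kexinit(server_payload)["kex"]
    chosen = negotiate_kex(client_kex, server_kex)
    if chosen:
        return "ok: %s" % chosen
    return ("No supported SSH key exchange algorithms; device offers %s, "
            "client accepts %s" % (",".join(server_kex), ",".join(client_kex)))


if __name__ == "__main__":
    print(diagnose(MODERN_CLIENT_KEX, build_kexinit(LEGACY_ASA_KEX)))
    print(diagnose(MODERN_CLIENT_KEX, build_kexinit(UPDATED_ASA_KEX)))
```

Run as a script, the first line mirrors the NSO error from the original post and the second shows the handshake succeeding once diffie-hellman-group14-sha256 is in the device's list. Against a live device the same check is done by capturing the server's KEXINIT (for example with `ssh -vv`, which prints both peers' kex proposals) and feeding it to `parse_kexinit`; the diagnostic prints both lists precisely so that the side lacking a common algorithm is visible, which is the information the one-line NSO message omits.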