Solved: Re: SSH from Cat9K to Firepower FTD Failing - No matching kex algorithm found

matty-boy · ‎09-07-2020

Hi,

I'm trying to SSH from a Cat9K switch to an firepower FTD.

From the client I get this output:

Switch#ssh -l admin X.X.X.X
[Connection to X.X.X.X aborted: error status 0]

I can ping it and I can telnet to port 22.

Debugging on the client switch shows this:

076735: Sep 7 2020 16:59:32.047 UTC: %SSH-3-NO_MATCH: No matching kex algorithm found: client diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 server curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256

Or to format it a little nicer:

-------------------------------

076735: Sep 7 2020 16:59:32.047 UTC: %SSH-3-NO_MATCH: No matching kex algorithm found:

client

diffie-hellman-group-exchange-sha1
diffie-hellman-group14-sha1

server

curve25519-sha256@libssh.org
ecdh-sha2-nistp521
ecdh-sha2-nistp384
ecdh-sha2-nistp256

-------------------------------

I don't have control of the FTD to make changes.

And I don't appear to be able to add any other algorithms to the client:

Switch(config)#ip ssh client algorithm kex ?
diffie-hellman-group-exchange-sha1 DH_GRPX_SHA1 diffie-hellman key exchange algorithm
diffie-hellman-group14-sha1 DH_GRP14_SHA1 diffie-hellman key exchange algorithm

Switch(config)#

Any ideas?

Thanks in advance,

Matt.

knaik · ‎12-07-2020

Hi,

Its not possible to SSH from Cat9K to FTD as the cipher suites does not match.

Debug on FTD:

fatal: Unable to negotiate with 10.3.62.3 port 37893: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]

Debug on Switch:

No matching mac found: client hmac-sha1,hmac-sha1-96 server hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com

View solution in original post

balaji.bandi · ‎09-07-2020

Can you post below output from Switch :

show version

show run | in crypto

show ip ssh

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

matty-boy · ‎09-07-2020

Thank you BB,

The switch is a C9407 running IOS XE 16.12.3s.

Switch#show run | inc crypto
crypto pki trustpoint SLA-TrustPoint
crypto pki trustpoint TP-self-signed-3661210606
crypto pki trustpoint DNAC-CA
crypto pki certificate chain SLA-TrustPoint
crypto pki certificate chain TP-self-signed-3661210606
crypto pki certificate chain DNAC-CA
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach

Switch#show ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-3661210606
ssh-rsa <key_omitted>

I'm attempting to SSH from this switch to the management interface of the Firepower FTD (Firepower 4115 chassis running FXOS 2.7 with FTD 6.5.0.3 running on top of that).

I can SSH from a Windows workstation and a Linux server no problem at all so the FTD, acting as the SSH server appears to be fine, other than the fact that it only supports ciphers that the switch, acting as the SSH client, does not support.

Thanks,

Matt.

matty-boy · ‎09-09-2020

Anybody have any idea how I can resolve this?

Thanks,

Matt.

Ruben Cocheno · ‎09-09-2020

@matty-boy

i don't believe that is supported, the only way is add other cyphers to the FTD if you want to managed that via the switch.

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/

matty-boy · ‎09-09-2020

Thank you Ruben,

I feared this might be the case. Very annoying if there is a problem with the FTD and you can't get onto it from usual management stations.

I have a TAC case open for this too so I'll report back here if there is a solution.

Ruben Cocheno · ‎09-11-2020

@matty-boy

i've seen simular issues, where a crypto zero and module 1024 doens't work either. TAC is the best way forward at this point.

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/

Georg Pauwen · ‎09-09-2020

Hello,

zeroize the RSA key and regenerate it with a lower (1024) modulus:

crypto key zeroize rsa
crypto key generate rsa modulus 1024

Or specify a key in the command line, e.g.:

ssh -l -c aes256-cbc admin@x.x.x.x

matty-boy · ‎09-10-2020

Hi Georg,

Thank you for your suggestions. I tried connecting with each option after the -c switch but these didn’t make any difference:

Switch#ssh -c ?

3des triple des

SSHv2 only cipher list:

aes128-cbc AES 128 bits

aes128-ctr AES-CTR 128 bits

aes192-cbc AES 192 bits

aes192-ctr AES-CTR 192 bits

aes256-cbc AES 256 bits

aes256-ctr AES-CTR 256 bits

I also tried using the -m option to change the HMAC algorithm but this didn’t help either ☹

Switch#ssh -m ?

SSHv2 Hmac list:

hmac-sha1-160 hmac-sha1 SHA1 based HMAC(160 bits)

hmac-sha1-96 SHA1 based HMAC(96 bits)

hmac-sha2-256 sha2 based HMAC(256 bits)

hmac-sha2-512 sha2 based HMAC(512 bits)

As I’m trying to connect to the mngt port of an FTD firewall, clearing the crypto key at the CLI of the FTD won’t make any difference as connecting to the mngt port connects you to a different control plane of the device and I can’t find a way to do similar on that.

I can SSH from this switch to other switches.

I can SSH from other devices (Windows or Linux) to the FTD.

Georg Pauwen · ‎09-10-2020

Hello,

did you also try a new RSA key with a 1024 modulus ?

knaik · ‎12-07-2020

Hi,

Its not possible to SSH from Cat9K to FTD as the cipher suites does not match.

Debug on FTD:

fatal: Unable to negotiate with 10.3.62.3 port 37893: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]

Debug on Switch:

No matching mac found: client hmac-sha1,hmac-sha1-96 server hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com

matty-boy · ‎12-07-2020

Hi @knaik,

Yep, TAC confirmed this to be the case too.

Thanks!