09-07-2020 10:09 AM
Hi,
I'm trying to SSH from a Cat9K switch to a Firepower FTD.
From the client I get this output:
Switch#ssh -l admin X.X.X.X
[Connection to X.X.X.X aborted: error status 0]
I can ping it and I can telnet to port 22.
Debugging on the client switch shows this:
076735: Sep 7 2020 16:59:32.047 UTC: %SSH-3-NO_MATCH: No matching kex algorithm found: client diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 server curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
Or to format it a little nicer:
-------------------------------
076735: Sep 7 2020 16:59:32.047 UTC: %SSH-3-NO_MATCH: No matching kex algorithm found:
client
diffie-hellman-group-exchange-sha1
diffie-hellman-group14-sha1
server
curve25519-sha256@libssh.org
ecdh-sha2-nistp521
ecdh-sha2-nistp384
ecdh-sha2-nistp256
-------------------------------
I don't have control of the FTD to make changes.
And I don't appear to be able to add any other algorithms to the client:
Switch(config)#ip ssh client algorithm kex ?
diffie-hellman-group-exchange-sha1 DH_GRPX_SHA1 diffie-hellman key exchange algorithm
diffie-hellman-group14-sha1 DH_GRP14_SHA1 diffie-hellman key exchange algorithm
Switch(config)#
Any ideas?
Thanks in advance,
Matt.
Solved! Go to Solution.
12-07-2020 05:55 AM - edited 12-07-2020 06:00 AM
Hi,
It's not possible to SSH from Cat9K to FTD as the cipher suites do not match.
Debug on FTD:
fatal: Unable to negotiate with 10.3.62.3 port 37893: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
Debug on Switch:
No matching mac found: client hmac-sha1,hmac-sha1-96 server hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
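The two debug lines quoted in this thread, checked the way RFC 4253 picks an algorithm (an added example, not part of any post; the function names and the sample list are constructed here from the lines above):

```python
import re

# Constructed from the two debug lines quoted in the thread (timestamp dropped).
SAMPLE_LINES = [
    "%SSH-3-NO_MATCH: No matching kex algorithm found: client "
    "diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 server "
    "curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,"
    "ecdh-sha2-nistp256",
    "No matching mac found: client hmac-sha1,hmac-sha1-96 server "
    "hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,"
    "hmac-sha2-512-etm@openssh.com",
]

# Accepts both spellings seen on the page: "kex algorithm found" and "mac found".
NO_MATCH = re.compile(
    r"No matching (?P<kind>\w+)(?: algorithm)? found:\s*"
    r"client (?P<client>\S+) server (?P<server>\S+)"
)

def negotiate(client, server):
    """RFC 4253 section 7.1, simplified: the first name on the client's
    list that the server also offers wins; None means the handshake fails."""
    offered = set(server)
    return next((alg for alg in client if alg in offered), None)

def explain(line):
    """Parse one 'No matching ... found' line; return None if it is not one."""
    m = NO_MATCH.search(line)
    if m is None:
        return None
    client = m["client"].split(",")
    server = m["server"].split(",")
    return {
        "kind": m["kind"],
        "chosen": negotiate(client, server),
        "client_only": [a for a in client if a not in server],
        "server_only": [a for a in server if a not in client],
    }

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        r = explain(line)
        print(f"{r['kind']}: chosen={r['chosen']}")
        print("  client offers only:", ", ".join(r["client_only"]))
        print("  server offers only:", ", ".join(r["server_only"]))
```

Both lists are disjoint for kex and for MAC, so the connection fails before authentication regardless of credentials or host key size.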
09-07-2020 10:32 AM
Can you post the output below from the switch:
show version
show run | in crypto
show ip ssh
09-07-2020 11:19 AM
Thank you BB,
The switch is a C9407 running IOS XE 16.12.3s.
Switch#show run | inc crypto
crypto pki trustpoint SLA-TrustPoint
crypto pki trustpoint TP-self-signed-3661210606
crypto pki trustpoint DNAC-CA
crypto pki certificate chain SLA-TrustPoint
crypto pki certificate chain TP-self-signed-3661210606
crypto pki certificate chain DNAC-CA
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
Switch#show ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-3661210606
ssh-rsa <key_omitted>
I'm attempting to SSH from this switch to the management interface of the Firepower FTD (Firepower 4115 chassis running FXOS 2.7 with FTD 6.5.0.3 running on top of that).
I can SSH from a Windows workstation and a Linux server with no problem at all, so the FTD, acting as the SSH server, appears to be fine, other than the fact that it only supports ciphers that the switch, acting as the SSH client, does not support.
Thanks,
Matt.
09-09-2020 02:05 AM
Anybody have any idea how I can resolve this?
Thanks,
Matt.
09-09-2020 05:11 PM
I don't believe that is supported; the only way is to add other ciphers to the FTD if you want to manage that via the switch.
09-09-2020 11:23 PM
Thank you Ruben,
I feared this might be the case. Very annoying if there is a problem with the FTD and you can't get onto it from usual management stations.
I have a TAC case open for this too so I'll report back here if there is a solution.
09-11-2020 06:37 AM
I've seen similar issues, where a crypto zero and module 1024 doesn't work either. TAC is the best way forward at this point.
09-09-2020 11:51 PM
Hello,
Zeroize the RSA key and regenerate it with a lower (1024) modulus:
crypto key zeroize rsa
crypto key generate rsa modulus 1024
Or specify a key in the command line, e.g.:
ssh -l admin -c aes256-cbc x.x.x.x
09-10-2020 05:45 AM
09-10-2020 02:29 PM
Hello,
Did you also try a new RSA key with a 1024 modulus?
12-07-2020 07:51 AM