Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6463
Views
1
Helpful
15
Replies

Removing SSH Weak Ciphers SDWAN Router Controller Mode

billburns
Level 1
Level 1

‎01-04-2024 09:30 AM

On the SDWAN routers that are in controller mode, I need to remove HMAC-SHA1 from the list of options for SSH to connect. Is there a template that would be used to modify SSH, like a CLI template. I am looking to push the equivalent commands down to the routers.

ip ssh server algorithm mac hmac-sha2-256
ip ssh server algorithm encryption aes256-ctr
ip ssh server algorithm kex ecdh-sha2-nistp384

 

 

0 Helpful
15 Replies 15

Ruben Cocheno
Spotlight
Spotlight

‎01-04-2024 11:31 AM

@billburns 

Disable Weak SSH Encryption Algorithms on Cisco SD-WAN Manager Using CLI

  1. From the Cisco SD-WAN Manager menu, choose Tools > SSH Terminal.

  2. Choose the Cisco SD-WAN Manager device on which you wish to disable weaker SSH algorithms.

  3. Enter the username and password to log in to the device.

  4. Enter SSH server mode.

    vmanage# config terminal
    vmanage(config)# system
    vmanage(config-system)# ssh-server

  5. Do one of the following to disable an SSH encryption algorithm:

    • Disable SHA-1:

      1. vmanage(config-ssh-server)# no kex-algo sha1
      2. vmanage(config-ssh-server)# commit

        The following warning message is displayed:

        The following warnings were generated:
'system ssh-server kex-algo sha1': WARNING: Please ensure all your edges run code version > 18.4.6 which negotiates better than SHA1 with vManage. Otherwise those edges may become offline.
Proceed? [yes,no] yes

      3. Ensure that any Cisco vEdge devices in the network are running Cisco SD-WAN Release 18.4.6 or later and enter yes.

    • Disable AES-128 and AES-192:

      1. vmanage(config-ssh-server)# no cipher aes-128-192
      2. vmanage(config-ssh-server)# commit

        The following warning message is displayed:

        The following warnings were generated:
'system ssh-server cipher aes-128-192': WARNING: Please ensure all your edges run code version > 18.4.6 which negotiates better than AES-128-192 with vManage. Otherwise those edges may become offline.
Proceed? [yes,no] yes

      3. Ensure that any Cisco vEdge devices in the network are running Cisco SD-WAN Release 18.4.6 or later and enter yes.

Verify that Weak SSH Encryption Algorithms Are Disabled on Cisco SD-WAN Manager Using the CLI

  1. From the Cisco SD-WAN Manager menu, choose Tools > SSH Terminal.

  2. Select the Cisco SD-WAN Manager device you wish to verify.

  3. Enter the username and password to log in to the device.

  4. Run the following command:

    show running-config system ssh-server

  5. Confirm that the output shows one or more of the commands that disable weaker encryption algorithms:

    • no cipher aes-128-192

    • no kex-algo sha1

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/
0 Helpful

billburns
Level 1
Level 1

‎01-04-2024 12:20 PM

Thank you for the link.  Does it matter that these devices are cEdge and not vEdge like the document references? I log into vManage SSH Terminal with a local account but still can not issue "config t" because the router is in Controller Mode. My vManage is 20.10.1 and my cEdges are 17.9.3a. 

0 Helpful

Kanan Huseynli
VIP
VIP

‎01-05-2024 02:34 PM - edited ‎01-05-2024 02:43 PM

Hi,

use CLI-add on template, copy paste regular CLI commands and add this CLI-add on template to device template.

Push new config and re-check. Below are commands that you mentioned:

ip ssh server algorithm mac hmac-sha2-256
ip ssh server algorithm encryption aes256-ctr
ip ssh server algorithm kex ecdh-sha2-nistp384

This is the method to push supported commands to devices which are not directly supported by feature templates. But I didn't find them in qualified command list. You may try, just be careful if it is production environment.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

0 Helpful

billburns
Level 1
Level 1
In response to Kanan Huseynli

‎01-09-2024 07:26 AM

Thanks Kanan.  This was my original thought but I didnt find the commands in the qualified command list.   I figured I ask here first because my deployment doesnt have a test site to test features like this.

0 Helpful

Kanan Huseynli
VIP
VIP
In response to billburns

‎01-09-2024 12:54 PM

I checked on 20.13 controller with 17.11 CSR8000v:

KananHuseynli_0-1704833171551.png

KananHuseynli_2-1704833207923.png

Even though in show run all I see lots of related default commands, there is no way to modify this list right now.

Because these commands are pure autonomous mode commands:

KananHuseynli_3-1704833623633.png

 

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

0 Helpful

billburns
Level 1
Level 1
In response to Kanan Huseynli

‎01-12-2024 03:02 PM

Thanks for going the extra mile and loading up 20.13 and 17.11. This is what I love about this community. 

I opened up a TAC case just to hear it from Cisco and now I have documentation. There is a bug with SDWAN and not being about to change SSH settings. 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwh76478

 

Kanan Huseynli
VIP
VIP
In response to billburns

‎01-12-2024 10:15 PM

Yes, exactly. Either non-supported feature in controller mode (basically, coded like that) or as you mentioned it is bug that it is not supported. And now based on link we understand that lack of feature is in reality related to bug.

Thanks for sharing answer from TAC.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

0 Helpful

BrianRoberson
Level 1
Level 1
In response to Kanan Huseynli

‎04-03-2025 07:24 AM - edited ‎04-03-2025 09:59 AM

Could you point me to the link for the qualified command list for CLI-Add on templates?  --nm found it.

the ip ssh server algorithm as noted isn't supported in CLI mode yet.. Guessing the enhacement request will need to be approved and implemented.

0 Helpful

mikehaynes5@gmail.com
Level 1
Level 1

‎02-16-2024 05:10 AM

Hey guys, i opened a TAC as well. They have placed an enhancement order. Hopefully we'll here something soon.  

0 Helpful

mikehaynes5@gmail.com
Level 1
Level 1

‎04-28-2025 12:45 PM

How has there not been an update on this enhancement Cisco? This has occurred since beginning of 2024. Do we have a projection on which version this will be resolved at least? 

0 Helpful

aarato
Level 1
Level 1

‎06-12-2025 01:24 PM

+1 for getting this fixed. The routers are failing the audit because they come with deprecated algos and key exchanges.

0 Helpful

mikehaynes5@gmail.com
Level 1
Level 1

‎08-21-2025 02:00 PM

Well my friends. Its available now but is an ES version. 17.16.1a presents the needed commands to modify the cipher suite. So far i've only seen it on 8K series routers and its pretty buggy so do not deploy it in production. 

0 Helpful

aarato
Level 1
Level 1

‎08-21-2025 04:22 PM

Yes, I can confirm that it's available starting with 17.16.1a and the next gold release is said to be 17.18.X with that feature set. Sadly it's not going to be a quick fix. We asked for an engineering release. They should really put this in 17.15 gold release.

0 Helpful
Customers Also Viewed These Support Documents