03-05-2023 05:07 PM
Hello,
The following log appears on the 9800 device. Is there a cause and solution?
%CRYPTO_ENGINE-4-CSDL_
Model : C9800-40 2EA HA
Version : 17.6.5
03-06-2023 12:11 AM - edited 03-06-2023 05:44 AM
- Review the 9800 device configuration with the CLI command : show tech wireless , have the output analyzed by https://cway.cisco.com/
Also post the output of : show wireless mobility summary
M.
03-06-2023 12:32 AM
Looks to me like some SSH keys issue looking at the errors
can you post show IP ssh and show ssh ( also trust point config smart license here)
03-06-2023 07:04 AM - edited 03-06-2023 07:07 AM
So CSDL is the Cisco Secure Development Lifecycle. I cannot find the IOS changes well documented anywhere (there is a more general CSDL blog) but at some point recently they introduced these changes to IOS-XE to try to remove all use of legacy hashes and ciphers and only allow the latest and strongest. Suffice to say it was a disaster and prevented thousands of customers from upgrading IOS because it blocked all sorts of config which simply couldn't be updated overnight because of compatibility with other equipment and software which doesn't support the latest options. As a result numerous different bugs have raised to address this and eventually in 17.6.4 they warned (and created exceptions) but did not block most legacy config. Finally in 17.6.5 (also in 17.9.1) there is an undocumented (but still appears in numerous of Cisco's own config examples) line of config which completely disables CSDL (because it was still blocking a few odd things and they probably got tired of raising bugs to fix each one). The change is implemented by https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvy60839 and the line of config (not even mentioned in the bug itself) is "crypto engine compliance shield disable"
So on the one hand you should be moving to avoid using legacy (insecure) options like MD5/DES/3DES/SHA1 etc but in the meantime if you don't want to see those warnings then use that command. It usually requires a reload to take effect but if it's not causing you any problems you can configure it and wait till the next planned reload.
Note that the above is my opinions and what I've pieced together myself from various sources of info and observations and personal experience of half a router config disappearing when trying to upgrade before 17.6.4. It seems the feature was not thought through very well before adding to IOS-XE and there have been multiple rounds of clean-up ever since.
Also take a look at https://bst.cisco.com/bugsearch/bug/CSCvd45116 and make sure you are using SSH key with strong modulus (at least 2048 - recommend 4096).
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide