Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3430
Views
4
Helpful
3
Replies

C9800-40 Crypto Log

김성진
Level 1
Level 1

‎03-05-2023 05:07 PM

Hello,

The following log appears on the 9800 device. Is there a cause and solution?

%CRYPTO_ENGINE-4-CSDL_COMPLIANCE_RSA_WEAK_KEYS: RSA keypair CISCO_IDEVID_SUDI_LEGACY is in violation of Cisco security compliance guidelines and will be rejected by future releases.

Model : C9800-40 2EA HA

Version : 17.6.5

 

3 people had this problem
Labels:
0 Helpful
3 Replies 3

marce1000
VIP
VIP

‎03-06-2023 12:11 AM - edited ‎03-06-2023 05:44 AM

 

  -  Review the 9800   device configuration with the CLI command : show  tech   wireless , have the output analyzed by  https://cway.cisco.com/tools/WirelessAnalyzer/  , please note do not use classical show tech-support (short version) , use the command denoted in green for Wireless Analyzer.               You may get more insights as to where this message  is applicable , or why it occurs , 
                                      Also post the output of :  show wireless mobility summary

M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame

‎03-06-2023 12:32 AM

Looks to me like some SSH keys issue looking at the errors

can you post show IP ssh and show ssh  ( also trust point config smart license here)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Rich R
VIP
VIP

‎03-06-2023 07:04 AM - edited ‎03-06-2023 07:07 AM

So CSDL is the Cisco Secure Development Lifecycle.  I cannot find the IOS changes well documented anywhere (there is a more general CSDL blog) but at some point recently they introduced these changes to IOS-XE to try to remove all use of legacy hashes and ciphers and only allow the latest and strongest.  Suffice to say it was a disaster and prevented thousands of customers from upgrading IOS because it blocked all sorts of config which simply couldn't be updated overnight because of compatibility with other equipment and software which doesn't support the latest options.  As a result numerous different bugs have raised to address this and eventually in 17.6.4 they warned (and created exceptions) but did not block most legacy config.  Finally in 17.6.5 (also in 17.9.1) there is an undocumented (but still appears in numerous of Cisco's own config examples) line of config which completely disables CSDL (because it was still blocking a few odd things and they probably got tired of raising bugs to fix each one).  The change is implemented by https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvy60839 and the line of config (not even mentioned in the bug itself) is "crypto engine compliance shield disable"

So on the one hand you should be moving to avoid using legacy (insecure) options like MD5/DES/3DES/SHA1 etc but in the meantime if you don't want to see those warnings then use that command.  It usually requires a reload to take effect but if it's not causing you any problems you can configure it and wait till the next planned reload.

Note that the above is my opinions and what I've pieced together myself from various sources of info and observations and personal experience of half a router config disappearing when trying to upgrade before 17.6.4.  It seems the feature was not thought through very well before adding to IOS-XE and there have been multiple rounds of clean-up ever since.

Also take a look at https://bst.cisco.com/bugsearch/bug/CSCvd45116 and make sure you are using SSH key with strong modulus (at least 2048 - recommend 4096).

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card