topic Re: ICX w/FI 9.0.10e SSH KEX Not Matching with ICX w/FI 8.0.90k in ICX Switches

ICX w/FI 9.0.10e SSH KEX Not Matching with ICX w/FI 8.0.90k

KennethDelaney — Wed, 19 Jul 2023 17:59:02 GMT

I am seeing issues with no matching SSH Key Exchange Algorithm (KEX) when attempting to SSH to/from an ICX with 9.0.10e and ICXs with 8.0.90k or 8.0.95g firmware. I turned on debug for ssh on both ICXs and what I found is the following....

ICX 8.0.90k SSH to ICX 9.0.10e and I get no matching key exchange method found. Their offer diffie-hellman-group14-sha1, diffie-hellman-group1-sha1

ICX 9.0.10e SSH to ICX 8.0.90k and I get SSH: KEX Algorithm no match found

I thought that FI 9.0.10e supports diffie-hellman-group14-sha1 by default?

The end result is that any non-9.0.10e ICXs can ssh to each other, and 9.0.10e ICXs can ssh to each other, but you cannot ssh between the versions because SSH KEX issue.

Re: ICX w/FI 9.0.10e SSH KEX Not Matching with ICX w/FI 8.0.90k

BenBeck — Wed, 19 Jul 2023 18:50:21 GMT

Hey Kenneth,

I believe this is expected due to upgraded SSH in 9010d and onward. I think you can enable EC (elliptical key pair) on both ends as a workaround. I am not in front of a CLI right this second, but it should be something like this:

conf t

crypto key gen ec (tab through this for syntax options)

Re: ICX w/FI 9.0.10e SSH KEX Not Matching with ICX w/FI 8.0.90k

KennethDelaney — Wed, 19 Jul 2023 19:15:01 GMT

I configured two ICXs with #crypto key generate ec label testkey (default size = 384). I still cannot negotiate session between the two ICXs, one with 9.0.10f and one with 8.0.90k. I have not done any debugging yet.

Can I have both an rsa and ec key pair at the same time?

Re: ICX w/FI 9.0.10e SSH KEX Not Matching with ICX w/FI 8.0.90k

BenBeck — Wed, 19 Jul 2023 19:17:00 GMT

You can. 'show ip ssh config' should confirm. Can you try removing the non-EC?

Re: ICX w/FI 9.0.10e SSH KEX Not Matching with ICX w/FI 8.0.90k

KennethDelaney — Wed, 19 Jul 2023 19:26:53 GMT

When I do "sh ip ssh config" I see two host keys (RSA 2048, ECDSA) with 9.0.10f but with 8.0.90k I see only one host key (RSA2048) even though I see "crypto key generate ec label testkey" in the running config. So, for 8.0.90k it looks like it can only have one host key. I don't want to delete the rsa key at the moment since this is operational switch. I may have to do further testing in a Lab unless you have other recommendations.

Re: ICX w/FI 9.0.10e SSH KEX Not Matching with ICX w/FI 8.0.90k

KennethDelaney — Mon, 24 Jul 2023 13:40:09 GMT

With 8.0.9x firmware I zeroized the RSA key so there should only now be the EC key, even though it doesn't display under #sh ip ssh config, and whenever I try to ssh between 8.0.9x and 9.0.10e/f it never connects because the 8.0.9x ssh negotiation is looking for RSA, not EC.

Re: ICX w/FI 9.0.10e SSH KEX Not Matching with ICX w/FI 8.0.90k

BenBeck — Mon, 24 Jul 2023 14:23:08 GMT

Hey Kenneth,

I checked on this. It is a known limitation. We upgraded to openssh in 9+ (different SSH prior to this). This actually breaks switch-to-switch SSH capability if going between 8.x and 9+. In order to do switch-to-switch, you will need to be on all 8.x or all 9+. With that said, you should have no problem using a regular SSH client (putty, teraterm, etc.) to manage your switches.

Re: ICX w/FI 9.0.10e SSH KEX Not Matching with ICX w/FI 8.0.90k

Chandini — Fri, 08 Dec 2023 10:26:34 GMT

Hi KennethDelaney

Adding to the post. The outbound SSH connection problem between 8095 and 9010 and above version is fixed in version 9010j and 10.0.10c

Please note there is no need for you to upgrade any devices which are running 8095 version but you might have to wait to upgrade the 8200 switches to 10.0.10c version or if you have devices running on 9010 versions they would be fixed in 9010j version

You might have to wait for release of 10.0.10c and 9010j version.

Thanks

Re: ICX w/FI 9.0.10e SSH KEX Not Matching with ICX w/FI 8.0.90k

belsbree — Mon, 15 Jul 2024 18:42:58 GMT

Hi Chandini,

Just ran into this issue and found this thread. I upgraded a switch to 10.0.10c and still can't SSH between 10.0.10c and 8.0.95h. Strangely, the "debug ip ssh" command isn't even a usable command on the switch running 10.0.10c, and the "show who" command doesn't even show my ssh connection. Any ideas?

Re: ICX w/FI 9.0.10e SSH KEX Not Matching with ICX w/FI 8.0.90k

BenBeck — Mon, 15 Jul 2024 19:03:24 GMT

Hey there,

On the 10.x switch, you will need to allow the connection and add these commands:

ICX(config)#ip ssh host-key-method ssh-rsa

Re: ICX w/FI 9.0.10e SSH KEX Not Matching with ICX w/FI 8.0.90k

belsbree — Tue, 16 Jul 2024 14:35:24 GMT

Hey Ben,

Thanks for the reply! I put this into the 10.x switch and still getting outbound connection failed. If you'd like, I can show debug results / any other command results that may help.