Showing results for 
Search instead for 
Did you mean: 

Announcement: ICX FastIron 08.0.30t is now available on Support

Esteemed Contributor II
     Our ICX FastIron developers and QAhave a new maintenance release with bug fixes.

This firmware runs on FCX, FSX, ICX – 6610, 6430/6450, 6650, 7250, 7450, 7750 models.


FastIron 08.0.30t Release Notes:


Ruckus ICX FastIron 08.0.30t Software Release (.zip):


MD5:  480cea85722d2c138c4df7cbb8d4b175


   Thanks and best regards,

We are an MSP and the end customer.

The issue is that my router is running a version of FreeBSD that dropped support for less secure SSH methods (Ruckus RIOT partner RG Nets rXg). When I try to SSH into my ICX6450-C12P, I get the following error: 

[admin@ ~]$ ssh admin@
Unable to negotiate with port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

I tried configuring the switch (via telnet) with the following:
telnet@sw3(config)#crypto key gen rsa modulus 2048

The command "ip ssh key-exchange-method" is not recognized, as I'm guessing this is not a "FCX device". 

Again, I'm running 80.0.30saT311 on this switch.

The other switches on this network are ICX 7250's running 08.0.80dT211. I am able to use SSH to communicate with them after running the "ip ssh key-exchange-method dh-group14-sha1" command.

This is a problem with my MacBook Pro connecting to  Cisco IOS 12.2 and below. I simply modified `/etc/ssh/ssh_config`. I assume it'll be just as easy for you to do that too.

New Contributor
Eric, as Jijo said it is highly unlikely to get the feature into 8030 patches unless there is a strong business case.

Contributor III

That said, you can use RSA 2048 bit for ssh authentication algorithm.

Separate topic.... you can and disable AES-CBC encryption, which meets the standard of the Joint Interoperability Test Command (JITC).  JITC is a United States military organization that tests technology pertaining to multiple branches of the armed services and the government.

ip ssh  encryption disable-aes-cbc

I am a bit surprised no option is available for a larger RSA modulus, either.  Many devices support 4096 bit RSA modulus.

Either way, RSA is slow to generate but faster than DSA to authenticate once configured.