07-19-2023 10:52 AM - edited 07-19-2023 10:59 AM
I am seeing issues with no matching SSH Key Exchange Algorithm (KEX) when attempting to SSH to/from an ICX with 9.0.10e and ICXs with 8.0.90k or 8.0.95g firmware. I turned on debug for SSH on both ICXs and what I found is the following:
ICX 8.0.90k SSH to ICX 9.0.10e and I get "no matching key exchange method found. Their offer diffie-hellman-group14-sha1, diffie-hellman-group1-sha1".
ICX 9.0.10e SSH to ICX 8.0.90k and I get "SSH: KEX Algorithm no match found".
I thought that FI 9.0.10e supports diffie-hellman-group14-sha1 by default?
The end result is that any non-9.0.10e ICXs can SSH to each other, and 9.0.10e ICXs can SSH to each other, but you cannot SSH between the versions because of the SSH KEX issue.
07-19-2023 11:50 AM
Hey Kenneth,
I believe this is expected due to the upgraded SSH in 9.0.10d and onward. I think you can enable EC (elliptic curve key pair) on both ends as a workaround. I am not in front of a CLI right this second, but it should be something like this:
conf t
crypto key gen ec (tab through this for syntax options)
07-19-2023 12:15 PM
I configured two ICXs with "crypto key generate ec label testkey" (default size = 384). I still cannot negotiate a session between the two ICXs, one with 9.0.10f and one with 8.0.90k. I have not done any debugging yet.
Can I have both an rsa and ec key pair at the same time?
07-19-2023 12:17 PM
You can. 'show ip ssh config' should confirm. Can you try removing the non-EC?
07-19-2023 12:26 PM
When I do "sh ip ssh config" I see two host keys (RSA 2048, ECDSA) with 9.0.10f, but with 8.0.90k I see only one host key (RSA 2048) even though I see "crypto key generate ec label testkey" in the running config. So, for 8.0.90k it looks like it can only have one host key. I don't want to delete the RSA key at the moment since this is an operational switch. I may have to do further testing in a lab unless you have other recommendations.
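Added example, not code from this thread or from the switch vendor: the SSH name-list negotiation rule from RFC 4253 section 7.1 applied to the debug line quoted in the first post, showing that KEX and host-key type are chosen independently, so a new EC host-key pair cannot fill an empty KEX intersection. The 9.0.10e algorithm lists below are an assumption made up for illustration, not the switch's real output.

```python
import re

# Constructed name-lists. The 8.0.90k KEX list is taken from the debug line
# quoted in the thread; the 9.0.10e lists are an ASSUMPTION for illustration,
# not the switch's real output.
OLD_FW_KEX = ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"]
OLD_FW_HOSTKEY = ["ssh-rsa"]
NEW_FW_KEX = ["ecdh-sha2-nistp384", "ecdh-sha2-nistp256",
              "diffie-hellman-group14-sha256"]                       # assumed
NEW_FW_HOSTKEY = ["ecdsa-sha2-nistp384", "rsa-sha2-256", "ssh-rsa"]  # assumed

# The debug line as it appears in the thread (no colon after "offer").
DEBUG_LINE = ("no matching key exchange method found. "
              "Their offer diffie-hellman-group14-sha1, diffie-hellman-group1-sha1")


def parse_their_offer(line):
    """Extract the peer's comma-separated name-list from a 'Their offer' debug line."""
    m = re.search(r"[Tt]heir offer:?\s*(.+)$", line)
    if not m:
        raise ValueError("no 'Their offer' name-list in line")
    return [a.strip() for a in m.group(1).split(",") if a.strip()]


def negotiate(client_list, server_list):
    """RFC 4253 section 7.1 rule: the first name in the client's list that the
    server also lists wins; an empty intersection means the handshake fails."""
    server = set(server_list)
    for alg in client_list:
        if alg in server:
            return alg
    return None


def diagnose(client_kex, server_kex, client_hostkey, server_hostkey):
    """KEX and host-key types are negotiated independently in KEXINIT, so an
    added host-key pair (the EC workaround) cannot rescue an empty KEX set."""
    kex = negotiate(client_kex, server_kex)
    hostkey = negotiate(client_hostkey, server_hostkey)
    return {"kex": kex, "hostkey": hostkey,
            "ok": kex is not None and hostkey is not None}


if __name__ == "__main__":
    offered = parse_their_offer(DEBUG_LINE)
    print("8.0.90k offered KEX:", offered)
    # 8.0.90k as client -> 9.0.10e as server: host key agrees, KEX does not
    print(diagnose(offered, NEW_FW_KEX, OLD_FW_HOSTKEY, NEW_FW_HOSTKEY))
    # 9.0.10e as client -> 8.0.90k as server: same outcome in reverse
    print(diagnose(NEW_FW_KEX, OLD_FW_KEX, NEW_FW_HOSTKEY, OLD_FW_HOSTKEY))
```

Swapping in the real lists from each side's debug output tells you which of the two name-lists (KEX or host key) actually has no overlap before any keys are touched.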