This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
RUCKUS Self Help |   ASK the Pack
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ICX w/FI 9.0.10e SSH KEX Not Matching with ICX w/FI 8.0.90k

KennethDelaney
New Contributor II

‎07-19-2023 10:52 AM - edited ‎07-19-2023 10:59 AM

I am seeing issues with no matching SSH Key Exchange Algorithm (KEX) when attempting to SSH to/from an ICX with 9.0.10e and ICXs with 8.0.90k or 8.0.95g firmware.  I turned on debug for ssh on both ICXs and what I found is the following....

ICX 8.0.90k SSH to ICX 9.0.10e and I get no matching key exchange method found. Their offer diffie-hellman-group14-sha1, diffie-hellman-group1-sha1

ICX 9.0.10e SSH to ICX 8.0.90k and I get SSH: KEX Algorithm no match found

I thought that FI 9.0.10e supports diffie-hellman-group14-sha1 by default?

The end result is that any non-9.0.10e ICXs can ssh to each other, and 9.0.10e ICXs can ssh to each other, but you cannot ssh between the versions because SSH KEX issue.

 

Hitachi Vantara Federal
Network Engineer, RICX
0 Kudos
10 REPLIES 10

BenBeck
Moderator
Moderator
In response to KennethDelaney

‎07-24-2023 07:23 AM

Hey Kenneth, 

I checked on this. It is a known limitation. We upgraded to openssh in 9+ (different SSH prior to this). This actually breaks switch-to-switch SSH capability if going between 8.x and 9+. In order to do switch-to-switch, you will need to be on all 8.x or all 9+. With that said, you should have no problem using a regular SSH client (putty, teraterm, etc.) to manage your switches. 

 

 

Ben Beck, RCNA, RCNI, Principal Technical Support Engineer
support.ruckuswireless.com/contact-us
0 Kudos

KennethDelaney
New Contributor II

‎07-24-2023 06:40 AM

With 8.0.9x firmware I zeroized the RSA key so there should only now be the EC key, even though it doesn't display under #sh ip ssh config, and whenever I try to ssh between 8.0.9x and 9.0.10e/f it never connects because the 8.0.9x ssh negotiation is looking for RSA, not EC.

Hitachi Vantara Federal
Network Engineer, RICX
0 Kudos

Chandini
RUCKUS Team Member

‎12-08-2023 02:26 AM

Hi KennethDelaney

Adding to the post. The outbound SSH connection problem between 8095 and 9010 and above version is fixed in version 9010j and 10.0.10c

Please note there is no need for you to upgrade any devices which are running 8095 version but you might have to wait to upgrade the 8200 switches to 10.0.10c version or if you have devices running on 9010 versions they would be fixed in 9010j version

You might have to wait for release of 10.0.10c and 9010j version. 

Thanks 

0 Kudos

belsbree
New Contributor
In response to Chandini

‎07-15-2024 11:42 AM

Hi Chandini,

Just ran into this issue and found this thread. I upgraded a switch to 10.0.10c and still can't SSH between 10.0.10c and 8.0.95h. Strangely, the "debug ip ssh" command isn't even a usable command on the switch running 10.0.10c, and the "show who" command doesn't even show my ssh connection. Any ideas? 

0 Kudos

BenBeck
Moderator
Moderator
In response to belsbree

‎07-15-2024 12:03 PM - edited ‎07-15-2024 12:03 PM

Hey there, 

On the 10.x switch, you will need to allow the connection and add these commands:

ICX(config)#ip ssh host-key-method ssh-rsa

 

Ben Beck, RCNA, RCNI, Principal Technical Support Engineer
support.ruckuswireless.com/contact-us
0 Kudos
Copyright © 2024 Khoros, LLC