ICX w/FI 9.0.10e SSH KEX Not Matching with ICX w/FI 8.0.90k

KennethDelaney
New Contributor II

I am seeing issues with no matching SSH Key Exchange Algorithm (KEX) when attempting to SSH to/from an ICX with 9.0.10e and ICXs with 8.0.90k or 8.0.95g firmware. I turned on debug for ssh on both ICXs and what I found is the following:

ICX 8.0.90k SSH to ICX 9.0.10e and I get no matching key exchange method found. Their offer diffie-hellman-group14-sha1, diffie-hellman-group1-sha1

ICX 9.0.10e SSH to ICX 8.0.90k and I get SSH: KEX Algorithm no match found

I thought that FI 9.0.10e supports diffie-hellman-group14-sha1 by default?

The end result is that any non-9.0.10e ICXs can ssh to each other, and 9.0.10e ICXs can ssh to each other, but you cannot ssh between the versions because of the SSH KEX issue.


Hitachi Vantara Federal
Network Engineer, RICX

BenBeck
Moderator

Hey Kenneth, 

I believe this is expected due to upgraded SSH in 9010d and onward. I think you can enable EC (elliptical key pair) on both ends as a workaround. I am not in front of a CLI right this second, but it should be something like this:

conf t

crypto key gen ec (tab through this for syntax options)


Ben Beck, RCNA, RCNI, Principal Technical Support Engineer
support.ruckuswireless.com/contact-us

KennethDelaney
New Contributor II

I configured two ICXs with #crypto key generate ec label testkey (default size = 384). I still cannot negotiate a session between the two ICXs, one with 9.0.10f and one with 8.0.90k. I have not done any debugging yet.

Can I have both an rsa and ec key pair at the same time?

Hitachi Vantara Federal
Network Engineer, RICX

You can. 'show ip ssh config' should confirm. Can you try removing the non-EC?

Ben Beck, RCNA, RCNI, Principal Technical Support Engineer
support.ruckuswireless.com/contact-us

KennethDelaney
New Contributor II

When I do "sh ip ssh config" I see two host keys (RSA 2048, ECDSA) with 9.0.10f, but with 8.0.90k I see only one host key (RSA 2048) even though I see "crypto key generate ec label testkey" in the running config. So, for 8.0.90k it looks like it can only have one host key. I don't want to delete the RSA key at the moment since this is an operational switch. I may have to do further testing in a lab unless you have other recommendations.


Hitachi Vantara Federal
Network Engineer, RICX
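The two failure modes in this thread, "no matching key exchange method found" in the first post and the host-key question in the later posts, are both outcomes of the same negotiation rule from RFC 4253 section 7.1: each algorithm class (KEX, host key, cipher, MAC) is negotiated independently, and the winner is the first entry in the client's list that the server also lists. The example below is added here to make that visible; it is not Ruckus or ICX code. The only algorithm list taken from the thread is the legacy KEX offer (diffie-hellman-group14-sha1, diffie-hellman-group1-sha1); the "modern" lists and the RSA-only host-key list are constructed assumptions about what a hardened SSH stack might advertise, not what FI 9.0.10e or 8.0.90k actually send.

```python
# Added example (not from the original thread, not Ruckus/ICX code):
# RFC 4253 section 7.1 algorithm negotiation, applied to the KEX and
# host-key mismatch described above.  All name-lists are constructed for
# illustration; only LEGACY_SIDE["kex"] is taken from the thread's debug
# output.  The "modern" lists are an assumption, not the 9.0.10e defaults.
from typing import Dict, List, Optional


def parse_name_list(raw: str) -> List[str]:
    """Split an SSH name-list (comma-separated names, RFC 4251 section 5)."""
    return [name.strip() for name in raw.split(",") if name.strip()]


def negotiate(client: List[str], server: List[str]) -> Optional[str]:
    """RFC 4253 section 7.1: choose the first algorithm in the *client's*
    preference order that the server also supports.  None is exactly the
    'no match found' condition that aborts the handshake."""
    supported = set(server)
    for name in client:
        if name in supported:
            return name
    return None


# Constructed KEXINIT fragments for the two sides of a session.
LEGACY_SIDE: Dict[str, str] = {
    "kex": "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1",  # from the thread
    "host_key": "ssh-rsa",                                            # assumed: RSA host key only
}
MODERN_SIDE: Dict[str, str] = {
    "kex": "curve25519-sha256,ecdh-sha2-nistp384,diffie-hellman-group14-sha256",  # assumed
    "host_key": "ecdsa-sha2-nistp384,rsa-sha2-256",                                # assumed
}

ALGORITHM_CLASSES = ("kex", "host_key")


def diagnose(client: Dict[str, str], server: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Negotiate each algorithm class separately and report the outcome.
    A None for any class means the session cannot be established, even if
    every other class negotiated successfully."""
    return {
        cls: negotiate(parse_name_list(client[cls]), parse_name_list(server[cls]))
        for cls in ALGORITHM_CLASSES
    }


def common_ground(client: Dict[str, str], server: Dict[str, str]) -> Dict[str, List[str]]:
    """List every algorithm both sides share, per class, in client order.
    An empty list pinpoints the class that has to change on one side
    before the two firmware versions can talk to each other."""
    out: Dict[str, List[str]] = {}
    for cls in ALGORITHM_CLASSES:
        shared = set(parse_name_list(server[cls]))
        out[cls] = [n for n in parse_name_list(client[cls]) if n in shared]
    return out


if __name__ == "__main__":
    print("legacy -> modern:", diagnose(LEGACY_SIDE, MODERN_SIDE))
    print("modern -> legacy:", diagnose(MODERN_SIDE, LEGACY_SIDE))
    print("shared:", common_ground(LEGACY_SIDE, MODERN_SIDE))
    # Constructed scenario: the legacy side gains an ECDSA host key (the
    # workaround suggested in the thread) but its KEX list is unchanged.
    with_ec = dict(LEGACY_SIDE, host_key="ssh-rsa,ecdsa-sha2-nistp384")
    print("legacy+EC -> modern:", diagnose(with_ec, MODERN_SIDE))
```

In the constructed scenario, adding an EC host key turns the host-key class green while the KEX class still returns None, which is the pattern the second post reports: an EC key pair changes what the device can *sign* with, not which key-exchange methods it *offers*, so a KEX-class mismatch needs a shared KEX algorithm on at least one side. Running `diagnose` both ways also shows why the failure is symmetric: whichever side initiates, the intersection of the two KEX lists is empty.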