08-11-2009 07:15 PM - edited 03-06-2019 07:12 AM
I have a situation where a client has a mixed vendor network. The client needs to be able to open SSH v2 sessions from one device to another in a "hop-to-hop" situation in case of faults.
The issue arises when trying to SSH from a cat6500 to a Nortel 8600, where basically the SSH connection fails. If using SSH v1, the connection works; if using another SSH client to connect with SSH v2 to the Nortel, the connection succeeds. However, using the inbuilt SSH client on the cat6500 fails with a "SSH CLIENTTO: key exchenge failure (code = 0)" in the Cisco debug and a "SSH ERROR no hostkey alg" in the Nortel log.
Attached is a text file showing some of the debug output and log output from both devices.
The 6500 is running s222-ipservicesk9_wan-mz.122-18.SXF8.bin.
Any help would be appreciated. Including the fact I may have missed something obvious.
Note: I have a Nortel colleague also looking into this.
Cheers
Rob
08-12-2009 04:41 PM
Ok, I looked into this further.
The reason is that DSA-based keys are not supported by IOS SSH. Nortel does not support RSA-based keys for SSH, and hence SSH from Cisco devices does not work.
There is an enhancement request for DSA support on Cisco devices:
CSCej86682 Crypto: DSA is not supported in IOS
There is no ETA as far as when this will be fixed. But it will.
Let me know if you have other questions in order to resolve this post.
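To make the accepted answer's point concrete: in SSHv2 both sides exchange KEXINIT name-lists (RFC 4253, section 7.1) and the host-key algorithm chosen is the first entry in the client's list that the server also offers; if the IOS client only lists ssh-rsa and the Nortel server only ssh-dss, no choice exists and the session is torn down before any authentication, which is what "no hostkey alg" in the Nortel log reports. The following is an added Python example, not code from this thread or from either vendor; the algorithm lists are constructed to model the thread's scenario, and the "PuTTY" client is likewise a constructed stand-in for a client that offers both key types.

```python
import struct

# RFC 4253 section 7.1: SSH_MSG_KEXINIT = byte(20), cookie[16], then ten name-lists,
# a boolean first_kex_packet_follows and a reserved uint32.
KEXINIT_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)

def build_kexinit(fields):
    """Encode a KEXINIT payload from a dict of name-lists (used here to construct test data)."""
    out = bytes([20]) + bytes(16)  # message id plus an all-zero cookie (fine for an offline model)
    for name in KEXINIT_FIELDS:
        body = ",".join(fields.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(body)) + body
    return out + b"\x00" + struct.pack(">I", 0)

def parse_kexinit(payload):
    """Decode a KEXINIT payload into a dict of name-lists; raises ValueError if malformed."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, fields = 17, {}
    for name in KEXINIT_FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list body")
        fields[name] = [a for a in payload[pos:pos + n].decode("ascii").split(",") if a]
        pos += n
    return fields

def choose_hostkey(client_algs, server_algs):
    """RFC 4253 rule: first entry of the client's list that the server also offers, else None."""
    return next((a for a in client_algs if a in server_algs), None)

def diagnose(client_kexinit, server_kexinit):
    """Report both host-key lists and the negotiated algorithm (None means 'no hostkey alg')."""
    c = parse_kexinit(client_kexinit)["server_host_key_algorithms"]
    s = parse_kexinit(server_kexinit)["server_host_key_algorithms"]
    return {"client": c, "server": s, "chosen": choose_hostkey(c, s)}

# Constructed data modelling the thread: an IOS client that only offers RSA host keys,
# a Nortel server that only offers DSA, and a third-party client that offers both.
KEX = ["diffie-hellman-group1-sha1"]
IOS_CLIENT = build_kexinit({"kex_algorithms": KEX, "server_host_key_algorithms": ["ssh-rsa"]})
NORTEL_SERVER = build_kexinit({"kex_algorithms": KEX, "server_host_key_algorithms": ["ssh-dss"]})
PUTTY_CLIENT = build_kexinit({"kex_algorithms": KEX, "server_host_key_algorithms": ["ssh-rsa", "ssh-dss"]})

if __name__ == "__main__":
    print(diagnose(IOS_CLIENT, NORTEL_SERVER))    # chosen: None      -> key exchange fails
    print(diagnose(PUTTY_CLIENT, NORTEL_SERVER))  # chosen: 'ssh-dss' -> third-party client works
```

Feeding a KEXINIT captured from a real session into parse_kexinit shows which host-key types each side actually advertises, which is a quicker way to confirm this class of mismatch than reading vendor debug output.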
08-11-2009 09:17 PM
There is a bug for this:
CSCsm76370 Unable to SSHv2 to Nortel switch (from cisco device)
The Cisco device is sending the correct version ID for both v1 and v2, hence the problem is not with Cisco.
Cisco SSH is working fine with all the other clients like PuTTY, OpenSSH and others.
Hence, the problem is with the Nortel switch; this is why this defect is in a closed state.
Nortel have been notified in the past, you can work on this with them, if you need to pursue this further.
08-12-2009 02:38 PM
Thanks for the info and bug ID.
Unfortunately, the Nortel switch also works fine with all of the other clients such as putty, open ssh and various other "unix" based clients, so from that perspective, the Nortel is also working.
So it would appear there is an incompatibility between the two vendor implementations.
Oh well, it may be a case of this is just not going to work.
08-12-2009 08:03 PM
Thanks for the additional information. Very helpful.