cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1840
Views
0
Helpful
0
Comments
Christian Jouas
Level 1
Level 1

Question

We run asr9001 with XR 6.1.3, and we have a very long delay to login w/ SSH 1 or 2 to the device compare to IOS device.

After investigation, the there is 1s delay between the client KEXDH_INIT and the server (XR) KEXDH_REPLY.

 

After debug ssh server on the XR device, we see the following:

 

RP/0/RSP0/CPU0:Nov 17 08:05:13.661 : SSHD_[65874]: Received KEXDH_INIT
RP/0/RSP0/CPU0:Nov 17 08:05:13.661 : SSHD_[65874]: Calling DH algorithm setting with group14
RP/0/RSP0/CPU0:Nov 17 08:05:13.661 : SSHD_[65874]:  Getting the parameter inside (Func: set_dh_param_groups)
RP/0/RSP0/CPU0:Nov 17 08:05:13.661 : SSHD_[65874]: After geting the parameter we are calling the first phase of DH
RP/0/RSP0/CPU0:Nov 17 08:05:14.539 : SSHD_[65874]: sshd_key_exchange: Selected key_type is RSA
RP/0/RSP0/CPU0:Nov 17 08:05:14.539 : SSHD_[65874]: Extracting RSA pubkey from crypto engine
RP/0/RSP0/CPU0:Nov 17 08:05:14.539 : SSHD_[65874]: Retreiving 512 bit RSA host key-pair
RP/0/RSP0/CPU0:Nov 17 08:05:14.539 : SSHD_[65874]: bloblen = 87
RP/0/RSP0/CPU0:Nov 17 08:05:14.539 : SSHD_[65874]: exponent = 3, modulus = 65
RP/0/RSP0/CPU0:Nov 17 08:05:14.539 : SSHD_[65874]: Calculating kex hash with client_str = SSH-2.0-SecureCRT_7.3.7 (x64 build 1034)  (len = 40)
RP/0/RSP0/CPU0:Nov 17 08:05:14.539 : SSHD_[65874]: server_str = SSH-1.99-Cisco-2.0  (len = 18)
RP/0/RSP0/CPU0:Nov 17 08:05:14.542 : SSHD_[65874]: Sending KEXDH_REPLY

 

You clearly see that XR start with "After geting the parameter we are calling the first phase of DH", and then 1s later send the key_echange "sshd_key_exchange: Selected key_type is RSA".

 

We have disable vrf, disable domain-lookup, all ACL.

The config is like this:

"

domain lookup disable
interface MgmtEth0/RSP0/CPU0/0
 description MGMT
 ipv4 address 192.18.12.246 255.255.255.192

router static
 address-family ipv4 unicast
  x.x.x.x/24 MgmtEth0/RSP0/CPU0/0 192.18.12.x description NOC
 
 !
!
ssh server vrf default

RP/0/RSP0/CPU0:xxx2#show cry ke my r
Fri Nov 17 09:30:04.735 UTC
Key label: the_default
Type     : RSA General purpose
Size     : 1024
Created  : 08:29:19 UTC Fri Nov 17 2017
Data     :
 30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00C55F0F
 CAD79136 49BA3746 B3949856 565CCE76 62F39A92 3BBB7171 34A02876 D9171300
 7EF62020 4C85511E 802181C3 122E1553 91A92B65 6CF6EBD6 6DA9B3F5 42E20F44
 7B4931F4 9B52F876 66943384 02C47472 802DB637 DA554A22 604E8BD1 56C0480A
 9DBD077E D3401883 C173CA91 880CE273 6DB4D939 87779DDE FC3476A1 25020301
 0001

 

"

 

With automatic login, we have 100ms to login to any IOS box, but around 1.5s to all XR boxes. Any idea why the first phase of DH take so long ?

 

Thank

F&C

Answer

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: