We recently upgraded all of our Cisco routers to 12.4(20)T and are no longer able to connect via SSH2 from any of our network admin consoles. An 'ip ssh debug' results in 'Invalid modulus length'. Has anyone seen this issue before?
I am able to recreate the issue. It might be a bug and I would suggest opening a TAC case. Here's the debug info I got trying to establish a connection. BTW I rebuilt the entire config after the upgrade and got the same results.
*Mar 4 21:06:29.515: SSH0: starting SSH control process
*Mar 4 21:06:29.515: SSH0: sent protocol version id SSH-2.0-Cisco-1.25
*Mar 4 21:06:29.519: SSH0: protocol version id is - SSH-2.0-SecureCRT_5.1.3 (build 281) SecureCRT
*Mar 4 21:06:29.519: SSH2 0: send:packet of length 344 (length also includes padlen of 5)
*Mar 4 21:06:29.519: SSH2 0: SSH2_MSG_KEXINIT sent
*Mar 4 21:06:29.519: SSH2 0: ssh_receive: 464 bytes received
*Mar 4 21:06:29.519: SSH2 0: input: total packet length of 464 byte
The new Cisco IOS, it seems, requires that the modulus size meet certain criteria that are not specified in the SSH draft.
The following has been known to resolve the issue for other customers encountering this issue:
1. In the 'SSH2' category of the Session Options dialog, select the 'diffie-hellman' key exchange method (without changing any of the checkboxes), and click the up arrow to move this method to the top of the list.
2. Click 'OK' to exit the Session Options dialog and attempt the connection again.
If your version of SecureCRT does not have this option, then each of the session ini files will need to be modified. You must move 'diffie-hellman-group1-sha1' to the front of the list on the line 'S:"Key Exchange Algorithms"'.
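The session-file edit described in the reply above, as an added example in Python; this is not code from the original thread or from VanDyke. It assumes SecureCRT session files are plain text with the key-exchange list stored as a comma-separated value on the 'S:"Key Exchange Algorithms"' line and that the files are UTF-8 (bytes that are not valid UTF-8 are passed through unchanged). The sample ini fragment is constructed for the example.

```python
import sys
from pathlib import Path

# Constructed sample of a SecureCRT session .ini fragment (not from the original
# page). The comma-separated key-exchange value is an assumption about the format.
SAMPLE_INI = '''S:"Protocol Name"=SSH2
S:"Hostname"=router1.example.net
D:"[SSH2] Port"=00000016
S:"Key Exchange Algorithms"=diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
S:"Cipher List"=aes128-ctr,aes256-ctr,3des
'''

KEX_KEY = 'S:"Key Exchange Algorithms"'
PREFERRED_KEX = "diffie-hellman-group1-sha1"


def kex_list(ini_text):
    """Return the key-exchange algorithms listed in the session text, or None."""
    for line in ini_text.splitlines():
        if line.startswith(KEX_KEY + "="):
            value = line[len(KEX_KEY) + 1:]
            return [a.strip() for a in value.split(",") if a.strip()]
    return None


def reorder_kex(ini_text, preferred=PREFERRED_KEX):
    """Return (new_text, changed) with `preferred` moved to the front of the
    key-exchange list. A session without that line (not an SSH2 session, or one
    relying on the global default) is returned unchanged. Line endings and all
    other lines are preserved byte for byte."""
    out = []
    changed = False
    for line in ini_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        if body.startswith(KEX_KEY + "="):
            algos = [a.strip() for a in body[len(KEX_KEY) + 1:].split(",") if a.strip()]
            # Prepend the preferred method, keeping the remaining order intact; the
            # client has to offer it for the router to select it.
            new_algos = [preferred] + [a for a in algos if a != preferred]
            if new_algos != algos:
                eol = line[len(body):]
                line = KEX_KEY + "=" + ",".join(new_algos) + eol
                changed = True
        out.append(line)
    return "".join(out), changed


def patch_session_dir(directory, preferred=PREFERRED_KEX):
    """Rewrite every *.ini under `directory` whose key-exchange order changes.
    A .bak copy of the original is written next to each modified file.
    Returns the list of paths that were modified."""
    modified = []
    for path in sorted(Path(directory).rglob("*.ini")):
        # newline="" keeps CRLF/LF as found; surrogateescape round-trips non-UTF-8 bytes.
        text = path.read_text(encoding="utf-8", errors="surrogateescape", newline="")
        new_text, changed = reorder_kex(text, preferred)
        if not changed:
            continue
        path.with_suffix(path.suffix + ".bak").write_text(
            text, encoding="utf-8", errors="surrogateescape", newline="")
        path.write_text(new_text, encoding="utf-8", errors="surrogateescape", newline="")
        modified.append(path)
    return modified


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"usage: {sys.argv[0]} <SecureCRT sessions directory>")
        sys.exit(2)
    for p in patch_session_dir(sys.argv[1]):
        print(f"updated {p}")
```

Close SecureCRT before running it against the Sessions directory so the application does not write its in-memory copy back over the edited files. Note that diffie-hellman-group1-sha1 is the 1024-bit MODP group, which current SSH clients disable by default; this ordering is a workaround for the IOS behaviour reported here, not a preference to keep once the router side is fixed.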