Saturday, April 6, 2024

Cisco ASA Firewall SSH Key Exchange

I had an issue wherein I couldn't SSH to a Cisco ASA firewall and received a key exchange error. I've checked the configured SSH key exchange group and it was configured to use a higher DH group which is the default in newer Cisco ASA version.

 

[john@server01 ~]$ ssh admin@192.168.202.4

Unable to negotiate with 192.168.202.4 port 22: no matching key exchange method found. Their offer: diffie-hellman-group14-sha256

 

 

ciscoasa# show run ssh

ssh stricthostkeycheck

ssh timeout 30

ssh version 2

ssh key-exchange group dh-group14-sha256

ssh 10.10.0.0 255.255.0.0 management

 

 

I configured a lower DH group as an interim solution. The management server needs to be upgraded in order to support newer SSH key exchange protocols as a permanent fix.

 

ciscoasa# configure terminal

ciscoasa(config)# ssh key-exchange group ?

 

configure mode commands/options:

  curve25519-sha256   Diffie-Hellman group-31-sha256

  dh-group1-sha1      Diffie-Hellman group 2 (DEPRECATED)

  dh-group14-sha1     Diffie-Hellman group-14-sha1

  dh-group14-sha256   Diffie-Hellman group-14-sha256

  ecdh-sha2-nistp256  Diffie-Hellman group-19-sha256

ciscoasa(config)# ssh key-exchange group dh-group1-sha1

WARNING: DH group 2 is considered insecure. This option is deprecated and will be removed in a later version.

 

 

I was able to SSH and save the RSA key afterwards.

[john@server01 ~]$ ssh admin@192.168.202.4
The authenticity of host '172.16.22.4 (172.16.22.4)' can't be established.
RSA key fingerprint is 98:c0:6b:42:88:7f:48:68:ae:a1:b4:04:03:12:34:56.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.202.4' (RSA) to the list of known hosts.admin@192.168.202.4's password:<SSH PASSWORD>

ciscoasa# show version

 

Cisco Adaptive Security Appliance Software Version 9.16.x

SSP Operating System Version 2.10.x

Device Manager Version 7.18.x

 

Compiled on Wed 03-Aug-22 05:26 GMT by builders

 

ciscoasa up 23 hours 51 mins

failover cluster up 23 hours 51 mins

 

No comments:

Post a Comment