diffie-hellman warning threshold
#1
Hello,
I am not sure if this is from upgrading to ASG RD 2017, or what... but for some reason I now get this error when connecting to many Cisco devices:

The first key-exchange algorithm supported by the server is diffie-hellman-group1-sha1, which is below the configured warning threshold. Do you want to continue with this connection?

Is there some place to globally change this? Or to adjust the warning threshold?

Thank you
Reply
#2
Which protocol are you using when getting this warning?
Regards/Gruss
Oliver
Reply
#3
(04-04-2017, 06:52 AM)DevOma Wrote: Which protocol are you using when getting this warning?

These are SSH connections in ASG.
Reply
#4
Via PuTTY? We have implemented the latest version of PuTTY with ASG-RD 2017...
Regards/Gruss
Oliver
Reply
#5
Hi... this is a setting in PuTTY you can adjust in the SSH settings of the connection. In PuTTY, look in the SSH-Kex settings:

[Image: attachment.php?aid=3321]

best regards,
Michael


-- michael.scholz@asg.com --
Reply
#6
(04-04-2017, 12:41 PM)Michael Scholz Wrote: Hi... this is a setting in PuTTY you can adjust in the SSH settings of the connection. In PuTTY, look in the SSH-Kex settings:

[Image: attachment.php?aid=3321]

best regards,
Michael



So if I set up 1000 SSH switch connections in ASG, that means I have to create 1000 duplicate SSH switch connections in PuTTY, set that algorithm parameter, then in ASG link each switch connection to its PuTTY equivalent??

[Image: attachment.php?aid=3322]


Reply
#7
Not necessarily ;-)

If you just want an SSH connection with no special features enabled, you don't have to use PuTTY at all. So you just define the connection in ASG-RD, set protocol and port, and assign credentials or not.

But if you need to make use of extended features, we provide PuTTY or Poderosa to extend your SSH needs. So if you want to use PuTTY, you have to define the PuTTY settings the way PuTTY allows. Since PuTTY saves its connections in the registry, maybe there is a way to replicate these settings somehow.

But what also should work: just define ONE PuTTY setting as you like it. If you copy that connection, the PuTTY setting is copied too!
Now if you just change the IP in the ASG-RD connection, that will override the PuTTY connection's IP! So that way you could use ONE PuTTY setting for 1000 ASG-RD connections. That's the way it should work if I remember correctly ;-)

Hope that helps ...

best regards,
Michael




So if I set up 1000 SSH switch connections in ASG, that means I have to create 1000 duplicate SSH switch connections in PuTTY, set that algorithm parameter, then in ASG link each switch connection to its PuTTY equivalent??
-- michael.scholz@asg.com --
Reply
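The key-exchange preference list and its warning line discussed in this thread, as an added example that is not part of any post and is not ASG or PuTTY code: it reads an exported copy of PuTTY's saved sessions and reports which ones accept diffie-hellman-group1-sha1 without a warning. It assumes PuTTY's `KEX` value under `HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions`; the session names and the address in the sample are constructed.

```python
import re
from urllib.parse import unquote

WEAK_KEX = "dh-group1-sha1"   # PuTTY's token for diffie-hellman-group1-sha1
WARN = "WARN"                 # marker: algorithms listed after it trigger the warning

# Constructed sample in the layout of a `reg export` of PuTTY's Sessions key
# (already decoded to text; real exports are UTF-16). Names are made up.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\Default%20Settings]
"KEX"="ecdh,dh-gex-sha1,dh-group14-sha1,rsa,WARN,dh-group1-sha1"

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\cisco-template]
"HostName"="192.0.2.10"
"KEX"="ecdh,dh-gex-sha1,dh-group14-sha1,dh-group1-sha1,rsa,WARN"

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\old%20switch]
"KEX"="dh-group1-sha1,WARN,ecdh,dh-gex-sha1,dh-group14-sha1,rsa"
'''

SECTION = re.compile(r"^\[.*\\PuTTY\\Sessions\\([^\]\\]+)\]$")
KEX_LINE = re.compile(r'^"KEX"="([^"]*)"$')

def split_kex(value):
    """Split a KEX preference string into (silent, warned) algorithm lists."""
    items = [t.strip() for t in value.split(",") if t.strip()]
    if WARN not in items:
        return items, []      # assumption: no marker means nothing is warned
    i = items.index(WARN)
    return items[:i], items[i + 1:]

def audit(reg_text):
    """Map each saved session to its KEX order and weak-algorithm flags."""
    report, session = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            session = unquote(m.group(1))   # names are percent-encoded
            continue
        k = KEX_LINE.match(line)
        if k and session:
            silent, warned = split_kex(k.group(1))
            report[session] = {
                "silent": silent, "warned": warned,
                "weak_without_warning": WEAK_KEX in silent,
                "weak_preferred": silent[:1] == [WEAK_KEX],
            }
    return report
```

On a workstation the input can be produced with `reg export HKCU\Software\SimonTatham\PuTTY\Sessions sessions.reg`, decoding the file as UTF-16 before passing its text to `audit`.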
#8
(04-04-2017, 03:37 PM)Michael Scholz Wrote: Not necessarily ;-)

If you just want an SSH connection with no special features enabled, you don't have to use PuTTY at all. So you just define the connection in ASG-RD, set protocol and port, and assign credentials or not.

But if you need to make use of extended features, we provide PuTTY or Poderosa to extend your SSH needs. So if you want to use PuTTY, you have to define the PuTTY settings the way PuTTY allows. Since PuTTY saves its connections in the registry, maybe there is a way to replicate these settings somehow.

But what also should work: just define ONE PuTTY setting as you like it. If you copy that connection, the PuTTY setting is copied too!
Now if you just change the IP in the ASG-RD connection, that will override the PuTTY connection's IP! So that way you could use ONE PuTTY setting for 1000 ASG-RD connections. That's the way it should work if I remember correctly ;-)

Hope that helps ...

best regards,
Michael




So if I set up 1000 SSH switch connections in ASG, that means I have to create 1000 duplicate SSH switch connections in PuTTY, set that algorithm parameter, then in ASG link each switch connection to its PuTTY equivalent??

Hmm, so after some testing, things are working with a fairly simple solution... however I am not sure why it works...

I created the one custom PuTTY session for my first ASG switch connection, linked it, and the ASG connection works fine as expected.
However I then assigned that same PuTTY session to multiple other ASG switch connections, and when connecting to them it works as well. I would expect not to get the algorithm error, but I would expect ASG to connect to that same original switch, since that one PuTTY session references a specific single switch IP. However all the ASG connections connect to the correct switches still.

So apparently from what I see ASG uses the extra settings from the PuTTY connection, but it doesn't use the IP set for the PuTTY target.
Reply
#9
Correct ;-) That's what I wrote. We use the IP setting from ASG-RD and forward it to PuTTY. That way you can use PuTTY as a kind of "template". I'm happy that it works now - thanks for your feedback! :-)
-- michael.scholz@asg.com --
Reply
#10
(04-04-2017, 09:52 AM)DevOma Wrote: Via PuTTY? We have implemented the latest version of PuTTY with ASG-RD 2017...

We have modified PuTTY SSH key connections that set this warning, and moved the diffie-hellman up to eliminate it from the warning, applied it but are still getting the warning on Cisco type devices, but we shouldn't be getting it once the PuTTY SSH key warning is changed. I have PuTTY on my own device, would like to get rid of the warning but it makes the tabbed connection look sloppy and confusing. This changed from ASG 2016, where we never got this warning message. Using ASG SSH connection setting, but can only modify PuTTY locally on PC. Any advice here please?
All of our SSH connections are using ASG internal SSH settings, not imported PuTTY settings. Need a global setting to update this ASG 2017, ASG SSH settings so we can eliminate the key error from the warning order.
Reply
#11
(04-04-2017, 02:58 PM)kmook Wrote:
(04-04-2017, 12:41 PM)Michael Scholz Wrote: Hi... this is a setting in PuTTY you can adjust in the SSH settings of the connection. In PuTTY, look in the SSH-Kex settings:

[Image: attachment.php?aid=3321]

best regards,
Michael



So if I set up 1000 SSH switch connections in ASG, that means I have to create 1000 duplicate SSH switch connections in PuTTY, set that algorithm parameter, then in ASG link each switch connection to its PuTTY equivalent??

[Image: attachment.php?aid=3322]

Looks like from my testing you need to change this setting under "Default Settings" under PuTTY, save it, then apply the key order change. This has been working for me.
Reply
#12
(10-05-2017, 06:40 PM)mrutlan1 Wrote:
(04-04-2017, 09:52 AM)DevOma Wrote: Via PuTTY? We have implemented the latest version of PuTTY with ASG-RD 2017...

We have modified PuTTY SSH key connections that set this warning, and moved the diffie-hellman up to eliminate it from the warning, applied it but are still getting the warning on Cisco type devices, but we shouldn't be getting it once the PuTTY SSH key warning is changed. I have PuTTY on my own device, would like to get rid of the warning but it makes the tabbed connection look sloppy and confusing. This changed from ASG 2016, where we never got this warning message. Using ASG SSH connection setting, but can only modify PuTTY locally on PC. Any advice here please?
All of our SSH connections are using ASG internal SSH settings, not imported PuTTY settings. Need a global setting to update this ASG 2017, ASG SSH settings so we can eliminate the key error from the warning order.
Upon looking at the PuTTY settings, you have to focus on Default Settings, so it retains the changes in ASG. Looks like from my testing you need to change this setting under "Default Settings" under PuTTY, save it, then apply the key order change. This has been working for me. Thank you, but this was an annoying change from managing tabbed windows, and we have seen it with older Cisco devices so far.
Reply
#13
Maybe I can't follow completely, but normally you just have to create a connection in PuTTY and save it (locally). This can be done right out of ASG-RD.

Test the connection and if it's working properly you can copy those settings to the environment (DB) with the PuTTY session administration. Then all DB-based installations have those settings available by importing them from the environment, also with the PuTTY session administration. Have you tried that?
Best regards,
Michael
-- michael.scholz@asg.com --
Reply
#14
Hi,
I have the same problem described by user kmook above. I have already tried to change the PuTTY settings of the connection, but when I open a new session to the same host the error still occurs and the PuTTY settings are as they were before I changed them. Where can I permanently change the PuTTY settings so that "diffie-hellman-group1-sha1" is not below the warning mark?

Thank you.

BR
Reply
#15
PuTTY settings are configured inside PuTTY. You can save these settings and then select them to be used in your connection. If you save them as the default, you don't need to select a session in ASG-RD; otherwise configure the settings, save them by name and select that session in your connection. If you edit the Default connection Properties, you can ensure that these settings will be used for every new connection.
Regards/Gruss
Oliver
Reply
#16
It works. Thank you.
Reply



