9

I'm trying to connect from a Cisco 886VA to a Juniper EX2200 via SSH. The connection fails with the following messages on the Cisco:

*Jan 17 09:51:20.823: SSH2 CLIENT 0: Server has chosen 2056 -bit dh keys
*Jan 17 09:51:20.823: %SSH-3-INV_MOD: Invalid modulus length

Is there any way to make this work by changing some parameter on either the Juniper or Cisco device?

IOS Version: 15.2(4)M5

JunOS Version: 12.3R3.4

Sebastian Wiesinger
  • Are there any other solutions? Using the 4096 setting has broken a tool to login and will require development, as this is considered a non-standard setting. Thank you, Graham – Graham May 17 '17 at 09:17

3 Answers

9

This is definitely an issue with your DH key size.

Try this:

cisco886va(config)#ip ssh dh min size 4096
Ryan Foley
8

Junos's /etc/ssh/primes file had an off-by-8 bug. That is, moduli in that file advertised to be 2048 bits were in fact 2056 bits long.

The Cisco SSH client is very strict in this regard, and hence refuses to proceed. As a workaround, delete the /etc/ssh/primes file from your Junos device. This will cause Junos to use Group14 moduli.

Thanks

Art
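As an added example (not code from any of the posts here) of the mismatch Art describes: a small checker that reads an OpenSSH-style moduli file, compares the advertised size of each group with the real bit length of its modulus, and shows which groups remain once the client's minimum size is raised as in the accepted answer. The /etc/ssh/primes line layout and the one-bit tolerance for the usual size-minus-one convention are assumptions; the sample file is constructed.

```python
# Added example, not code from the thread. Assumes Junos's /etc/ssh/primes uses
# the OpenSSH moduli(5) layout: time type tests tries size generator modulus-hex.
# Real OpenSSH files often record size as bit length minus one, so a one-bit
# tolerance is allowed; an 8-bit overshoot like 2048 -> 2056 is flagged.

def parse_moduli(text):
    """Yield (advertised_bits, actual_bits) for each non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:
            raise ValueError(f"malformed moduli line: {line[:40]}")
        advertised = int(fields[4])
        modulus = int(fields[6], 16)
        yield advertised, modulus.bit_length()

def check_moduli(text, tolerance=1):
    """Return (advertised, actual) pairs whose real length is not within
    `tolerance` bits above the advertised size, i.e. the lines a strict
    client would reject as an invalid modulus length."""
    return [(adv, act) for adv, act in parse_moduli(text)
            if not (adv <= act <= adv + tolerance)]

def eligible_sizes(text, min_bits):
    """Distinct real modulus lengths the server could still pick once the
    client insists on at least `min_bits` (ip ssh dh min size on IOS)."""
    return sorted({act for _, act in parse_moduli(text) if act >= min_bits})

def fake_modulus_hex(bits):
    """Constructed stand-in with exactly `bits` significant bits. Not prime;
    only the length matters for this check."""
    return format((1 << (bits - 1)) | 0xB, "X")

# Constructed sample: a correct 2048-bit group, a group advertised as 2048
# bits whose modulus is really 2056 bits (the bug described above), and a
# correct 4096-bit group.
SAMPLE_PRIMES = "\n".join([
    "# constructed sample, not a real Junos primes file",
    f"20140117000000 2 6 100 2048 2 {fake_modulus_hex(2048)}",
    f"20140117000000 2 6 100 2048 2 {fake_modulus_hex(2056)}",
    f"20140117000000 2 6 100 4096 2 {fake_modulus_hex(4096)}",
])

if __name__ == "__main__":
    print("mismatched groups:", check_moduli(SAMPLE_PRIMES))
    print("eligible at min 1024:", eligible_sizes(SAMPLE_PRIMES, 1024))
    print("eligible at min 4096:", eligible_sizes(SAMPLE_PRIMES, 4096))
```

Run against a real primes file, any pair the checker reports is a group a strict client may refuse, while the second function shows why raising the client minimum past the mis-sized groups sidesteps them.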
0

You need to generate a new RSA key on the Cisco and specify a larger modulus for the key.

pyatka
  • This is the Diffie-Hellman parameter, not the modulus from the RSA key. We did create a 2048-bit RSA key on the Cisco. – Sebastian Wiesinger Jan 17 '14 at 10:05
  • Maybe you should try to generate the key with modulus size 4096. This worked for me; I've had the same error (%SSH-3-INV_MOD), but not with Juniper. http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-a1-xe-3se-3850-cr-book_chapter_0110.pdf – pyatka Jan 17 '14 at 10:25