0

I had to replace a Cisco ASA 5510 that died.

I have everything back up and running; however, when I connect to the ASA via SSH (through PuTTY), I receive the following warning message:

"The first cipher supported by the server is single-DES, which is below the configured warning threshold. Do you want to continue with this connection?"

I have tried to solve this by recreating the security keys with the following two commands:

crypto key zeroize rsa
crypto key generate rsa noconfirm

However, nothing has changed. I still receive the warning message when I connect via SSH.

Richard West

2 Answers

1

Issuing the following seems to have resolved the problem. Am I correct in assuming that I'm now using the more secure key? I never had the "ssh version 2" command running on my ASA 5510 that died on me. Perhaps there was a stronger key originally generated on it using sparks answer?

config t
ssh version 2
Richard West
0

Does your replacement ASA unit definitely have a 3DES/AES license installed? Sounds like it might not.

Have a look at www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5500/quick/guide/DESlic.html and see if that's any use.

(apparently I'm not allowed to post hyperlinks, so I apologise if this suggestion isn't in the most useful format)

Cheers, jmi
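
An added example, not part of either answer and not Cisco's code: a Python check that reads saved `show version` and `show running-config ssh` output and reports the two conditions raised on this page, a missing 3DES/AES license and a missing `ssh version 2` line. The sample output is constructed, and the layout of the `VPN-3DES-AES` license line is an assumption about how the device prints it.

```python
import re

# Constructed sample output (not captured from a real device). The layout of
# the license lines is an assumption about what `show version` prints.
SHOW_VERSION = """\
Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
VPN-DES                        : Enabled
VPN-3DES-AES                   : Disabled
"""

# Constructed `show running-config ssh` output with no "ssh version" line.
SHOW_RUN_SSH = """\
ssh 192.0.2.0 255.255.255.0 inside
ssh timeout 5
"""

LICENSE_RE = re.compile(r"^\s*(VPN-DES|VPN-3DES-AES)\s*:\s*(\w+)", re.MULTILINE)
SSH_VERSION_RE = re.compile(r"^\s*ssh version (\d+)\s*$", re.MULTILINE)


def audit_asa_ssh(show_version, show_run_ssh):
    """Return a list of findings about SSH crypto from saved CLI output."""
    findings = []

    # Map each license name to True (Enabled) or False (anything else).
    licenses = {name: state.lower() == "enabled"
                for name, state in LICENSE_RE.findall(show_version)}
    if "VPN-3DES-AES" not in licenses:
        findings.append("VPN-3DES-AES license line not found; check the output by hand")
    elif not licenses["VPN-3DES-AES"]:
        findings.append("VPN-3DES-AES license is not enabled; 3DES/AES are not licensed")

    # The first answer's fix was adding 'ssh version 2' to the configuration.
    if "2" not in SSH_VERSION_RE.findall(show_run_ssh):
        findings.append("'ssh version 2' is not set in the SSH configuration")

    return findings


if __name__ == "__main__":
    for finding in audit_asa_ssh(SHOW_VERSION, SHOW_RUN_SSH):
        print("FINDING:", finding)
```
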