Device: S5720-52X-PWR-SI-AC
Version: V200R010C00SPC600
Issue Description | We are having issues connecting with the latest version of Patty 0.72 to the switch S5720-52X-PWR-SI-AC with version V200R010C00SPC600. |
Alarm Information | After trying to log in we receive the error below: |
Handling Process | First we tried with third-party version 0.69 and it was working well. Then we connected to the device using telnet and entered the next commands:

<Huawei>terminal logging
<Huawei>terminal monitor
<Huawei>display terminal 0

Then we connected one more time using the latest Patty session and collected the terminal output, which we put below. After finishing the test we ran the next commands:

<Huawei>undo terminal logging
<Huawei>undo terminal monitor

Aug 14 2019 16:33:31.211.1+01:00 SwCore303 SSH/7/ACCEPT:Received connection from 172.29.1.176.
Aug 14 2019 16:33:31.221.1+01:00 SwCore303 SSH/7/FSM_MOVE:FSM moved from SSH_Main_Connect to SSH_Main_VersionMatch.
Aug 14 2019 16:33:31.231.1+01:00 SwCore303 SSH/7/VERSION_RECEIVE:Version information received on VTY 1, version string:SSH-2.0-PaTTY_Release_0.72.
Aug 14 2019 16:33:31.231.2+01:00 SwCore303 SSH/7/SEND_PKT:Sent ssh2 msg kexinit packet.
Aug 14 2019 16:33:31.231.3+01:00 SwCore303 SSH/7/FSM_MOVE:FSM moved from SSH_Main_VersionMatch to SSH_Main_SSHProcess.
Aug 14 2019 16:33:31.241.1+01:00 SwCore303 SSH/7/READ_PKT:Expected packet type:ssh2 msg kex init, failed to read data from packet!
Aug 14 2019 16:33:31.241.2+01:00 SwCore303 SSH/7/RECV_PKT:Received ssh2 msg kex init packet.
Aug 14 2019 16:33:31.241.3+01:00 SwCore303 SSH/7/KEX_DERECTION:Kex for direction is in.
Aug 14 2019 16:33:31.241.4+01:00 SwCore303 SSH/7/CHOOSE_ENCRYPT:Chose encryption algorithm:aes256-ctr.
Aug 14 2019 16:33:31.241.5+01:00 SwCore303 SSH/7/CHOOSE_MAC:Chose MAC algorithm:hmac-sha2-256.
Aug 14 2019 16:33:31.241.6+01:00 SwCore303 SSH/7/KEX_DERECTION:Kex for direction is out.
Aug 14 2019 16:33:31.241.7+01:00 SwCore303 SSH/7/CHOOSE_ENCRYPT:Chose encryption algorithm:aes256-ctr.
Aug 14 2019 16:33:31.241.8+01:00 SwCore303 SSH/7/CHOOSE_MAC:Chose MAC algorithm:hmac-sha2-256.
Aug 14 2019 16:33:31.241.9+01:00 SwCore303 SSH/7/CHOOSE_KEX:Choose Kex algorithm:diffie-hellman-group-exchange-sha1.
Aug 14 2019 16:33:31.241.10+01:00 SwCore303 SSH/7/CHOOSE_PK:Choose PK algorithm:ecdsa-sha2-nistp521.
Aug 14 2019 16:33:31.241.11+01:00 SwCore303 SSH/7/FSM_MOVE:FSM moved from SSH_Sub1_KEX_Init to SSH_Sub1_KEX_GEX_Group.
Aug 14 2019 16:33:31.251.1+01:00 SwCore303 SSH/7/RECV_PKT:Received 34 packet.
Aug 14 2019 16:33:31.261.1+01:00 SwCore303 SSH/7/SEND_PKT:Sent 31 packet.
<SwCore303>
Aug 14 2019 16:33:31.261.2+01:00 SwCore303 SSH/7/FSM_MOVE:FSM moved from SSH_Sub1_KEX_GEX_Group to SSH_Sub1_KEX_GEX_INIT.
Aug 14 2019 16:33:31.291.1+01:00 SwCore303 SSH/7/RECV_PKT:Received ssh2 msg kex dh gex init packet.
Aug 14 2019 16:33:31.291.2+01:00 SwCore303 SSH/7/FSM_MOVE:FSM moved from SSH_Sub1_KEX_GEX_INIT to SSH_Sub1_KEX_GEX_Reply.
Aug 14 2019 16:33:31.291.3+01:00 SwCore303 SSH/7/NO_INFO:Begin to compute the dh shared key.
<SwCore303>
Aug 14 2019 16:33:34.421.1+01:00 SwCore303 SSH/7/RECV_PKT:Received ssh2 msg ecdh reply packet.
Aug 14 2019 16:33:34.421.2+01:00 SwCore303 SSH/7/RECV_PKT:Received ssh2 msg kex dh gex init packet.
Aug 14 2019 16:33:34.421.3+01:00 SwCore303 SSH/7/SEND_PKT:Sent SSH2_MSG_KEX_DH_GEX_REPLY packet.
Aug 14 2019 16:33:34.421.4+01:00 SwCore303 SSH/7/SEND_PKT:Sent SSH2_MSG_NEWKEYS packet.
Aug 14 2019 16:33:34.421.5+01:00 SwCore303 SSH/7/FSM_MOVE:FSM moved from SSH_Sub1_KEX_GEX_Reply to SSH_Sub1_KEX_NewKey.
<SwCore303>
Aug 14 2019 16:33:35.841.1+01:00 SwCore303 SSH/7/READ_PKT:Expected packet type:ssh2 msg newkeys, failed to read data from packet!
Aug 14 2019 16:33:35.841.2+01:00 SwCore303 SSH/7/DISCONNECT:The connection is closed by SSH server, current FSM is SSH_Main_SSHProcess.
Aug 14 2019 16:33:35.841.3+01:00 SwCore303 SSH/7/FSM_MOVE:FSM moved from SSH_Main_SSHProcess to SSH_Main_Disconnect.

In the end we set the RSA encryption algorithm on Patty Algorithm Selection Policy as the default selection in the SSH Host Keys. |
Root Cause | After analyzing the output it seems that this is a well-known Patty software issue. The Patty software has a fixed order for the algorithm selection policy. If one algorithm fails, it does not go on to check whether the others work. RSA should have a higher priority than ECDSA for the connection to work. We suspect the problem lies in the software itself. |
Solution | Change the encryption algorithms in the Patty software by setting the RSA option as the default selection for the host keys in the SSH Host Keys. Furthermore, it is important to delete any old keys that are stored in the registry. You can find them in the Windows registry under \HKEY_CURRENT_USER\Software\%username%\PaTTY\SshHostKeys |
Suggestions | Make sure to check which algorithm the third-party Patty software uses by default and match it to the one that the device also uses by default. |
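
To compare a failing session with a working one, the debug trace can be reduced to the client banner, the algorithms the switch chose, and the state in which the server closed the connection. The Python script below is an added example, not part of the original case or of any vendor tool; `summarize` and its result keys are hypothetical names, and the sample is an excerpt of the log above.

```python
import re

# Timestamp as printed by the switch, e.g. "Aug 14 2019 16:33:31.241.10+01:00"
TS = r"[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}\.\d+\.\d+[+-]\d{2}:\d{2}"
# An entry runs until the next timestamp (optionally preceded by a CLI prompt such
# as "<SwCore303>") or the end of input, so entries pasted onto one line still split.
ENTRY = re.compile(
    rf"({TS}) (\S+) SSH/(\d)/(\w+):(.*?)(?=\s*(?:<\S+>\s*)?(?:{TS}|\Z))", re.S)

def summarize(log):
    """Return client banner, chosen algorithms and the point where the session closed."""
    out = {"client": None, "chosen": {}, "sub_state": None,
           "last_read_failure": None, "closed_in": None}
    direction = None
    for _ts, _host, _sev, mnemonic, text in ENTRY.findall(log):
        text = text.strip()
        if mnemonic == "VERSION_RECEIVE":
            out["client"] = text.split("version string:", 1)[1].rstrip(".")
        elif mnemonic == "KEX_DERECTION":      # spelled this way in the device output
            direction = text.rstrip(".").rsplit(" ", 1)[1]    # "in" or "out"
        elif mnemonic.startswith("CHOOSE_"):
            kind = mnemonic[len("CHOOSE_"):].lower()          # encrypt, mac, kex, pk
            key = f"{kind}/{direction}" if kind in ("encrypt", "mac") else kind
            out["chosen"][key] = text.rsplit(":", 1)[1].rstrip(".")
        elif mnemonic == "FSM_MOVE":
            state = text.rstrip(".").rsplit(" to ", 1)[1]
            if state.startswith("SSH_Sub"):                   # key-exchange sub-state
                out["sub_state"] = state
        elif mnemonic == "READ_PKT" and "failed to read" in text:
            out["last_read_failure"] = text.split("type:", 1)[1].split(",", 1)[0]
        elif mnemonic == "DISCONNECT":
            out["closed_in"] = text.rstrip(".").rsplit(" is ", 1)[1]
    return out

# Excerpt of the debug output on this page; the last three entries are left
# run together on one line, as in the pasted log.
SAMPLE = """\
Aug 14 2019 16:33:31.231.1+01:00 SwCore303 SSH/7/VERSION_RECEIVE:Version information received on VTY 1, version string:SSH-2.0-PaTTY_Release_0.72.
Aug 14 2019 16:33:31.241.3+01:00 SwCore303 SSH/7/KEX_DERECTION:Kex for direction is in.
Aug 14 2019 16:33:31.241.4+01:00 SwCore303 SSH/7/CHOOSE_ENCRYPT:Chose encryption algorithm:aes256-ctr.
Aug 14 2019 16:33:31.241.9+01:00 SwCore303 SSH/7/CHOOSE_KEX:Choose Kex algorithm:diffie-hellman-group-exchange-sha1.
Aug 14 2019 16:33:31.241.10+01:00 SwCore303 SSH/7/CHOOSE_PK:Choose PK algorithm:ecdsa-sha2-nistp521.
Aug 14 2019 16:33:34.421.5+01:00 SwCore303 SSH/7/FSM_MOVE:FSM moved from SSH_Sub1_KEX_GEX_Reply to SSH_Sub1_KEX_NewKey. <SwCore303> Aug 14 2019 16:33:35.841.1+01:00 SwCore303 SSH/7/READ_PKT:Expected packet type:ssh2 msg newkeys, failed to read data from packet! Aug 14 2019 16:33:35.841.2+01:00 SwCore303 SSH/7/DISCONNECT:The connection is closed by SSH server, current FSM is SSH_Main_SSHProcess.
"""

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Running the same function over a capture from the working client shows whether the `pk` entry or the closing state differs between the two sessions.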