GeekOut: IOS 15.x on Dynamips

ccie-sp October 5th, 2009

By now, you’ve heard the news that Cisco has released the latest version of IOS.  There are theories circling around as to why Cisco skipped versions 13.x and 14.x, which may or may not be attributed to superstition.  As time goes by I’m certain we’ll learn the real reason.

I’m not going to bother with all the new features and which hardware is and isn’t supported.  I’m sure Google can point you in the right direction if you really want more information.  If you are just wondering whether or not you can test, play, or study with Dynamips using IOS version 15.x, then the answer is ‘yes’.

Here’s a short video I created just to show you the version loads:

[Video: bbb-ios15-on-dynamips]

Notes:

- The Advanced Enterprise image does load with an NPE model type of ‘npe-200’, but a warning will be displayed as follows:

--------------------------------------------------------------
This Version of Cisco IOS Software is not supported on NPE200.
Please select a version of Cisco IOS software compatible with
this processor from http://www.cisco.com.
--------------------------------------------------------------

Unfortunately, I can’t tell you which features are rendered useless using a lower model type; you’ll just have to figure that out yourself after a few hours/days of testing.

WAAS Module: NM-WAE-522-K9

ccie-rs May 3rd, 2009

If you are planning on loading an ISR 2821, 3825, or 3845 router with this particular WAAS module and any of these Advanced Enterprise IOS versions:

12.4.15T9

12.4.20T1

12.4.20.T2

12.4.20.T3

12.4.22T

12.4.22T1

You’ll soon find that the router will hang on start-up.  To overcome this problem you’ll need to upgrade to 12.4.24T in order for the router to boot up properly.  Prior to my upgrade, I was running 12.4.13b which booted up fine, so it appears this issue only appears in the T train.

Invalid Modulus Length

ccie-sec December 2nd, 2008

To help prep for an internal security audit, I needed to upgrade the IOS on a few 3800 series routers. Last night, I uploaded the 12.4(20)T image into each router and scheduled the reboot with a description:

reload in 2:30 IOS Upgrade for Security Audit

When I woke up this morning to check on the routers, I wasn’t able to log in using SecureCRT. I was, however, able to connect with PuTTY and OpenSSH from a Linux command line. I deleted the SSH keys in SecureCRT, but that didn’t seem to resolve my problem. Through PuTTY, I ran a ‘show log’ which gave me the following error message:

SSH2 0: Invalid modulus length

I needed a little more detail and ran ‘debug ip ssh detail’ which produced the following output:

000111: .Dec 2 18:15:14.182 UTC: SSH1: starting SSH control process
000112: .Dec 2 18:15:14.182 UTC: SSH1: sent protocol version id SSH-2.0-Cisco-1.25
000113: .Dec 2 18:15:14.186 UTC: SSH1: protocol version id is - SSH-2.0-SecureCRT_5.0.3 (build 1040) SecureCRT
000114: .Dec 2 18:15:14.186 UTC: SSH2 1: SSH2_MSG_KEXINIT sent
000115: .Dec 2 18:15:14.186 UTC: SSH2 1: SSH2_MSG_KEXINIT received
000116: .Dec 2 18:15:14.186 UTC: SSH2:kex: client->server enc:aes256-cbc mac:hmac-sha1
000117: .Dec 2 18:15:14.186 UTC: SSH2:kex: server->client enc:aes256-cbc mac:hmac-sha1
000118: .Dec 2 18:15:14.186 UTC: SSH2 1: SSH2_MSG_KEX_DH_GEX_REQUEST received
000119: .Dec 2 18:15:14.186 UTC: SSH2 1: Range sent by client is - 1024 < 2046 < 2046
000120: .Dec 2 18:15:14.186 UTC: SSH2 1: Invalid modulus length
000121: .Dec 2 18:15:14.290 UTC: SSH1: Session disconnected - error 0x00

The problem appears to be with Diffie-Hellman. Googling around, I found that I needed to move DH to the top of the list:

Options/Session Options/Connection/SSH2/Key Exchange

Unfortunately, my version of SecureCRT is outdated so the only way I can resolve this is to upgrade or stick with PuTTY and OpenSSH.
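
An added example, not part of the original post: a short Python script that scans ‘debug ip ssh detail’ output for sessions rejected with "Invalid modulus length" and reports the client version string and the Diffie-Hellman group-exchange range each one requested. The sample lines are excerpted from the debug output above; treating the number in "SSH1:" and "SSH2 1:" as the same session ID is an assumption, as is the function name.

```python
import re

# Lines excerpted from the 'debug ip ssh detail' output in the post above.
SAMPLE = """\
000112: .Dec 2 18:15:14.182 UTC: SSH1: sent protocol version id SSH-2.0-Cisco-1.25
000113: .Dec 2 18:15:14.186 UTC: SSH1: protocol version id is - SSH-2.0-SecureCRT_5.0.3 (build 1040) SecureCRT
000116: .Dec 2 18:15:14.186 UTC: SSH2:kex: client->server enc:aes256-cbc mac:hmac-sha1
000118: .Dec 2 18:15:14.186 UTC: SSH2 1: SSH2_MSG_KEX_DH_GEX_REQUEST received
000119: .Dec 2 18:15:14.186 UTC: SSH2 1: Range sent by client is - 1024 < 2046 < 2046
000120: .Dec 2 18:15:14.186 UTC: SSH2 1: Invalid modulus length
000121: .Dec 2 18:15:14.290 UTC: SSH1: Session disconnected - error 0x00
"""

# Assumption: "SSH<n>:" and "SSH2 <n>:" both carry the session number <n>.
LINE = re.compile(r"UTC: SSH(?:2 )?(\d+): (.*)$")
CLIENT = re.compile(r"protocol version id is - (\S+)")
# RFC 4419 group-exchange request fields: minimum, preferred, maximum size in bits.
RANGE = re.compile(r"Range sent by client is - (\d+) < (\d+) < (\d+)")


def gex_failures(text):
    """Return one record per session rejected with 'Invalid modulus length'."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # e.g. the "SSH2:kex:" lines, which carry no session number
        s = sessions.setdefault(int(m.group(1)),
                                {"client": None, "range": None, "rejected": False})
        msg = m.group(2)
        if (c := CLIENT.search(msg)):
            s["client"] = c.group(1)
        elif (r := RANGE.search(msg)):
            s["range"] = tuple(int(x) for x in r.groups())
        elif "Invalid modulus length" in msg:
            s["rejected"] = True
    out = []
    for sid, s in sorted(sessions.items()):
        if s["rejected"]:
            lo, n, hi = s["range"] or (None, None, None)  # range line may be missing
            out.append({"session": sid, "client": s["client"],
                        "min": lo, "n": n, "max": hi})
    return out


if __name__ == "__main__":
    for rec in gex_failures(SAMPLE):
        print(rec)
```

Run over a saved debug capture, this shows at a glance which client builds are sending a group-exchange range the router refuses.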
