Managing Devices With Your Blackberry

ccie-rs January 14th, 2009

Last year I ended up upgrading my Blackjack i607 cell phone to a Blackberry 8820. Basically I did this so it was easier to manage emails from my various contracts. I don’t really have to go into the basic functions of the phone, since many of you may already have one joined at your hip. One of the software packages I would recommend downloading and installing on your phone is called MidpSSH — it’s a free telnet/SSH client that works pretty well and will allow you to manage your equipment. I installed and tested a few others out there, but many of the free versions had too many bugs.

Since my Blackberry was already tied to the client’s Blackberry server to service my email portion, I had the ability to browse and conduct most management functions (i.e. ping checks) over the Internet. When managing a device with this utility, you have to realize you won’t be able to do so with blazing speeds. In fact, it may seem like you are running over a dial-up connection when you first try it out, but in the end it may still prove useful for any quick fix.

Yesterday while I was in transit, I received a call for support to look at a core router. The client was trying to determine the optimal routing path for several servers through traceroute. Unfortunately, the client found that in passing ICMP packets to a certain core router in the path that he was unable to receive the echo-replies. I quickly remembered that there was a DENY_ICMP access-list assigned on the interface that was most likely prohibiting ICMP all together and needed to figure out the quickest way to remove it.

(On a side note, one of my personal goals this year was to minimize my own clutter. One of the ways of achieving that was to reduce the amount of hardware I carried around in my pockets and my backpack, which meant my laptop and the many cables/accessories that came with it will now sit at home.)

To give you some background of the client, they have an external monitoring service co-located in downtown LA. One of the devices in the co-lo is a router that has a VPN tied back to the client office and allows telnet access on the external interface from the Blackberry server IP address.

In order to access the equipment, I opened up the MidpSSH utility on the Blackberry, selected ‘Sessions’, typed in the IP address of the co-lo router, and selected ‘Connect’. After entering my credentials, I was immediately logged into the co-lo router. From this point, I had to reverse telnet (with the /source-interface option) to a distribution switch that was connected to the core router. From the distribution switch I was able to reverse SSH into the core router and remove the ACL from the interface.

All in all, it took me only 15 minutes.

Invalid Modulus Length

ccie-sec December 2nd, 2008

To help prep for an internal security audit, I needed to upgrade the IOS on a few 3800 series routers. Last night, I uploaded the 12.4(20)T image into each router and scheduled the reboot with a description:

reload in 2:30 IOS Upgrade for Security Audit

When I woke up this morning to check on the routers, I wasn’t able to log in using SecureCRT. I was, however, able to connect with Putty and OpenSSH from a Linux command line. I deleted the SSH keys in SecureCRT, but that didn’t seem to resolve my problem. Through Putty, I ran a ‘show log’ which gave me the following error message:

SSH2 0: Invalid modulus length

I needed a little more detail and ran ‘debug ip ssh detail’ which produced the following output:

000111: .Dec 2 18:15:14.182 UTC: SSH1: starting SSH control process
000112: .Dec 2 18:15:14.182 UTC: SSH1: sent protocol version id SSH-2.0-Cisco-1.25
000113: .Dec 2 18:15:14.186 UTC: SSH1: protocol version id is - SSH-2.0-SecureCRT_5.0.3 (build 1040) SecureCRT
000114: .Dec 2 18:15:14.186 UTC: SSH2 1: SSH2_MSG_KEXINIT sent
000115: .Dec 2 18:15:14.186 UTC: SSH2 1: SSH2_MSG_KEXINIT received
000116: .Dec 2 18:15:14.186 UTC: SSH2:kex: client->server enc:aes256-cbc mac:hmac-sha1
000117: .Dec 2 18:15:14.186 UTC: SSH2:kex: server->client enc:aes256-cbc mac:hmac-sha1
000118: .Dec 2 18:15:14.186 UTC: SSH2 1: SSH2_MSG_KEX_DH_GEX_REQUEST received
000119: .Dec 2 18:15:14.186 UTC: SSH2 1: Range sent by client is - 1024 < 2046 < 2046
000120: .Dec 2 18:15:14.186 UTC: SSH2 1: Invalid modulus length
000121: .Dec 2 18:15:14.290 UTC: SSH1: Session disconnected - error 0x00

The problem appears to be in the Diffie-Hellman key exchange: the debug output shows the router rejecting the modulus range the client requested. Googling around, I found that I needed to move DH to the top of the list:

Options/Session Options/Connection/SSH2/Key Exchange

Unfortunately, my version of SecureCRT is outdated so the only way I can resolve this is to upgrade or stick with Putty and OpenSSH.
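To make the failure mode concrete, here is an added Python helper (not from the post) that pulls the client's DH group-exchange range out of the debug lines above and checks it against a server modulus size you supply. The server size is an assumption the caller provides, since the IOS debug output does not print the router's own group size; the sample lines are a constructed excerpt in the same format as the post.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: excerpt of 'debug ip ssh detail' output in the form shown above.
SAMPLE_DEBUG = """\
000118: .Dec 2 18:15:14.186 UTC: SSH2 1: SSH2_MSG_KEX_DH_GEX_REQUEST received
000119: .Dec 2 18:15:14.186 UTC: SSH2 1: Range sent by client is - 1024 < 2046 < 2046
000120: .Dec 2 18:15:14.186 UTC: SSH2 1: Invalid modulus length
000121: .Dec 2 18:15:14.290 UTC: SSH1: Session disconnected - error 0x00
"""

# The client's DH_GEX_REQUEST carries min < preferred < max modulus sizes in bits.
RANGE_RE = re.compile(r"Range sent by client is - (\d+) < (\d+) < (\d+)")


@dataclass
class GexRequest:
    min_bits: int
    preferred_bits: int
    max_bits: int


def parse_gex_request(debug_output: str) -> Optional[GexRequest]:
    """Return the client's group-exchange range from IOS debug output, or None if absent."""
    m = RANGE_RE.search(debug_output)
    if not m:
        return None
    return GexRequest(*(int(x) for x in m.groups()))


def diagnose(debug_output: str, server_modulus_bits: int) -> str:
    """Say whether a server group of the given size fits the client's requested range.

    server_modulus_bits is an assumed value supplied by the caller; the router's
    own group size is not printed in the debug output.
    """
    req = parse_gex_request(debug_output)
    if req is None:
        return "no DH GEX request found in debug output"
    if req.min_bits <= server_modulus_bits <= req.max_bits:
        return (f"ok: a {server_modulus_bits}-bit server group lies within the client's "
                f"{req.min_bits}..{req.max_bits}-bit range")
    side = ("below the client's minimum" if server_modulus_bits < req.min_bits
            else "above the client's maximum")
    return (f"mismatch: a {server_modulus_bits}-bit server group is {side} "
            f"({req.min_bits} < {req.preferred_bits} < {req.max_bits}); "
            "raise the client's range or change the server's key-exchange settings")
```

Run `diagnose(SAMPLE_DEBUG, 2048)` to see that a client maximum of 2046 bits cannot accommodate a 2048-bit group, which is the shape of failure the log above records.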
