[c-nsp] 12.4(20)T oddities
James Baker
James.Baker at chelmer.co.nz
Sun Aug 31 16:03:57 EDT 2008
Hi
The problem with SecureCRT and 20T seems to be around the key exchange.
What I did to solve this for me was to move diffie-hellman to be the
first key which fixed it.
I'm still not 100% confident of 20T as well.
James
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin Shore
Sent: Saturday, 30 August 2008 9:04 p.m.
To: 'Cisco-nsp'
Subject: [c-nsp] 12.4(20)T oddities
I upgraded a 2811 to 20T the other night. I did another 2811 tonight
after a different maintenance window. The routers are basically
identical, except for the quantity of modules installed in them. I
noticed the first night that I was seeing a number of tracebacks.
Nothing was a show-stopper though. One happened on boot and I don't
have it handy at the moment. Here are 2 that I still have in the log:
000435: Aug 27 00:47:47 CDT: %SCHED-7-WATCH: Attempt to enqueue
uninitialized watched queue (address 0). -Process= "Call Manager XML
client", ipl= 0, pid= 342, -Traceback= 0x41774928 0x42DF4DF8 0x42B15C58
0x42B54260
000440: Aug 27 00:49:20 CDT: %SCHED-7-WATCH: Attempt to enqueue
uninitialized watched queue (address 0). -Process= "SSH Process", ipl=
0, pid= 317, -Traceback= 0x41774928 0x42DF4DF8 0x42B15C58 0x42B54260
Another odd thing that I noticed was that SSH from SecureCRT broke after
the upgrade. SSH from a Linux command line (OpenSSH) still works
though. This error is logged on the router:
000552: Aug 30 03:45:26.430 CDT: SSH2 0: Invalid modulus length
I wiped the router's RSA keys and regenerated them first with a 2048
bit modulus and then 1024 bit. Neither solved the problem. I even
removed the local SecureCRT known_hosts key for that host (though that
shouldn't have mattered because SCRT will prompt you if the key has
changed). Below is the output from debug ip ssh packet/detail:
001258: Aug 30 03:53:11.320 CDT: SSH0: starting SSH control process
001259: Aug 30 03:53:11.320 CDT: SSH0: sent protocol version id
SSH-2.0-Cisco-1.25
001260: Aug 30 03:53:11.324 CDT: SSH0: protocol version id is -
SSH-2.0-SecureCRT_6.0.0 (build 183) SecureCRT
001261: Aug 30 03:53:11.324 CDT: SSH2 0: send:packet of length 344
(length also includes padlen of 5)
001262: Aug 30 03:53:11.324 CDT: SSH2 0: SSH2_MSG_KEXINIT sent
001263: Aug 30 03:53:11.324 CDT: SSH2 0: ssh_receive: 424 bytes received
001264: Aug 30 03:53:11.324 CDT: SSH2 0: input: total packet length of
424 bytes
001265: Aug 30 03:53:11.324 CDT: SSH2 0: partial packet length(block
size)8 bytes,needed 416 bytes,
maclen 0
001266: Aug 30 03:53:11.324 CDT: SSH2 0: input: padlength 7 bytes
001267: Aug 30 03:53:11.324 CDT: SSH2 0: SSH2_MSG_KEXINIT received
001268: Aug 30 03:53:11.324 CDT: SSH2:kex: client->server enc:aes128-cbc
mac:hmac-md5
001269: Aug 30 03:53:11.328 CDT: SSH2:kex: server->client enc:aes128-cbc
mac:hmac-md5
001270: Aug 30 03:53:11.328 CDT: SSH2 0: ssh_receive: 24 bytes received
001271: Aug 30 03:53:11.328 CDT: SSH2 0: input: total packet length of
24 bytes
001272: Aug 30 03:53:11.328 CDT: SSH2 0: partial packet length(block
size)8 bytes,needed 16 bytes,
maclen 0
001273: Aug 30 03:53:11.328 CDT: SSH2 0: input: padlength 6 bytes
001274: Aug 30 03:53:11.328 CDT: SSH2 0: SSH2_MSG_KEX_DH_GEX_REQUEST
received
001275: Aug 30 03:53:11.328 CDT: SSH2 0: Range sent by client is - 1024
< 2046 < 2046
001276: Aug 30 03:53:11.328 CDT: SSH2 0: Invalid modulus length
001277: Aug 30 03:53:11.428 CDT: SSH0: Session disconnected - error 0x00
Any thoughts? I'm holding off on any more 20T upgrades until this can
be resolved. While I do have a local NOC server that I can SSH from if
needed I'm not inclined to hinder my management abilities like that.
As I was writing the config and disconnecting this 3rd traceback popped
up:
001301: Aug 30 03:59:06 CDT: %SCHED-7-WATCH: Attempt to enqueue
uninitialized watched queue (address 0). -Process= "Virtual Exec", ipl=
0, pid= 354, -Traceback= 0x41774928 0x42DF4DF8 0x42B15C58
0x42B54260[OK]
Does anyone have any thoughts on any of this? So far this has been the
most problematic T release I've used. They are generally more reliable.
So far I haven't noticed any VoIP issues or other actual
show-stoppers. I'm itching to try out some of the new and long-awaited
features but I may have to wait for a (20)T1 to do that outside of a
lab.
Thanks
Justin
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
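The debug output above shows the client's SSH2_MSG_KEX_DH_GEX_REQUEST (RFC 4419) arriving in a 24-byte packet with 6 bytes of padding and carrying the range 1024 < 2046 < 2046, after which the router logs "Invalid modulus length". The following is an added illustration, not IOS or SecureCRT code: it builds and parses that exact request on the wire and applies the RFC 4419 selection rule (any group whose modulus size lies within [min, max], closest to the preferred size n) against an assumed server group set of 1024 and 2048 bits, so a reader can see that a compliant server could still have answered with the 1024-bit group. Why IOS 12.4(20)T rejected the request instead is not known from the thread and is not modelled here.

```python
import struct

SSH_MSG_KEX_DH_GEX_REQUEST = 34  # message number from RFC 4419

def build_packet(payload: bytes, block_size: int = 8) -> bytes:
    """Wrap a payload in the RFC 4253 binary packet format (no MAC, no
    compression, which is the state during the initial key exchange).
    Padding brings the packet to a multiple of block_size and is >= 4."""
    padlen = block_size - (4 + 1 + len(payload)) % block_size
    if padlen < 4:
        padlen += block_size
    packet_length = 1 + len(payload) + padlen
    return struct.pack(">IB", packet_length, padlen) + payload + b"\x00" * padlen

def build_gex_request(min_bits: int, n_bits: int, max_bits: int) -> bytes:
    """KEX_DH_GEX_REQUEST: byte msg, uint32 min, uint32 n, uint32 max."""
    payload = struct.pack(">BIII", SSH_MSG_KEX_DH_GEX_REQUEST,
                          min_bits, n_bits, max_bits)
    return build_packet(payload)

def parse_gex_request(packet: bytes) -> tuple:
    """Strip the packet framing and return (min, n, max) from the request."""
    packet_length, padlen = struct.unpack(">IB", packet[:5])
    payload = packet[5:4 + packet_length - padlen]
    msg, min_bits, n_bits, max_bits = struct.unpack(">BIII", payload)
    if msg != SSH_MSG_KEX_DH_GEX_REQUEST:
        raise ValueError("not a KEX_DH_GEX_REQUEST")
    return min_bits, n_bits, max_bits

def choose_group(min_bits: int, n_bits: int, max_bits: int,
                 available: list) -> int:
    """RFC 4419 section 3: the server picks a group whose modulus size is
    within [min, max], preferring the size closest to n (larger on ties).
    'available' is the modulus sizes this hypothetical server has."""
    if not (min_bits <= n_bits <= max_bits):
        raise ValueError("malformed range from client")
    candidates = [b for b in available if min_bits <= b <= max_bits]
    if not candidates:
        raise ValueError("Invalid modulus length: no group in range")
    return min(candidates, key=lambda b: (abs(b - n_bits), -b))

if __name__ == "__main__":
    # Constructed request matching the range in the debug log above.
    pkt = build_gex_request(1024, 2046, 2046)
    print(len(pkt), pkt[4], parse_gex_request(pkt))
    print(choose_group(*parse_gex_request(pkt), available=[1024, 2048]))
```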