Introduction

You’ve performed a code upgrade on an ASA firewall and suddenly Rancid decides it won’t log in. You’ll get the message:

spawn ssh -c 3des -x -l <user> <device>
no matching cipher found: client 3des-cbc server aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr
Error: Couldn't login: <device>

This means that clogin is offering only its default cipher, 3des-cbc, and the upgraded ASA no longer accepts it; the server half of the message lists the AES ciphers the ASA will still negotiate.

Resolution

The fix is simple: a one-liner in .cloginrc that makes clogin prefer AES ciphers:

add cyphertype * aes128-ctr,aes128-cbc,3des-cbc
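
The list after cyphertype is handed to ssh -c, so it must contain ciphers both the device and the local ssh client support, in order of preference. The POSIX shell script below is an added example, not part of this post or of the RANCID project: it parses the "no matching cipher found" line that clogin prints, intersects the ciphers the device offers with a client cipher list (the sample list is constructed; on a real host substitute the output of ssh -Q cipher), and prints the .cloginrc line to add, CTR modes ahead of the CBC modes that vendors are retiring.

```shell
#!/bin/sh
# Added example, not from the post or the RANCID project. Parse clogin's
# "no matching cipher found" line, intersect the device's cipher list with the
# local client's, and emit the .cloginrc directive that lets clogin log in again.

# Constructed sample: the error line quoted in the post.
SAMPLE_ERR='no matching cipher found: client 3des-cbc server aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr'

# Constructed sample client list, one cipher per line.
# On a real host use the real list instead:  ssh -Q cipher
SAMPLE_CLIENT='aes128-ctr
aes192-ctr
aes256-ctr
aes128-cbc
aes192-cbc
3des-cbc'

# server_ciphers ERRLINE: the comma-separated list after "server", one per line.
server_ciphers() {
    printf '%s\n' "$1" | sed -n 's/.* server \([^ ]*\).*/\1/p' | tr ',' '\n'
}

# common_ciphers ERRLINE CLIENTLIST: ciphers present in both lists, CTR modes
# first and CBC modes after them, printed comma separated for ssh -c.
common_ciphers() {
    srv=$(server_ciphers "$1")
    out=''
    for pass in ctr cbc; do
        for c in $srv; do
            case "$c" in *-"$pass") ;; *) continue ;; esac
            # keep the cipher only if the client list contains it exactly
            if printf '%s\n' "$2" | grep -qx "$c"; then
                out="${out:+$out,}$c"
            fi
        done
    done
    printf '%s\n' "$out"
}

# cloginrc_line ERRLINE CLIENTLIST: the directive to append to ~/.cloginrc.
cloginrc_line() {
    printf 'add cyphertype * %s\n' "$(common_ciphers "$1" "$2")"
}

cloginrc_line "$SAMPLE_ERR" "$SAMPLE_CLIENT"
```

The post's own line also keeps 3des-cbc at the end of the list; a wildcard cyphertype applies to every device in .cloginrc, so leaving the old cipher as the last choice stops devices that have not been upgraded from failing the same way. Running the script against an error line whose server list is only 3des-cbc yields exactly that cipher, which is the case the fallback covers.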

Access is restored. A good post with more detail:

SSH Cipher Updates in Cisco ASA 9.4(3)12

Rancid Logins Fail After ASA Upgrade to 9.1(7)