There is a 30-second delay when connecting to an S5700 switch over SSH

Publication Date: 2015-09-15 | Views: 199 | Downloads: 0
Issue Description
The customer configured the SSH service on an S5700. When he accessed the switch through an SSH client, he found a 30-second delay during the access.
From the debugging information (debugging ssh server all all), we found that the session is stuck at the step below for around 21 seconds.
<Test>
Jul 17 2015 22:28:41.60.3+01:00 Test SSH/7/NO_INFO:Begin to compute the dh shared key.
<Test>
Jul 17 2015 22:29:03.790.1+01:00 Test SSH/7/RECV_PKT:Received ssh2 msg ecdh reply packet.
<Test>
Handling Process

1. Analyzed the configuration and confirmed that everything is fine. Tried to set up a test environment to verify the issue.
2. From the debugging information, I found that the SSH client the customer used is OpenSSH_6.9:
Jul 17 2015 22:28:40.830.1+01:00 CPE-POLIZIA_LOCALE SSH/7/VERSION_RECEIVE:Version information received on VTY 1, version string:SSH-2.0-OpenSSH_6.9.
3. Built an SSH client in a Cygwin Linux environment, then tested the SSH service and hit the same issue as the customer: there is a long delay while the S5700 computes the DH shared key.

4. Debugged this case with R&D. We found that the OpenSSH tool is using a long key, 2068/4097 bits. Since the S5700 is a low-end switch, its performance is limited and it takes a long time to compute the shared key.
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<8192<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug2: bits set: 2068/4096
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent

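5. Based on the above analysis, we provided one solution: change the key exchange algorithm on the SSH client.
diffie-hellman-group1-sha1 uses a fixed 1024-bit group, so the switch has much less to compute than with the group negotiated above, at the cost of a weaker key exchange. Placing the line under a Host entry for the switch in the per-user file limits it to that one device.
Add the line below to /root/.ssh/config or /etc/ssh/ssh_config:
KexAlgorithms=diffie-hellman-group1-sha1
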
After that, we tested it and there was only a 2~3 second delay. The problem was solved.
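
Added example (not part of the original case): a small Python parser for the client debug lines quoted in step 4. It reports the group-exchange size request (min<preferred<max) and the size of the DH group the server returned, which is the second number in the "bits set" line. The function name summarize_kex and the slow_device_limit threshold are hypothetical, and the sample text is constructed from the lines in this case.

```python
import re

# Constructed sample: the client-side debug lines quoted in step 4.
SAMPLE = """\
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<8192<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug2: bits set: 2068/4096
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
"""

# Group-exchange request: the client sends min < preferred < max group sizes.
GEX_REQUEST = re.compile(r"SSH2_MSG_KEX_DH_GEX_REQUEST\((\d+)<(\d+)<(\d+)\)")
# "bits set: A/B": A is the count of 1-bits in the client's DH public value,
# B is the bit length of the group modulus actually in use.
BITS_SET = re.compile(r"bits set: (\d+)/(\d+)")


def summarize_kex(debug_text, slow_device_limit=2048):
    """Summarize the DH parameters seen in OpenSSH client debug output.

    slow_device_limit is a hypothetical threshold (in bits) above which the
    group is flagged as likely too expensive for a low-end device.
    """
    summary = {"gex_used": False, "requested": None, "group_bits": None}
    for line in debug_text.splitlines():
        match = GEX_REQUEST.search(line)
        if match:
            summary["gex_used"] = True
            summary["requested"] = tuple(int(v) for v in match.groups())
            continue
        match = BITS_SET.search(line)
        if match:
            summary["group_bits"] = int(match.group(2))
    bits = summary["group_bits"]
    summary["exceeds_limit"] = bits is not None and bits > slow_device_limit
    return summary


if __name__ == "__main__":
    result = summarize_kex(SAMPLE)
    print("group exchange used:", result["gex_used"])
    print("requested (min, preferred, max):", result["requested"])
    print("group modulus bits:", result["group_bits"])
    print("exceeds limit:", result["exceeds_limit"])
```

Run against the output of ssh -vv after the configuration change, the same function shows whether the smaller fixed group is actually in use.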

Root Cause
The OpenSSH client uses a long SSH key that exceeds the performance of the S5700. The S5700 takes a long time to compute the DH shared key with the SSH client.
Solution
Based on the above analysis, we provided one solution: change the key exchange algorithm on the SSH client.
Add the line below to /root/.ssh/config or /etc/ssh/ssh_config:
KexAlgorithms=diffie-hellman-group1-sha1